Discord cuts ties with Peter Thiel-backed Persona after government-linked surveillance code discovery
Discord is backing away from identity verification startup Persona after researchers flagged publicly accessible code tied to government systems, sparking fresh privacy concerns about the chat platform’s safety push.
The controversy began when researchers said they found Persona’s frontend files exposed on the open internet and sitting on a U.S. government-authorized endpoint. In posts on X, the researchers claimed nearly 2,500 files were reachable without any exploit. Their review suggested Persona’s system can run facial recognition checks against watchlists and screen users against databases of politically exposed persons.
“Nearly 2,500 accessible files were found sitting on a U.S. government-authorized endpoint, researchers pointed out on X. The files showed Persona conducted facial recognition checks against watchlists and screened users against lists of politically exposed persons,” Fortune reported.
From Age Checks to Watchlists: Why Discord Ditched Persona
The findings landed at an awkward moment for Discord, which has been tightening age-verification rules across its platform. Within days of the reports circulating, Discord confirmed it had ended the test partnership. Both companies told Fortune the collaboration lasted less than a month and involved only a limited group of users.
Persona’s tooling goes far beyond basic age checks, according to the researchers’ analysis. They said the system can run 269 different verification checks, including scans for “adverse media” across 14 categories tied to issues such as terrorism and espionage. The software then generates risk and similarity scores tied to user data.
What raised eyebrows was not only the scope of the checks but the accessibility of the code. “We didn’t even have to write or perform a single exploit; the entire architecture was just on the doorstep,” the researchers wrote in their blog. They said they located 53 megabytes of data on a Federal Risk and Authorization Management Program (FedRAMP) endpoint that “tags reports with codenames from active intelligence programs.”
Persona CEO and cofounder Rick Song pushed back on the alarm. He told Fortune the material was publicly available frontend information rather than a security flaw. “What was found was uncompressed files of a front end that’s already on every single person’s device,” Song said, adding that similar information appears in the company’s help center and API documentation. “I don’t think having uncompressed files online is good,” he said, though he maintained the situation was overstated and not treated internally as a major vulnerability.
Discord said only a small number of users participated in the pilot. The company added that any submitted information could be retained for up to seven days before deletion.
The episode adds to a growing list of privacy headaches for Discord. The platform, widely used by gamers, students, creators, and tech communities, has increasingly relied on third-party vendors to support its trust and safety roadmap.
Last year, hackers accessed government IDs belonging to more than 70,000 users who had completed age verification. Discord said at the time the incident stemmed from a breach at vendor 5CA rather than its own systems. The company said only users who interacted with Customer Support or Trust and Safety were affected.
“At Discord, protecting the privacy and security of our users is a top priority. That’s why it’s important to us that we’re transparent with them about events that impact their personal information,” the company said in an October 9, 2025, statement. Impacted users were notified if government IDs, IP addresses, or limited billing data were exposed.
Tensions flared again earlier this month when Discord announced plans to default accounts into teen safety settings. Users seeking access to certain features must verify their age through Persona. The move drew immediate pushback from parts of the community that were already wary after the prior data incident.
“Rolling out teen-by-default settings globally builds on Discord’s existing safety architecture,” Discord Head of Product Policy Savannah Badalich said at the time, adding the company would keep working with safety experts, policymakers, and its user base on long-term wellbeing efforts.
Within a day of the backlash, Discord updated its messaging. The company clarified that age verification would remain optional except for users trying to enter age-restricted spaces. It said most users’ ages could be estimated using existing account signals, allowing many to avoid uploading government IDs. Users could instead choose video selfie verification.
“We offer multiple privacy-forward options through trusted partners,” the company said, adding “facial scans never leave your device. Discord and our vendor partners never receive it.”
Discord maintains that any identifying documents are sent to third-party vendors and deleted quickly. “In most cases, immediately after age confirmation,” the company said. “IDs are used to get your age only and then deleted. Discord only receives your age — that’s it. Your identity is never associated with your account.”
An archived version of Discord’s FAQ appears to present a more nuanced picture. The page said UK users in certain experiments could have their information processed by Persona and stored temporarily for up to seven days before deletion.
Persona, which counts OpenAI, Lime, and Roblox among its customers, has been working through FedRAMP authorization as it pushes deeper into workforce identity and compliance products. Song stressed that the long list of verification checks represents optional capabilities rather than features every customer deploys.
Over the weekend, Song posted on X denying any relationship between Persona and Palantir, ICE, or government surveillance programs. He said speculation circulating online had led to threats against company employees. “We have no relationship whatsoever with ICE, Palantir,” he wrote in a screenshot of an email exchange with a researcher.
Song added that the anger had spilled onto staff members who recently joined the company. “I don’t think these people are the ones that the public’s ire should be directed at, and if anyone, it should be directed at me.”
The CEO faced criticism of his own after users pointed out that his LinkedIn profile shows a verification badge without a profile photo, a detail that drew attention because Persona handles LinkedIn identity verification. Song responded bluntly on X: “I am verified. That’s the entire point. It’s dystopian that we want people to facedox themselves to everyone to be real online. It’s ironic that folks posting about privacy want me to facedox to everyone.”
For Discord, the short-lived Persona experiment shows how sensitive age verification has become. Platforms face growing pressure to prove users are who they claim to be. Every new safeguard now carries its own scrutiny, especially when facial recognition and government-adjacent systems enter the picture.

