Discord revealed on Wednesday that approximately 70,000 users may have had sensitive personal data — including government ID photos and IP addresses — exposed after hackers breached a third-party vendor responsible for handling the platform’s age-related appeals process.

The exposed data came from users who submitted selfies alongside government IDs to verify their age after Discord flagged their accounts for being potentially underage or to comply with regional age verification laws. The company said it has contacted affected users and confirmed that no other internal Discord systems were compromised.

However, cybersecurity outlet 404 Media reported that the breach might be far larger than Discord’s initial estimates. Hackers allegedly claim to have stolen 1.5 terabytes of data, which could include significantly more than the reported 70,000 images. In response, a Discord spokesperson told The Verge that these claims are “incorrect and part of an extortion attempt.”

The incident has reignited debate over digital privacy and age verification mandates, which critics say force users to share highly sensitive data with companies that may lack sufficient protection. These verification laws have been implemented in nearly half of U.S. states, primarily targeting adult content platforms. In some cases, sites like Pornhub have chosen to block users entirely from states enforcing such rules.

The U.K.’s Online Safety Act, which came into effect in July, extends similar age verification requirements to mainstream platforms including YouTube, Spotify, Google, X (formerly Twitter), and Reddit.

Discord’s data breach underscores the risks associated with mandatory digital ID collection, raising urgent questions about data security, privacy standards, and the balance between safety and user protection in online spaces.