The Discord data breach that exposed government ID images has prompted renewed scrutiny of centralized verification systems, with several industry experts pointing to zero-knowledge proofs (ZKPs) as a viable alternative to storing sensitive identity data.
Discord confirmed that an unauthorized actor gained access to the systems of a third-party customer service provider, exposing data belonging to a limited number of users, The Guardian reported.
Among the information compromised were usernames, emails, billing details, IP addresses, and in some cases, government ID images such as passports and driver’s licenses submitted for age verification.
Discord said it revoked the provider’s access and engaged law enforcement following the incident.
Industry figures say the breach reveals a broader problem in how online platforms handle identity verification, one rooted in the practice of collecting and storing personal documents.
Speaking with Yellow.com, Varun Kabra, Chief Growth Officer at Concordium, noted that such risks can be significantly reduced when platforms avoid storing sensitive information altogether.
He explained that zero-knowledge proof systems enable verification of user attributes, such as age or jurisdiction, without requiring platforms to access or retain identification documents.
“Users maintain encrypted credentials in their local wallets, while certified identity providers keep secure copies for compliance,” Kabra said. “If Discord had used ZK credentials for age verification instead of storing ID scans, the recent breach would have exposed no personal identification data.”
Arthur Firstov, Chief Business Officer at Mercuryo, said the Discord case illustrates how central databases continue to be attractive targets for attackers.
“Once sensitive information is held in a database, it becomes a target,” he said, adding that ZKPs offer a path to prevent this by allowing verification without collection of personal details.
“With ZKPs, a platform could confirm that someone meets certain requirements, but the actual data never leaves the user’s control. That means there’s nothing valuable to steal in the first place.”
For many privacy advocates and security professionals, the breach also reinforces the need to rebuild digital trust through privacy-first verification systems.
Firstov added that the wider use of zero-knowledge technology could help achieve that.
“Privacy is what gives people and businesses confidence to interact online, and zero-knowledge technology enables that by proving trust without revealing information,” he said.
Wes Kaplan, CEO of G-Knot, said the breach exemplifies a predictable weakness in the digital identity landscape.
“Collecting centralized, sensitive data is a liability,” he said.
Kaplan noted that if Discord’s age verification process had relied on cryptographic attestations rather than document uploads, there would have been no exploitable database of personal IDs.
“For widely used platforms, the transition to ZK-enabled identity verification is no longer theoretical; it is becoming necessary,” he added. “In a world where data breaches are inevitable, the only real defense is making identity unstealable.”
Discord, which has over 200 million monthly active users, has been using facial age assurance tools in markets such as the UK and Australia.
Under Australia’s forthcoming under-16s social media regulations, platforms are expected to offer multiple age-verification options and appeal processes.
But experts say that unless the industry moves away from document-based verification systems entirely, breaches of this kind will continue to expose users to unnecessary risk.