Discord has cut ties with Persona, its identity verification software, after researchers discovered that its front-end code was publicly accessible — even on U.S. government servers.

On Feb. 16, 2026, researchers on X reported in a blog post that nearly 2,500 files were exposed on a government-authorized endpoint. The files revealed that Persona, an AI-driven verification platform partially funded by Palantir cofounder Peter Thiel’s venture firm Founders Fund, conducted facial recognition checks and screened users against politically sensitive watchlists, Fortune reports.

Beyond verifying age, Fortune reports that Persona runs 269 different verification checks, including monitoring for negative media coverage across categories such as terrorism and espionage, then assigns risk and similarity scores to user information.

“We didn’t even have to write or perform a single exploit; the entire architecture was just on the doorstep,” a researcher wrote, per Fortune. The researchers reportedly found 53 megabytes of data on a Federal Risk and Authorization Management Program (FedRAMP) government endpoint, including reports tagged with “codenames from active intelligence programs.”

Persona CEO Responds

In response, Persona CEO and cofounder Rick Song told Fortune that the exposed files were not a security vulnerability, but publicly accessible front-end information.

“What was found was uncompressed files of a front end that’s already on every single person’s device,” he said.

Song acknowledged that while the files being online wasn’t ideal, internally the company did not consider it a major vulnerability.

Song denied claims that Persona links facial biometrics to financial records or law enforcement databases, or has any connection to Palantir or the United States government, including Immigration and Customs Enforcement. He told Fortune that the company is pursuing FedRAMP authorization, which involves a separate set of verification measures for employees compared with those used by social media platforms to verify users’ ages.

He also clarified that while Persona offers 269 types of verification checks, clients do not necessarily need to use all of them.

Both Persona and Discord confirmed that their partnership lasted less than a month and has since ended, Fortune reports. Still, Song considers it a success.

“I think the performance of the product did incredibly well,” Song told the outlet. “The reason why we were able to say that all data was redacted immediately is because the data was redacted; it had already been redacted upon processing. It’s not like it was due to the termination of the contract that we delete the data. It’s deleted immediately after a verification of the individual.”

Discord Data Breach Controversy

Discord supports over 200 million monthly users, per its website. The timing of this data breach comes as the communication platform faces renewed scrutiny over user privacy.

As AFROTECH™ previously reported, Discord faced backlash earlier this month after announcing it would soon implement “teen-by-default” settings globally. The change requires age verification via Persona to access age-restricted features.

Despite promises that Persona would quickly delete and never store uploaded documents and media, users cited an October 2025 data breach that exposed over 70,000 government IDs.

Discord released a statement on the breach on Oct. 9, 2025, attributing the mishap to its former third-party service provider, 5CA.

“Recently, we discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers,” Discord said, noting that the hackers breached its Customer Support and/or Trust & Safety systems.

Discord said it took immediate action upon learning of the attack, revoking the provider’s access, launching an internal investigation with a forensics firm, and involving law enforcement.

“At Discord, protecting the privacy and security of our users is a top priority,” the company said in the statement. “That’s why it’s important to us that we’re transparent with them about events that impact their personal information.”