Persona (third-party age verification service)

Persona, a third-party age verification provider used by platforms such as Reddit to comply with laws like the UK's *Online Safety Act* and Arizona's age verification requirements, faces critical cybersecurity risks. Users must upload sensitive identification documents (e.g., passports, driver's licenses) to verify their age, which exposes them to potential data breaches. If the provider were hacked, attackers could steal these IDs and use them for identity theft, fraud, and financial crimes (e.g., opening bank accounts, applying for loans, or creating fake IDs in victims' names). While Persona claims to delete verification data within 7 days, other third-party services may retain data longer, increasing exposure under laws such as the US Patriot Act, under which governments could compel providers to hand data over. Additionally, stolen IDs could fuel hyper-realistic phishing scams in which attackers use verified personal details to extort victims by threatening to leak sensitive information. The high value of this data, combined with the lack of uniform retention policies across providers, amplifies the risk of large-scale fraud and reputational damage for both users and the companies relying on these services.

Source: https://www.tomsguide.com/computing/online-security/the-top-3-cybersecurity-risks-posed-by-the-online-safety-act

TPRM report: https://www.rankiteo.com/company/persona-identities

{
  "id": "per5080350102825",
  "linkid": "persona-identities",
  "type": "Breach",
  "date": "10/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Users of Reddit and other '
                                              'platforms complying with age '
                                              'verification laws',
                        'industry': 'Identity Verification',
                        'location': 'United States',
                        'name': 'Persona (age verification provider)',
                        'type': 'Third-Party Service'},
                       {'customers_affected': 'UK/US users subject to age '
                                              'verification',
                        'industry': 'Technology',
                        'location': 'United States',
                        'name': 'Reddit',
                        'size': 'Public company (NYSE: RDDT)',
                        'type': 'Social Media Platform'},
                       {'customers_affected': 'Users in Arizona (US) and UK',
                        'industry': 'Adult Entertainment',
                        'location': 'Global (various jurisdictions)',
                        'name': 'Adult websites (e.g., Pornhub, OnlyFans)',
                        'type': 'Content Platform'},
                       {'customers_affected': 'All users subject to Online '
                                              'Safety Act',
                        'location': 'United Kingdom',
                        'name': 'UK Residents',
                        'type': 'Consumer Group'},
                       {'customers_affected': 'Users accessing adult content',
                        'location': 'United States (Arizona)',
                        'name': 'Arizona Residents',
                        'type': 'Consumer Group'}],
 'attack_vector': ['Exploitation of third-party verification systems',
                   'Dark web sale of stolen ID data',
                   'Patriot Act-compelled data disclosure (US jurisdiction)',
                   'Phishing campaigns leveraging stolen PII',
                   'Malicious insider threats at verification providers'],
 'customer_advisories': ['Avoid uploading full ID scans unless absolutely '
                         'necessary; use platforms with minimal data policies.',
                         'Check if your state/country has age verification '
                         'laws and understand the risks before complying.',
                         'Use dedicated email addresses and virtual credit '
                         'cards for age-gated sites to limit exposure.'],
 'data_breach': {'data_encryption': 'Unclear (dependent on third-party '
                                    'provider practices)',
                 'data_exfiltration': 'Likely (high dark web value for full ID '
                                      'scans)',
                 'file_types_exposed': ['JPEG/PNG (ID scans)',
                                        'JSON (verification metadata)',
                                        'PDF (archived documents)'],
                 'number_of_records_exposed': 'Potential: Millions (scalable '
                                              'with adoption of age '
                                              'verification laws)',
                 'personally_identifiable_information': ['Full name',
                                                         'Date of birth',
                                                         'Address',
                                                         'ID numbers '
                                                         "(passport/driver's "
                                                         'license)',
                                                         'Biometric templates'],
                 'sensitivity_of_data': 'Extreme (enables identity theft, '
                                        'financial fraud, and blackmail)',
                 'type_of_data_compromised': ['Government IDs '
                                              "(passport/driver's license "
                                              'scans)',
                                              'Biometric data (selfies for '
                                              'facial recognition)',
                                              'PII (name, DOB, address)',
                                              'Metadata (IP addresses, access '
                                              'timestamps)']},
 'description': "The implementation of age verification laws (e.g., UK's "
                "Online Safety Act, Arizona's adult website restrictions) has "
                'led to increased reliance on third-party age verification '
                'services, raising significant cybersecurity risks. Key '
                'concerns include data breaches involving government-issued '
                "IDs (e.g., passports, driver's licenses), identity theft, "
                'fraud, cross-border data jurisdiction issues (e.g., US '
                'Patriot Act compelling data disclosure), and heightened '
                'phishing/scam risks leveraging stolen verification data. '
                'Users are increasingly turning to VPNs to bypass '
                'restrictions, while third-party services like Persona (used '
                'by Reddit) face scrutiny over data retention policies (e.g., '
                '7-day deletion claims). The sensitive nature of the '
                'data (biometric likenesses, PII, and ID documents) makes these '
                'systems high-value targets for cybercriminals, with potential '
                'for dark web sales, synthetic identity fraud, and extortion '
                'scams.',
 'impact': {'brand_reputation_impact': 'Severe for platforms using unverified '
                                       'third-party services; potential '
                                       'boycotts',
            'conversion_rate_impact': 'Potential decline in user sign-ups due '
                                      'to privacy concerns',
            'customer_complaints': 'Expected surge in complaints related to '
                                   'privacy violations and ID theft',
            'data_compromised': ["Government-issued IDs (passports, driver's "
                                 'licenses)',
                                 'Biometric data (facial recognition scans)',
                                 'PII (names, addresses, dates of birth)',
                                 'Behavioral data (site access patterns)'],
            'financial_loss': 'Potential: High (identity theft, loan fraud, '
                              'credit score damage per victim; fines for '
                              'non-compliance with data protection laws)',
            'identity_theft_risk': 'High (stolen IDs enable synthetic '
                                   'identities, credit fraud, criminal '
                                   'impersonation)',
            'legal_liabilities': ['Violations of GDPR (EU), CCPA (California), '
                                  'or sector-specific laws (e.g., COPPA)',
                                  'Class-action lawsuits from affected users',
                                  'Patriot Act conflicts (US vs. UK data '
                                  'sovereignty)'],
            'operational_impact': ['Loss of user trust in age-gated platforms',
                                   'Increased customer support costs (fraud '
                                   'disputes, breach notifications)',
                                   'Regulatory scrutiny for non-compliant data '
                                   'handling'],
            'payment_information_risk': 'Indirect (if linked accounts are '
                                        'compromised via ID-based password '
                                        'resets)',
            'revenue_loss': ['Reduced ad revenue (if users bypass age gates '
                             'via VPNs)',
                             'Legal penalties for data breaches (e.g., GDPR '
                             'fines up to 4% of global revenue)'],
            'systems_affected': ['Third-party verification platforms (e.g., '
                                 'Persona)',
                                 'Adult websites/social media (e.g., Reddit)',
                                 'Government databases (if IDs are linked)',
                                 'VPN services (due to circumvention '
                                 'attempts)']},
 'initial_access_broker': {'backdoors_established': 'Potential (e.g., '
                                                    'persistent access to '
                                                    'verification databases)',
                           'data_sold_on_dark_web': 'Likely (ID scans fetch '
                                                    '$20–$100 per record; bulk '
                                                    'discounts for large '
                                                    'breaches)',
                           'entry_point': ['Compromised verification APIs',
                                           'Insider threats at third-party '
                                           'providers',
                                           'Exploited vulnerabilities in ID '
                                           'upload portals'],
                           'high_value_targets': ['Full ID scans '
                                                  "(passport/driver's license)",
                                                  'Biometric databases',
                                                  'Linked account credentials '
                                                  '(if verification ties to '
                                                  'social media)'],
                           'reconnaissance_period': 'Ongoing (as laws roll out '
                                                    'globally)'},
 'investigation_status': 'Ongoing (no specific breach confirmed; risks are '
                         'theoretical but highly probable)',
 'lessons_learned': ['Third-party verification introduces systemic privacy '
                     'risks that outweigh compliance benefits.',
                     'Cross-border data flows conflict with regional privacy '
                     'laws (e.g., US Patriot Act vs. GDPR).',
                     'Minimal data collection (e.g., age tokens vs. full IDs) '
                     'reduces exposure without sacrificing compliance.',
                     'User education on phishing risks is critical when '
                     'sensitive data is involved in verification.',
                     'VPN adoption as a circumvention tool highlights the '
                     'unintended consequences of age verification laws.'],
 'motivation': ['Financial gain (identity fraud, loan scams, dark web sales)',
                'Espionage (government access to citizen data)',
                'Reputation damage (to verification providers or regulated '
                'platforms)',
                'Social engineering (credibility in phishing campaigns)'],
 'post_incident_analysis': {'corrective_actions': ['Replace ID scans with '
                                                   'privacy-preserving '
                                                   'alternatives (e.g., '
                                                   'anonymous age tokens).',
                                                   'Legislate maximum data '
                                                   'retention periods (e.g., '
                                                   '24 hours).',
                                                   'Require independent '
                                                   'security audits for '
                                                   'verification providers.',
                                                   'Fund research into '
                                                   'decentralized identity '
                                                   'solutions.'],
                            'root_causes': ['Over-reliance on third parties '
                                            'without adequate oversight.',
                                            'Lack of global standards for age '
                                            'verification data handling.',
                                            'Legislative focus on compliance '
                                            'over user privacy (e.g., '
                                            'mandating ID uploads without '
                                            'safeguards).',
                                            'Incentive misalignment (providers '
                                            'profit from data collection, not '
                                            'protection).']},
 'recommendations': [{'for_governments': ['Mandate data minimization in age '
                                          'verification (e.g., cryptographic '
                                          'age proofs instead of ID scans).',
                                          'Require third-party audits and '
                                          'certification for verification '
                                          'providers.',
                                          'Harmonize data protection standards '
                                          'across jurisdictions to avoid '
                                          'conflicts like Patriot Act vs. '
                                          'GDPR.']},
                     {'for_companies': ['Implement decentralized verification '
                                        '(e.g., zero-knowledge proofs).',
                                        'Enforce strict 24–72 hour data '
                                        'deletion policies post-verification.',
                                        'Provide clear opt-out mechanisms and '
                                        'transparency reports.',
                                        'Use VPN-blocking resistance measures '
                                        'sparingly to avoid driving users to '
                                        'less secure alternatives.']},
                     {'for_users': ['Use VPNs with audited no-log policies '
                                    '(e.g., NordVPN) if bypassing '
                                    'restrictions.',
                                    'Monitor credit reports and identity theft '
                                    'services post-verification.',
                                    'Avoid reusing passwords linked to '
                                    'verified accounts.',
                                    'Demand transparency from platforms about '
                                    'third-party data handling.']}],
 'references': [{'source': "Tom's Guide – NordVPN Review",
                 'url': 'https://www.tomsguide.com/reviews/nordvpn'},
                {'source': 'UK Online Safety Act 2023',
                 'url': 'https://www.legislation.gov.uk/ukpga/2023/50/contents'},
                {'source': 'Arizona HB 2586 (Age Verification Law)',
                 'url': 'https://www.azleg.gov/legtext/56leg/1R/bills/HB2586P.pdf'},
                {'source': 'Persona Identity Verification – Data Practices',
                 'url': 'https://withpersona.com/legal/privacy-policy'},
                {'source': 'EFF – Risks of Age Verification Online',
                 'url': 'https://www.eff.org/deeplinks/2023/09/age-verification-laws-are-dangerous-and-unconstitutional'}],
 'regulatory_compliance': {'fines_imposed': 'Potential: Up to 4% of global '
                                            'revenue (GDPR) or £17.5M (UK DPA)',
                           'legal_actions': ['Class-action lawsuits from '
                                             'affected users',
                                             'Regulatory investigations by ICO '
                                             '(UK) or FTC (US)',
                                             'Challenges under Patriot Act for '
                                             'US-based providers'],
                           'regulations_violated': ['GDPR (if EU citizen data '
                                                    'is mishandled by US '
                                                    'providers)',
                                                    'UK Data Protection Act '
                                                    '2018',
                                                    'California Consumer '
                                                    'Privacy Act (CCPA)',
                                                    "Arizona's age "
                                                    'verification law (if '
                                                    'implementation is '
                                                    'non-compliant)',
                                                    'Online Safety Act (UK) – '
                                                    'potential non-compliance '
                                                    'with data minimization'],
                           'regulatory_notifications': ['Mandatory breach '
                                                        'notifications under '
                                                        'GDPR/CCPA if data is '
                                                        'exposed']},
 'response': {'communication_strategy': ['Public awareness campaigns on '
                                         'phishing risks',
                                         'Transparency reports from '
                                         'verification providers (e.g., '
                                         'government data requests)'],
              'containment_measures': ["Persona's 7-day data deletion policy",
                                       'Encouraging platforms to use minimal '
                                       'PII for verification',
                                       'VPN usage to bypass restrictions '
                                       '(user-side mitigation)'],
              'enhanced_monitoring': ['Dark web monitoring for leaked IDs',
                                      'Anomaly detection in verification APIs'],
              'remediation_measures': ['Advocacy for stricter third-party '
                                       'audits',
                                       'Push for decentralized verification '
                                       '(e.g., blockchain-based age proofs)',
                                       'Legislative lobbying to limit data '
                                       'retention periods'],
              'third_party_assistance': ['Privacy International (advocacy)',
                                         'Electronic Frontier Foundation '
                                         '(legal analysis)']},
 'stakeholder_advisories': ['Warn investors in verification providers about '
                            'regulatory and reputational risks.',
                            'Advise advertisers on platforms with age gates '
                            'about potential brand safety issues.',
                            'Alert payment processors to monitor for fraud '
                            'linked to stolen IDs.'],
 'threat_actor': ['Cybercriminal syndicates (for data theft/sale)',
                  'State-sponsored actors (via Patriot Act or similar)',
                  'Opportunistic scammers (phishing/extortion)',
                  'Dark web marketplaces (for PII trading)'],
 'title': 'Cybersecurity Risks of Third-Party Age Verification Services Under '
          'New Online Safety Laws',
 'type': ['Data Breach Risk',
          'Privacy Violation',
          'Third-Party Risk',
          'Phishing/Social Engineering'],
 'vulnerability_exploited': ['Inadequate data retention/deletion policies',
                             'Cross-border data storage without '
                             'GDPR-equivalent protections',
                             'Lack of end-to-end encryption for ID uploads',
                             'Weak authentication in verification APIs',
                             'Over-collection of sensitive PII (e.g., full ID '
                             'scans vs. minimal verification)']}