Discord hack shows risks of online age checks

Original link: https://news.sky.com/story/discord-hack-shows-dangers-of-online-age-checks-as-internet-policing-hopes-put-to-the-test-13447618

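Discord recently announced a data breach affecting around 70,000 users, stemming from a hack of a third-party service used for age verification. Although the Discord platform itself was not compromised, the hackers obtained the ID photos that users had submitted to appeal age verification results.

The stolen data *could* include personal information and partial credit card numbers, as well as customer support message records. Full credit card details and passwords were not leaked. Discord has revoked the third party's access and has notified affected users, advising them to stay alert to suspicious communications.

The incident highlights the security risks of increasingly strict online age verification requirements, which are driven by new government regulations. The breach occurred because the third-party service stored the submitted ID photos, a practice experts recommend avoiding entirely in order to minimise data exposure. The hackers claim to have obtained more data, possibly as an extortion attempt, but Discord disputes this.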

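## Discord age verification breach: summary

A recent hack exposed the personal data of about 70,000 users who had gone through Discord's age verification. The breach was reportedly carried out by bribing an outsourced employee with $500, and it leaked government IDs retained by Discord, raising concerns about data security and retention practices.

The discussion focuses on why the IDs were not encrypted and why they were kept long beyond the immediate need for verification, possibly for years. Many commenters question the effectiveness of age verification itself, arguing that it shifts responsibility from parents to platforms and creates significant privacy risks. Some suggest alternatives, such as the trusted identity systems already in use in some countries.

The incident highlights broader problems in how companies handle sensitive data, particularly around outsourced staff and access control. Concerns were raised about whether encryption, if present, would effectively prevent insider leaks. Ultimately, the hack underscores the challenge of balancing safety regulation with user privacy in the digital age.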

Original text

Messaging platform Discord has said the official ID photos of around 70,000 users have been stolen by hackers.

The app, which is popular with gamers and teenagers, said the hackers targeted a firm responsible for verifying the ages of its users. Discord said its own platform was not breached.

The stolen data could include personal information, partial credit card numbers and messages with Discord's customer service agents, the firm said.

No full credit card details, passwords or messages and activity beyond conversations with Discord customer support were leaked, it added.

Discord said it had revoked the third-party service's access and was continuing to investigate. It said all affected users have been contacted.

"Looking ahead, we recommend impacted users stay alert when receiving messages or other communication that may seem suspicious," it said.

Until recently, a hack like this could not have happened, because companies had no need to process and collect proofs of age.

Now, so many governments are following the UK and introducing age verification for unsuitable or pornographic content that a company like Discord has to roll out age checks for a decent portion of its 200 million active users.

It's a bit like the way that shops have to check your age if you're buying alcohol - only because it's online, it comes with a lot of additional complications.

A shop, for instance, won't keep a copy of your passport once they've checked your age.

And it definitely won't keep it in a massive (yet strangely light) safe along with thousands of other passport photocopies, stored right by its front door, ready to be taken.

Online, it's surprisingly easy to do just that.

It's worth noting that the age verification system used by Discord wasn't hacked itself. That system asked people to take a photo of themselves, then used software to estimate their age. Once the check was complete, the image was immediately deleted.

The problem came with the appeals part of the process, which was supplied to Discord by a third party.

If someone thought that the age verification system had wrongly barred them from Discord they could send in a picture of their ID to prove their age. This collection of images was hacked. As a result, Discord says, more than 70,000 IDs are now in the possession of hackers.

(The hackers themselves claim that the number is much bigger - 2,185,151 photos. Discord says this is wrong and the hackers are simply trying to extort money. It's a messy situation.)

There are ways to make age verification safer. Companies could stop storing photo ID, for instance (although then it would be impossible to know for sure if their checks were correct).

And advocates of ID cards will point out that a proper government ID could avoid the need to send pictures of your passport simply to prove your age. You'd use your digital ID instead, which would stay safely on your device.

But the best way to stop data being hacked is not to collect it in the first place.

We're at the start of a defining test - can governments actually police the internet? Or will the measures that are supposed to make us safer actually end up making us less secure?
