Brussels Launched an Age Checking App. It Took 2 Minutes to Hack It.
Why It Matters
The breach undermines confidence in EU‑mandated tech safeguards and could stall regulatory efforts to curb underage access to harmful content, prompting a reassessment of digital compliance frameworks.
Key Takeaways
- EU's age‑verification app compromised in under two minutes
- Hack revealed hard‑coded API keys and insecure data storage
- Privacy‑by‑design principles were ignored in the app's architecture
- Regulators face pressure to overhaul digital safety tools
- Potential legal challenges could delay rollout across EU member states
Pulse Analysis
The European Union’s push for stricter online safety has culminated in the Digital Services Act, which obliges platforms to verify users’ ages before granting access to age‑restricted content. To meet this mandate, the Commission rolled out a centralized mobile app, positioning it as a pan‑EU solution that could streamline compliance for publishers and protect minors from harmful material. Industry observers had praised the initiative as a step toward a unified digital market, but the rollout exposed a critical tension between rapid policy implementation and robust technical design.
Within two minutes of its public debut, a team of independent security analysts broke into the app’s backend, uncovering hard‑coded API keys, unencrypted personal data, and a lack of proper authentication checks. These vulnerabilities not only contravene the EU’s own GDPR requirements for data protection but also risk exposing millions of users to identity theft and profiling. The ease of exploitation underscores a broader issue: many government‑backed digital tools are built on legacy codebases without rigorous penetration testing, leaving them susceptible to the same threats that plague commercial software.
The fallout from the hack is already reshaping the regulatory conversation. Lawmakers are now demanding a transparent audit of the app’s architecture and a clear timeline for remediation, while consumer groups warn that premature deployment could erode public trust in digital safety measures. Tech firms that had prepared to integrate the verification system must now reassess their compliance roadmaps, potentially delaying product launches. In the long run, the incident may prompt the EU to adopt a more collaborative development model, involving cybersecurity experts early in the design phase to ensure that future tools meet both policy goals and security standards.