The European Commission's age verification app was hacked roughly two minutes after its launch.
Internal Affairs | European Union
- Error detected
- The claim states the app was hacked roughly two minutes after launch. In reality, the hack took place roughly one day after the 15 April 2026 launch. The 'two minutes' refers to the time it took to execute the bypass, not the elapsed time since launch.
- Omissions
- The claim conflates the duration of the hack (under two minutes to execute the bypass) with the time elapsed since launch. The app was launched on 15 April 2026 and hacked on 16 April 2026 — approximately one day later, not two minutes after launch.
- The hack was demonstrated by UK-based security consultant Paul Moore, who published a video on X showing a full authentication bypass by editing a plain-text configuration file.
- The app had been described by the Commission as 'feature ready' and 'technically ready' at launch.
- Sources
- Primary (European Commission): The European Commission announced on 15 April 2026 that a new age verification app designed to protect children online was ready for deployment.
- Primary (European Commission – Digital Strategy): The Commission made available a blueprint for an age verification solution on 14 July 2025. It became a feature-ready age verification solution on 15 April 2026.
- Secondary (EU Perspectives): On 16 April, UK-based security consultant Paul Moore published a video on X showing a full bypass of the app's authentication in under two minutes. The app had been launched the previous day, 15 April 2026.
- Secondary (Proton): By Thursday (16 April 2026), security consultant Paul Moore had bypassed the app's protections in under two minutes, after the EU unveiled the age verification app and called it technically ready.