An ID verification company that works on behalf of TikTok, X and Uber, among others, has left a set of administrative credentials exposed for more than a year, . The Israel-based AU10TIX verifies the identity of users by using pictures of their faces and drivers’ licenses, potentially opening up both to hackers.
“My personal reading of this situation is that an ID Verification service provider was entrusted with people’s identities and it failed to implement simple measures to protect people’s identities and sensitive ID documents,” Mossab Hussein, the chief security officer at cybersecurity firm spiderSilk who originally noticed the exposed credentials, said.
The set of admin credentials that were left exposed led right to a logging platform, which in turn included links to identity documents. There’s even some reason to suspect that bad actors got ahold of these credentials and actually used them.
They appear to have been scooped up by malware in December 2022 and placed on a Telegram channel in March 2023, according to timestamps and messages acquired by 404 Media. The news organization downloaded the credentials and found a wealth of passwords and authentication tokens linked to someone who lists their role on LinkedIn as a Network Operations Center Manager at AU10TIX.
If hackers got ahold of customer data, it would include a user’s name, date of birth, nationality, ID number and images of uploaded documents. It’s pretty much all an internet gollum would need to steal an identity. All they would have to do is snatch up the credentials, log in and start wreaking havoc. Yikes.
AU10TIX has issued a statement on the matter, writing that the “data was potentially accessible” but that it sees “no evidence that such data has been exploited.” The company said that impacted customers have been notified and that it’s decommissioning the current operating system in favor of a new one that focuses more on security.
Some of its partners switched verification companies before this issue popped up. A spokesperson for Upwork said that it has “been working with a different service provider for some time now.” X, however, just signed up with AU10TIX and it uses government-issued IDs to verify premium users. Others, like Fiverr and Coinbase have said they aren’t aware of any data exposure, though they still work with AU10TIX.
Dumping customer data on Telegram or on the dark web has become the most popular way for hackers to do their thing. Back in late March, over 73 million AT&T passwords . LoanDepot , as did the .
