AU10TIX, an Israel-based identity verification company that works with major tech platforms like TikTok, Uber, and X (formerly Twitter), inadvertently exposed a set of administrative credentials online for more than a year.
There was a security loophole that may have permitted unauthorized access to private user information, such as facial images and driver’s licenses used for identity confirmation.
The exposed credentials provided direct access to a logging platform containing links to identity documents and verification process results, such as “liveness” checks.
The compromised data included names, dates of birth, nationalities, ID numbers, and document images—information that, if obtained by malicious actors, could enable identity theft.
Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot
Evidence suggests that the exposed credentials were collected by malware in December 2022 and shared on a Telegram channel in March 2023, as indicated by timestamps and messages obtained by 404 Media.
While AU10TIX claims the system containing the exposed data has been decommissioned and there is no evidence of data exploitation, the potential impact on user privacy remains a concern.
The incident highlights the risks associated with the growing trend of social networks and online platforms requiring users to upload identity documents for verification purposes. X, for example, began requiring premium users to share government-issued IDs in 2024, two years after the initial credential exposure.
“Mossab Hussein, a chief security officer at spiderSilk cybersecurity firm and the first to identify the exposed credentials expressed concern over AU10TIX’s failure to implement basic security measures to safeguard users’ identities and confidential documents”.
The company has since informed affected customers and is transitioning to a new operating system with a heightened focus on security.
Some of AU10TIX’s partners, such as Upwork, had already switched to alternative verification providers before the incident. Others, like Fiverr and Coinbase, stated they were unaware of any data exposure but continue collaborating with AU10TIX.
As more online platforms move towards identity and age verification models, this breach underscores the importance of robust security measures to protect sensitive user data.
The increasing trend of hackers disclosing customer data on platforms like Telegram and the dark web further emphasizes the need for stringent data protection practices.
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free