Security Breach at ID Verification Service Highlights Privacy Dangers

A data breach has struck AU10TIX, an identity verification service used by major platforms including TikTok, Uber, and X (formerly Twitter), underscoring the inherent privacy and security risks of such services.

According to an exclusive report by 404 Media, administrative credentials that were left exposed for over a year allowed unauthorized access to sensitive user information. The incident illustrates the privacy dangers inherent in laws that mandate identity verification.

AU10TIX, an Israeli company specializing in identity verification solutions, processes various personal documents such as driver’s licenses and photographs for clients like TikTok, Uber, and X. The breach, discovered by cybersecurity researcher Mossab Hussein of spiderSilk, exposed credentials that provided access to a logging platform. This platform contained links to the personal data of individuals who had uploaded identity documents, including names, birthdates, nationalities, identification numbers, and images of their IDs.

The exposed credentials were reportedly harvested by malware in December 2022 and posted to a Telegram channel in March 2023. Hussein noted that despite AU10TIX’s claims of rescinded access, the credentials remained active until recently.

AU10TIX acknowledged the incident, stating it occurred over 18 months ago and that measures were taken to rescind the compromised credentials. The company also gave assurances that it has started decommissioning the affected system and replacing it with a more secure solution. However, the fact that these credentials remained accessible until June 2024 raises questions about the company’s security practices and honesty in general.

Platforms like Upwork and Fiverr, listed on AU10TIX’s website, have responded to the breach with varying levels of concern. While Fiverr remains a client, Upwork has moved to a different service provider. Coinbase, another client, stated it is monitoring the situation and is unaware of any data exposure.

ID verification as another point of risk

This breach has broader implications as more social networks and websites implement age and identity verification requirements in the U.S. and worldwide. The Electronic Frontier Foundation (EFF) responded strongly, emphasizing that age verification systems pose significant privacy risks.

“Hacks and data breaches of this sensitive information are not a hypothetical concern; it is simply a matter of when the data will be exposed, as this breach shows,” stated Jason Kelley from the EFF.

EFF’s concerns are magnified by legislative pushes for stricter age verification laws, such as the federal Kids Online Safety Act and California’s Assembly Bill 3080. These laws mandate the collection of personal data, which, if breached, can lead to severe consequences like:

  • Identity theft
  • Fraud
  • Blackmail
  • Loss of anonymity

The AU10TIX incident is a stark reminder of the potential fallout from such mandates.

The breach underscores the need for more robust cybersecurity measures and a reevaluation of policies requiring extensive data collection to use online services. As hackers target identity verification services, minimizing unnecessary data collection and enhancing protective measures are crucial to safeguarding user privacy and security.

Unfortunately, there’s not much internet users can do to mitigate the risk of data exposure while also complying with legal requirements on identity verification. More often than not, going through a verification process on a platform, no matter how trusted and reputable, means indirectly submitting your data to unknown entities like AU10TIX.


