Identity verification company AU10TIX left a number of administrator credentials exposed for over a year, potentially allowing cybercriminals to steal its customers’ sensitive data.
AU10TIX verifies users’ identities via selfies and driver’s license scans on behalf of its customers, including TikTok, X, and Uber.
Cybersecurity researchers at spiderSilk were the first white hat researchers to come across the credentials. They claim that the login information provides access to a logging platform, where access to the identity documents is unaffected.
Stolen login details
“My personal interpretation of this situation is that an ID verification service provider was entrusted with people’s identities and failed to implement simple measures to protect people’s identities and sensitive identity documents,” said Mossab Hussein, the Chief Security Officer at spiderSilk.
Unfortunately, it appears that malicious actors were quicker than spiderSilk, as the account details were likely picked up by malware in December 2022 and shared via Telegram in March 2023.
Anyone who gained access to this database (which AU10TIX claims has not been abused in the wild) would have had access to names, dates of birth, nationalities, ID numbers, and facial images. This is more than enough to conduct successful identity theft or phishing attacks. Such data is also quite expensive on the black market.
AU10TIX said it has informed affected customers and that the current operating system is being replaced with a new one that focuses more on security.
It signed X as a customer in September 2023, when we reported that the company had a clean slate, with no public data breaches. As such, it was seen as a good fit for the social media giant. However, we said we would remain skeptical given Musk’s controversial decisions in the past, and we were absolutely right.
Via 404 Media