Identity verification company AU10TIX kept a set of administrator credentials exposed for more than a year, possibly allowing threat actors to steal sensitive data from its customers.
AU10TIX verifies user identities on behalf of its clients, including but not limited to TikTok, X, and Uber, through selfies and scans of people's driver's licenses.
Cybersecurity researchers at spiderSilk were the first (among white hat researchers) to stumble upon the credentials. They claim that the login information grants access to a registration platform, where access to identity documents is not restricted.
Stolen credentials
“My personal reading of this situation is that an identity verification service provider was entrusted with people's identities and failed to implement simple measures to protect people's identities and sensitive identification documents,” said Mossab Hussein, spiderSilk security director.
Unfortunately, it appears that malicious actors got ahead of spiderSilk, as the account information was likely collected by malware in December 2022 and shared via Telegram in March 2023.
If someone accessed this database (which, according to AU10TIX, was not abused in the wild), they would have gained access to people's names, dates of birth, nationalities, identification numbers, and images of their faces. This is more than enough to successfully carry out identity theft and phishing attacks. This data also commands a high price on the black market.
AU10TIX said it has notified affected customers and is replacing the current operating system with a new one, with more focus on security.
It signed X as a client in September 2023, when we reported that the company had a clean record, without any public data breaches. As such, it was considered a good fit for the social media giant. However, we said we would remain skeptical given Musk's controversial decisions in the past, and we were definitely right.
Via 404 Media