A prominent identity verification firm that has contracted with TikTok, Uber, X, and other large platforms left a set of administrative login credentials exposed to the internet for more than a year, according to a report from 404 Media. The credentials could have allowed a bad actor to access sensitive user information, including images of Americans’ driver’s licenses, the outlet writes.
The company in question, AU10TIX, provides login and ID verification services. We wrote about it last year, as it was partnering with X (formerly Twitter). At the time, Elon Musk was rolling out a number of new, controversial features, including optional user verification for Blue subscriber accounts.
To verify users on sites like X, AU10TIX asks for a number of identifying data points, including selfies and pictures of government-issued IDs. These data points help a company confirm that a user is a real person and not a bot, but they can become a privacy liability in a situation like this.
404 Media writes that the debacle started because an AU10TIX staffer’s login credentials were harvested by malware in 2022 and later posted to a Telegram channel. The outlet was initially alerted to the situation by a cybersecurity researcher. The name associated with the stolen credentials matched the name of a person on LinkedIn who is listed as a Network Operations Center Manager at AU10TIX, 404 writes. The credentials allowed entry into a logging platform, where information related to the users of some client platforms appeared to be visible. The cybersecurity researcher provided screenshots of the information that could be accessed using the credentials, and 404 breaks it down like this:
The accessible information includes the person’s name, date of birth, nationality, identification number, and the type of document uploaded such as a drivers’ license. A subsequent link then includes an image of the identity document itself; some of those are American drivers’ licenses.
Gizmodo reached out to AU10TIX for comment and will update this story if it responds. When reached for comment by 404 Media, the company told the outlet that “the incident you cited happened over 18 months ago. A thorough investigation determined that employee credentials were illegally accessed then and were promptly rescinded.” However, 404 Media claims that, according to the security researcher, the credentials still worked as of this month. When confronted with that information, AU10TIX said it was “decommissioning the relevant system” linked to the credentials.
On the subject of user information potentially having been accessed, the company said: “While PII data was potentially accessible, based on our current findings, we see no evidence that such data has been exploited. Our customers’ information is of the utmost importance, and they have been notified.”
According to AU10TIX’s website, it has partnered with many other large, prominent platforms and brands, including PayPal, LinkedIn, Coinbase, eToro, and UpWork, among others.