Driver's License Information of Users from X, TikTok, and Uber Leaked by Identity Verification Company

Company's Assurance of Data Safety Under Scrutiny: AU10TIX's Alleged Security Lapses Cast Doubt on Data Protection Capabilities

In a shocking revelation, AU10TIX, a prominent identity verification company that has worked with major platforms such as TikTok, Uber, and others, left a set of administrative login credentials exposed on the internet for over a year, according to a report by 404 Media. These exposed credentials could potentially grant an unscrupulous individual access to sensitive data, such as images of American driver's licenses.

AU10TIX offers login and identity verification services. We wrote about the company last year, when it was working with X (formerly Twitter). At the time, Elon Musk was unveiling numerous new, contentious features, including optional user verification for Blue subscriber accounts.

For user verification on sites such as X, AU10TIX requires a variety of identifying data points, including selfies and pictures of government-issued identification documents. These details help companies ensure users are real humans, not bots, but they can become privacy concerns in situations like this.

According to 404 Media, the security lapse began when a staff member's login credentials were stolen by malware in 2022 and later uploaded to a Telegram channel. The outlet first learned of the situation from a cybersecurity researcher. The name linked with the stolen credentials matches that of a person on LinkedIn who is listed as a Network Operations Center Manager at AU10TIX, 404 reports. The credentials provided access to a logging platform, where data related to users of some client platforms appeared to be visible. The cybersecurity researcher shared screenshots of the accessible data, which 404 describes as follows:

The information visible includes the person's name, date of birth, nationality, identification number, and the type of document uploaded, such as a driver's license. A subsequent link then includes an image of the identity document itself; some of these were American driver's licenses.

When contacted by Gizmodo, AU10TIX did not respond. In response to inquiries by 404 Media, the company stated, "The incident you reference occurred over 18 months ago. A comprehensive investigation was conducted, determining that employee credentials were unlawfully accessed then and were immediately revoked." However, 404 Media states that, as per the security researcher, the credentials were still functional as of this month. Once confronted with this information, AU10TIX announced plans to "decommission the relevant system" associated with the credentials.

On user data potentially being accessed, the company stated, "While PII data may have been accessible, based on our current findings, we find no signs that such data has been misused. Our clients' security is of paramount importance, and they have been notified."

AU10TIX's website lists partnerships with numerous other prominent platforms and brands, including PayPal, LinkedIn, Coinbase, eToro, and UpWork, among others.

  1. Despite AU10TIX's partnership with tech giants like TikTok and Uber, a security lapse exposed administrative login credentials for over a year, potentially granting unauthorized access to sensitive data, such as images of American driver's licenses.
  2. The controversy surrounding AU10TIX escalated when the security lapse was discovered: malware stole a staff member's credentials in 2022, and the credentials were later uploaded to a Telegram channel.
  3. As the tech world focuses on the future of digital verification, AU10TIX, known for its credentials in identity verification services, finds itself embroiled in a controversy, raising concerns about privacy and data security.
  4. In response to the ongoing controversy, AU10TIX has announced plans to decommission the relevant system associated with the compromised credentials and has stated that, while personally identifiable information (PII) may have been accessible, there is no evidence of misuse to date.
