If there’s one type of company you definitely don’t want to see left vulnerable to hackers it’s an identity verification service with access to photo ID documents like driver’s licenses – but that’s exactly what appears to have happened with AU10TIX.
The cybersecurity company’s past or present clients include PayPal, Coinbase, X, TikTok, Uber, LinkedIn, Upwork, and Fiverr …
Identity verification companies
There are times when companies need to positively identify their users, such as complying with money laundering regulations and enabling people to recover their accounts. A common way to do this is to require users to upload photo ID, like a driver’s license or passport.
In some cases, companies additionally ask for a video of the user showing their face from different angles so this can be compared with the photo to ID to ensure that it hasn’t fallen into the wrong hands.
A number of major companies choose to outsource this task to external companies, and Israel-based AU10TIX is one of the best-known.
AU10TIX exposed admin credentials
404 Media reports that AU10TIX inadvertently exposed admin credentials which allowed access to a hacker’s treasure trove of personal data.
[AU10TIX] exposed a set of administrative credentials online for more than a year potentially allowing hackers to access that sensitive data, according to screenshots and data obtained by 404 Media […]
The set of credentials provided access to a logging platform, which in turn contained links to data related to specific people who had uploaded their identity documents, Hussein showed. The accessible information includes the person’s name, date of birth, nationality, identification number, and the type of document uploaded such as a drivers’ license. A subsequent link then includes an image of the identity document itself; some of those are American drivers’ licenses.
The credentials exposed appear to belong to a network manager at the company.
404 Media downloaded these credentials and found the name matched that of someone who lists their role on LinkedIn as a Network Operations Center Manager at AU10TIX. The file contained a wealth of passwords and authentication tokens for various services used by the employee, including tools from Salesforce and Okta, as well as the logging service itself.
Despite having been alerted to the issue, the company failed to immediately block access.
404 Media first contacted AU10TIX for comment on June 13. Around a week later, AU10TIX said “the incident you cited happened over 18 months ago. A thorough investigation determined that employee credentials were illegally accessed then and were promptly rescinded.” In fact, the credentials to the logging platform still worked as of this month, Hussein said. When 404 Media relayed this information back to AU10TIX, the company then said it was decommissioning the relevant system, more than a year after the credentials were first exposed on Telegram.
The company claims that no personal data was obtained, but given that the credentials were shared in Telegram channels used by hackers, and have worked for more than a year, this seems questionable.
Image: 9to5Mac collage of images from Wikimedia/CC4.0 and James Lee on Unsplash
FTC: We use income earning auto affiliate links. More.
Comments