Israel-based AU10TIX, which offers identity verification services for TikTok, Uber, and X users, among others, exposed administrative credentials online for over a year, according to a report from 404 Media. The vulnerability potentially allowed hackers access to sensitive data, including photographs of users’ faces and driver’s licenses.
AU10TIX offers identity verification solutions including identity document authentication, real-time liveness detection, and age prediction based on photos. Other companies listed as clients include Fiverr, PayPal, Coinbase, LinkedIn, and Upwork, some of which have confirmed their active or past use of AU10TIX services.
Mossab Hussein, chief security officer at spiderSilk, found the exposed credentials and alerted 404 Media. The compromised credentials allowed access to a logging platform containing links to personal data, including names, birthdates, nationalities, identification numbers, and images of identity documents.
The exposed credentials also revealed AU10TIX’s verification process results. Screenshots showed references to client organizations like TikTok, X, and Uber. The credentials were likely stolen by malware in December 2022 and posted on Telegram in March 2023, according to the report. They included passwords and authentication tokens for various services used by an AU10TIX employee, making them easily accessible to hackers.
Stolen credentials from malware, often shared on Telegram, have facilitated multiple data breaches. Such credentials allow hackers to bypass initial security measures and directly access sensitive data. AU10TIX says it has now begun decommissioning the compromised system and strengthening its security measures.
Source: 404 Media
–
(Previously published on FindBiometrics)
Follow Us