Identity verification company AU10TIX kept a set of admin credentials exposed for more than a year, possibly allowing threat actors to steal its customers’ sensitive data.
AU10TIX verifies user identities on behalf of its clients, which include, among others, TikTok, X, and Uber, via selfie pictures and scans of people’s driver’s licenses.
Cybersecurity researchers from spiderSilk were the first (among white hat researchers) to stumble upon the credentials. They claim that the login information grants access to a logging platform, where access to the identity documents is unabated.
Stolen credentials
“My personal reading of this situation is that an ID Verification service provider was entrusted with people’s identities and it failed to implement simple measures to protect people’s identities and sensitive ID documents,” said Mossab Hussein, the chief security officer at spiderSilk.
Unfortunately, it seems that malicious players beat spiderSilk to the punch, as account information was probably picked up by a piece of malware in December 2022, and shared via Telegram in March 2023.
If someone did access this database (which AU10TIX claims was not abused in the wild), they would have gotten access to people’s names, birth dates, nationalities, ID numbers, and images of their faces. This is more than enough to run successful identity theft of phishing attacks. Such data is also quite expensive on the black market, too.
AU10TIX said it notified the affected customers and that it is replacing the current operating system with a new one, with more focus on security.
It signed X as a client in September 2023, when we reported that the company had a clean rap sheet, without any public data breaches. As such, it was seen as a good choice for the social media behemoth. We did, however, said we’d remain skeptical given Musk’s controversial decisions in the past, and we were most definitely right.
Via 404 Media
+ There are no comments
Add yours