A company that helps TikTok, Uber, and X verify the identity of their users by processing photos of faces and driver’s licenses reportedly exposed administrative credentials online for more than a year, 404 Media reports. As a result, hackers could have gained access to sensitive user data from the ID verification service at any time.
Founded in 2002, AU10TIX is a company based in Hod HaSharon, Israel that describes itself as “the world’s first enterprise solution for identity verification,” and offers a variety of services, from age, address, and biometric verification to deepfake detection.
AU10TIX has since partnered with several major companies to provide its verification services, such as TikTok, X, Bumble, Uber, and Coinbase. For instance, on X, you have to provide both a selfie and a government-issued ID to verify your account. AU10TIX uses the pictures to confirm your identity and stores that data for up to 30 days.
That last point is especially troubling, because 404 Media reports that an AU10TIX employee’s credentials were harvested by malware in September 2022 and shared on a Telegram channel in March 2023. Those credentials could be used to access a logging platform that contained a wealth of user data, including names, dates of birth, nationalities, ID numbers, and the type of documents uploaded. The logs also contained links to images of the documents themselves, which meant a hacker could have seen an untold number of driver’s licenses.
A week after contacting AU10TIX about the breach, 404 Media received the following response: “The incident you cited happened over 18 months ago. A thorough investigation determined that employee credentials were illegally accessed then and were promptly rescinded.”
AU10TIX implies that the credentials could no longer be used to access user data following the investigation. spiderSilk chief security officer Mossab Hussein, who first made 404 Media aware of the breach, said that the credentials still worked as of this month.
When 404 Media shared this information, AU10TIX issued a new statement:
While PII data was potentially accessible, based on our current findings, we see no evidence that such data has been exploited. Our customers’ security is of the utmost importance, and they have been notified.
The ID verification company added that it will continue to decommission the relevant operational system, replace it with a new system, and improve security measures.