{"id":236923,"date":"2024-06-27T01:53:30","date_gmt":"2024-06-27T01:53:30","guid":{"rendered":"https:\/\/michigandigitalnews.com\/index.php\/2024\/06\/27\/an-id-verification-service-that-works-with-tiktok-and-x-left-its-credentials-wide-open-for-a-year\/"},"modified":"2025-06-25T17:16:02","modified_gmt":"2025-06-25T17:16:02","slug":"an-id-verification-service-that-works-with-tiktok-and-x-left-its-credentials-wide-open-for-a-year","status":"publish","type":"post","link":"https:\/\/michigandigitalnews.com\/index.php\/2024\/06\/27\/an-id-verification-service-that-works-with-tiktok-and-x-left-its-credentials-wide-open-for-a-year\/","title":{"rendered":"An ID verification service that works with TikTok and X left its credentials wide open for a year"},"content":{"rendered":"<div>\n<p>An ID verification company that works on behalf of TikTok, X and Uber, among others, has left a set of administrative credentials exposed for more than a year, <a data-i13n=\"cpos:1;pos:1\" href=\"https:\/\/www.404media.co\/id-verification-service-for-tiktok-uber-x-exposed-driver-licenses-au10tix\/\" rel=\"nofollow noopener\" target=\"_blank\" data-ylk=\"slk:as reported by 404 Media;cpos:1;pos:1;elm:context_link;itc:0;sec:content-canvas\" class=\"link \">as reported by <em>404 Media<\/em><\/a>. The Israel-based AU10TIX verifies the identity of users by using pictures of their faces and drivers\u2019 licenses, potentially exposing both to hackers.<\/p>\n<p>\u201cMy personal reading of this situation is that an ID Verification service provider was entrusted with people&#8217;s identities and it failed to implement simple measures to protect people&#8217;s identities and sensitive ID documents,\u201d Mossab Hussein, the chief security officer at cybersecurity firm spiderSilk who originally noticed the exposed credentials, said.<\/p>\n<p>The set of admin credentials that were left exposed led right to a logging platform, which in turn included links to identity documents. 
There\u2019s even some reason to suspect that bad actors got ahold of these credentials and actually used them.<\/p>\n<p>They appear to have been scooped up by malware in December 2022 and placed on a Telegram channel in March 2023, according to timestamps and messages acquired by <em>404 Media<\/em>. The news organization downloaded the credentials and found a wealth of passwords and authentication tokens linked to someone who lists their role on LinkedIn as a Network Operations Center Manager at AU10TIX.<\/p>\n<p>If hackers got ahold of customer data, it would include a user\u2019s name, date of birth, nationality, ID number and images of uploaded documents. It\u2019s pretty much all an internet gollum would need to steal an identity. All they would have to do is snatch up the credentials, log in and start wreaking havoc. Yikes.<\/p>\n<p>AU10TIX has issued a statement on the matter, writing that the \u201cdata was potentially accessible\u201d but that it sees \u201cno evidence that such data has been exploited.\u201d The company said that impacted customers have been notified and that it\u2019s decommissioning the current operating system in favor of a new one that focuses more on security.<\/p>\n<p>Some of its partners switched verification companies before this issue popped up. 
A spokesperson for Upwork said that it has \u201cbeen working with a different service provider for some time now.\u201d X, however, just signed up with AU10TIX <a data-i13n=\"cpos:2;pos:1\" href=\"https:\/\/techcrunch.com\/2023\/09\/15\/x-launches-account-verification-based-on-government-id\/\" data-ylk=\"slk:back in September;cpos:2;pos:1;elm:context_link;itc:0;sec:content-canvas\" class=\"link \">back in September<\/a> and it uses government-issued IDs to <a data-i13n=\"cpos:3;pos:1\" href=\"https:\/\/help.x.com\/en\/rules-and-policies\/verification-policy\" rel=\"nofollow noopener\" target=\"_blank\" data-ylk=\"slk:verify premium users;cpos:3;pos:1;elm:context_link;itc:0;sec:content-canvas\" class=\"link \">verify premium users<\/a>. Others, like Fiverr and Coinbase, have said they aren\u2019t aware of any data exposure, though they still work with AU10TIX.<\/p>\n<p>Dumping customer data on Telegram or on the dark web has become the most popular way for hackers to do their thing. Back in late March, over 73 million AT&amp;T passwords <a data-i13n=\"cpos:4;pos:1\" href=\"https:\/\/www.engadget.com\/att-resets-millions-of-customers-passcodes-after-account-info-was-leaked-on-the-dark-web-160842651.html\" data-ylk=\"slk:were leaked onto the dark web;cpos:4;pos:1;elm:context_link;itc:0;sec:content-canvas\" class=\"link \">were leaked onto the dark web<\/a>. 
LoanDepot <a data-i13n=\"cpos:5;pos:1\" href=\"https:\/\/www.engadget.com\/loandepot-discloses-that-hackers-breached-personal-data-of-16-million-customers-172702402.html\" data-ylk=\"slk:experienced a similar issue this year;cpos:5;pos:1;elm:context_link;itc:0;sec:content-canvas\" class=\"link \">experienced a similar issue this year<\/a>, as did the <a data-i13n=\"cpos:6;pos:1\" href=\"https:\/\/www.engadget.com\/defense-department-alerts-over-20000-employees-about-email-data-breach-164528056.html\" data-ylk=\"slk:US Department of Defense;cpos:6;pos:1;elm:context_link;itc:0;sec:content-canvas\" class=\"link \">US Department of Defense<\/a>.<\/p>\n<\/div>\n<p><a href=\"https:\/\/www.engadget.com\/an-id-verification-service-that-works-with-tiktok-and-x-left-its-credentials-wide-open-for-a-year-171258438.html?src=rss\">Source link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>An ID verification company that works on behalf of TikTok, X and Uber, among others, has left a set of administrative credentials exposed 
for<\/p>\n","protected":false},"author":1,"featured_media":236924,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[159],"tags":[],"_links":{"self":[{"href":"https:\/\/michigandigitalnews.com\/index.php\/wp-json\/wp\/v2\/posts\/236923"}],"collection":[{"href":"https:\/\/michigandigitalnews.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michigandigitalnews.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michigandigitalnews.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/michigandigitalnews.com\/index.php\/wp-json\/wp\/v2\/comments?post=236923"}],"version-history":[{"count":0,"href":"https:\/\/michigandigitalnews.com\/index.php\/wp-json\/wp\/v2\/posts\/236923\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/michigandigitalnews.com\/index.php\/wp-json\/wp\/v2\/media\/236924"}],"wp:attachment":[{"href":"https:\/\/michigandigitalnews.com\/index.php\/wp-json\/wp\/v2\/media?parent=236923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michigandigitalnews.com\/index.php\/wp-json\/wp\/v2\/categories?post=236923"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michigandigitalnews.com\/index.php\/wp-json\/wp\/v2\/tags?post=236923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}