Identity verification company used by X, TikTok and Uber exposed users’ driver’s licenses


A prominent identity verification company that has contracts with TikTok, Uber, X and other big platforms left a set of administrative login credentials exposed to the internet for more than a year, according to a report from 404 Media. The credentials could have allowed a bad actor to access sensitive user information, including images of Americans’ driver’s licenses, the outlet writes.


The company in question, AU10TIX, provides login and identity verification services. We wrote about it last year, as it was associated with X (formerly Twitter). At the time, Elon Musk was rolling out a number of controversial new features, including optional user verification for Blue subscriber accounts.

To verify users on sites like X, AU10TIX asks for a series of identifying data points, including selfies and images of government-issued IDs. These data points help a company confirm that a user is a real person and not a robot, but they can become a privacy liability in a situation like this.

404 Media writes that the debacle began because an AU10TIX employee’s login credentials were harvested by malware in 2022 and then posted on a Telegram channel. The outlet was initially alerted to the situation by a cybersecurity researcher. The name associated with the stolen credentials matched the name of a person on LinkedIn who is listed as a network operations center manager at AU10TIX, writes 404. The credentials allowed entry into a registry platform, where data related to users from some client platforms seemed visible. The cybersecurity researcher provided 404 with screenshots of the data that can be accessed using the credentials, and the outlet breaks it down like this:

Accessible information includes the person’s name, date of birth, nationality, ID number, and the type of document uploaded, such as a driver’s license. A subsequent link includes an image of the ID document itself; some of these are U.S. driver’s licenses.

Gizmodo has contacted AU10TIX for comment and will update this story if it responds. When contacted by 404 Media for comment, the company told the outlet that “the incident you cited occurred over 18 months ago. A thorough investigation determined that employee credentials were illegally accessed and then immediately terminated.” However, 404 Media claims that, according to the security researcher, the credentials were still working as of this month. When confronted with that information, AU10TIX said it was “dismantling the relevant system” linked to the credentials.

On the topic of possible access to user data, the company said: “While PII data was potentially accessible, based on our current findings, we see no evidence that such data has been exploited. The safety of our customers is of utmost importance and they have been notified.”

According to its website, AU10TIX has partnered with many other large and prominent platforms and brands, including PayPal, LinkedIn, Coinbase, eToro, and UpWork, among others.
