Identity verification firm AU10TIX – used by tech giants – left photo IDs exposed

If there’s one type of company you absolutely don’t want to see left vulnerable to hackers, it’s an identity verification service with access to photo ID documents like driver’s licenses – but that’s exactly what appears to have happened with AU10TIX.

The cybersecurity firm’s past or present clients include PayPal, Coinbase, X, TikTok, Uber, LinkedIn, Upwork, and Fiverr …

Identity verification companies

There are times when companies need to positively identify their users, such as when complying with money laundering regulations and enabling people to recover their accounts. A common way to do this is to require users to upload photo ID, like a driver’s license or passport.

In some cases, companies additionally ask for a video of the user showing their face from different angles so this can be compared with the photo ID to ensure that it hasn’t fallen into the wrong hands.

A number of major companies choose to outsource this task to external companies, and Israel-based AU10TIX is one of the best-known.

AU10TIX exposed admin credentials

404 Media reports that AU10TIX inadvertently exposed admin credentials which allowed access to a hacker’s treasure trove of private data.

[AU10TIX] exposed a set of administrative credentials online for more than a year, potentially allowing hackers to access that sensitive data, according to screenshots and data obtained by 404 Media […]

The set of credentials provided access to a logging platform, which in turn contained links to data related to specific people who had uploaded their identity documents, Hussein confirmed. The accessible information includes the person’s name, date of birth, nationality, identification number, and the type of document uploaded, such as a driver’s license. A subsequent link then includes an image of the identity document itself; some of these are American driver’s licenses.

The credentials exposed appear to belong to a network manager at the company.

404 Media downloaded these credentials and found the name matched that of someone who lists their role on LinkedIn as a Network Operations Center Manager at AU10TIX. The file contained a wealth of passwords and authentication tokens for various services used by the employee, including tools from Salesforce and Okta, as well as the logging service itself.

Despite having been alerted to the problem, the company failed to immediately block access.

404 Media first contacted AU10TIX for comment on June 13. Around a week later, AU10TIX said “the incident you cited occurred over 18 months ago. A thorough investigation determined that employee credentials were illegally accessed then and were promptly rescinded.” In fact, the credentials to the logging platform still worked as of this month, Hussein said. When 404 Media relayed this information back to AU10TIX, the company then said it was decommissioning the relevant system, more than a year after the credentials were first exposed on Telegram.

The company claims that no private data was obtained, but given that the credentials were shared in Telegram channels used by hackers, and have worked for more than a year, this seems questionable.
