A company that verifies the identities of TikTok, Uber, and X users, sometimes by processing photographs of their faces and pictures of their drivers’ licenses, exposed a set of administrative credentials online for more than a year, potentially allowing hackers to access that sensitive data, according to screenshots and data obtained by 404 Media.

The Israel-based company, called AU10TIX, offers what it describes on its website as “full-service identity verification solutions.” This includes verifying people’s identity documents, conducting “liveness detection” in a real-time video stream with the user, and performing age verification, where a service will predict how old someone is based on their uploaded photo. AU10TIX also includes the logos of other companies on its site, such as Fiverr, PayPal, Coinbase, LinkedIn, and Upwork, some of which confirmed to 404 Media they are active or former AU10TIX clients.

The news comes as more social networks and pornography sites move towards an identity or age verification model, in which users are required to upload their real identity documents in order to access certain services. The breach highlights that identity services could themselves become a target for hackers. The cybersecurity researcher did not distribute the data beyond providing screenshots and some data to 404 Media for verification purposes.

“My personal reading of this situation is that an ID Verification service provider was entrusted with people’s identities and it failed to implement simple measures to protect people’s identities and sensitive ID documents,” said Mossab Hussein, chief security officer at cybersecurity firm spiderSilk, who alerted 404 Media to the exposed credentials.

  • @[email protected]
    60 · 6 months ago

    What? The thing that literally everyone warned about in regards to requiring ID verification happened!?! WHO COULD HAVE SEEN THIS COMING?!

    • @0110010001100010
      18 · 6 months ago

      Makes me think of the skydiving scene in Deadpool 2 where pretty much the entire team dies and Wade asks who could have seen that coming? I think it was Domino that responds with everyone, everyone saw that coming.

      • @cheese_greater
        7 · 6 months ago

        everyone saw that coming

        At the end anyway, if not at the start

  • @foggy
    46 · 6 months ago

    This is why, Coursera.

    This is why I won’t give you my driver’s license to verify my cybersecurity certificate.

    This is why.

    • @brenticus
      20 · 6 months ago

      The irony kills me on this one. I would like to imagine that if you send your ID in they auto-fail you, but I’m sure they’re not that clever.

  • Avid Amoeba
    30 · 6 months ago

    No mass ID leak article would be complete without an ad for another online entity that requires ID submissions.

      • EleventhHour
        8 · 6 months ago

        It’s quite shocking at this point how few people use ad blockers

    • @[email protected]
      5 · 6 months ago

      Those services feel so shady to me. You’re just paying to deanonymize your data for them. Not to mention I think some of them are straight up owned by the data brokers you’re supposedly having your data deleted from.