A data breach has struck AU10TIX, an identity verification service used by major platforms including TikTok, Uber, and X (formerly Twitter), underscoring the inherent privacy and security risks of such services.
According to an exclusive report by 404 Media, administrative credentials left exposed for over a year allowed unauthorized access to sensitive user information, illustrating the privacy dangers inherent in mandated identity verification laws.
AU10TIX, an Israeli company specializing in identity verification solutions, processes various personal documents such as driver’s licenses and photographs for clients like TikTok, Uber, and X. The breach, discovered by cybersecurity researcher Mossab Hussein of spiderSilk, exposed credentials that provided access to a logging platform. This platform contained links to the personal data of individuals who had uploaded identity documents, including names, birthdates, nationalities, identification numbers, and images of their IDs.
The exposed credentials were reportedly harvested by malware in December 2022 and posted to a Telegram channel in March 2023. Hussein noted that despite AU10TIX's claims of rescinded access, the credentials remained active until recently.
AU10TIX acknowledged the incident, stating it occurred over 18 months ago and that measures were taken to rescind the compromised credentials. AU10TIX assured that they have started decommissioning the affected system and replacing it with a more secure solution. However, the ongoing accessibility of these credentials until June 2024 raises questions about the company's security practices and honesty in general.
Platforms like Upwork and Fiverr, listed on AU10TIX’s website, have responded to the breach with varying levels of concern. While Fiverr remains a client, Upwork has moved to a different service provider. Coinbase, another client, stated it is monitoring the situation and is unaware of any data exposure.
ID verification as another point of risk
This breach has broader implications as more social networks and websites implement age and identity verification requirements in the U.S. and worldwide. The Electronic Frontier Foundation (EFF) responded strongly, emphasizing that age verification systems pose significant privacy risks.
“Hacks and data breaches of this sensitive information are not a hypothetical concern; it is simply a matter of when the data will be exposed, as this breach shows,” stated Jason Kelley from the EFF.
EFF's concerns are magnified by legislative pushes for stricter age verification laws, such as the federal Kids Online Safety Act and California’s Assembly Bill 3080. These laws mandate the collection of personal data, which, if breached, can lead to severe consequences like:
- Identity theft
- Fraud
- Blackmail
- Loss of anonymity
The AU10TIX incident is a stark reminder of the potential fallout from such mandates.
The breach underscores the need for more robust cybersecurity measures and a reevaluation of policies requiring extensive data collection to use online services. As hackers target identity verification services, minimizing unnecessary data collection and enhancing protective measures are crucial to safeguarding user privacy and security.
Unfortunately, there’s not much internet users can do to mitigate the risk of data exposure while also complying with legal requirements on identity verification. More often than not, going through a verification process on a platform, no matter how trusted and reputable, means indirectly submitting your data to unknown entities like AU10TIX.
mel
I don’t ever give out my real name and birthdate to online platforms, and if sending a picture of my government-issued ID held next to my face is required, I pass.
It is also too easy for someone who is part of the organization to pass on doxing information if you’ve managed to attract the negative attention of an activist organization – the type of people who would 4-on-1 beat you down while yelling “stop hitting me” as they are kicking your ribs in.
Sven
It’s mid-2024, and it feels like no corporations are taking privacy and cybersecurity threats seriously. They’re just buying insurance to cover any losses or passing them down to stakeholders, with no one facing jail time for lax security measures.
In fact, most people only start caring about privacy after experiencing the fallout of identity theft. We live in some very strange times.
BITR
Supreme Court will take up case on porn age verification laws in Texas.
[https://19thnews.org/2024/07/supreme-court-porn-id-law/]
It is unlikely that the Texas state attorney general will use these laws to go after bookstores, which technically distribute content online, or Hollywood streaming sites like Netflix, but the laws are potentially broad enough to apply to a wide range of businesses.
Age verification bills have gained traction since Louisiana passed a law in 2022. Nineteen states have passed age verification bills, according to a tracker from the Free Speech Coalition, the adult industry’s trade group, which is one of the plaintiffs in this Texas case.
The one-third content rule commonly used among most states’ laws is ill-defined. Kansas’s bill, set to go into effect July 1, lowers the threshold to 25 percent.
In other states, including Louisiana and Utah, the age verification laws also allow adults to sue distributors of adult content for “damages resulting from a minor’s accessing the material,” opening up many different companies to potential liabilities.
Alex Lekander
Interesting, thanks for sharing BITR!
ElmoMust
Alex, what does BITR’s comment about porn have to do with the Data Breach at ID Verification Service Highlights Privacy Dangers?
BITR
ElmoMust, at the time this was the last topic made in the ‘Privacy and Security News’ section, so my post was News and relevant to the section. Forget the porn salting it had. Importantly, it was for the 1st time in a few states: ‘the age verification laws also allow adults to sue distributors of adult content for “damages resulting from a minor’s accessing the material,” opening up many different companies to potential liabilities.’
Since this topic was about a data breach and there are no federal regulations to recoup the victims’ damages, some states are starting to react, making my post relevant to this data breach topic as News.
Thank you for asking = )
A business only faced Punitive damages (which punish a defendant for egregious or reckless behavior) in the past, and now they are facing Conservative damages. The latter aims to compensate the plaintiff for the actual costs incurred due to the injury, rather than speculative or hypothetical losses. Personal injury claims,
BITR
Disturbing for sure!
In the US, [https://www.dol.gov/] offers ‘Guidance on the Protection of Personal Identifiable Information’ for DOL employees, contractors and contract employees.
Basically, it is the responsibility of the individual user to protect data to which they have access. PII users must adhere to the rules of behavior defined in applicable Systems Security Plans, DOL and agency guidance.
Why is there nothing set in stone for our American nation’s (border protection, if you will) so that a US citizen’s PII, information that permits identifying an individual, never leaves our great nation?
Treat and secure our nation’s citizens’ PII data with the same need-to-know structure as our nation’s defense and space technology secrets.
PII (Personal Identifiable Information) collected on US citizens should never leave the shores of the USA. Never, so why does AU10TIX, an Israeli company specializing in identity verification solutions that processes various personal documents such as driver’s licenses and photographs for clients like TikTok, Uber, and X, have access to US citizens’ PII data?
Then, when an international company, government or entity has need for a US citizen’s PII data, no real information is shared outside of our US borders, but only a cryptographic hash (reducing agent) of the PII data.
Greatly reducing the inherent privacy dangers in mandated identity verification laws.
Cryptographic hash functions have many information-security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication. They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental data corruption. Indeed, in information-security contexts, cryptographic hash values are sometimes called (digital) fingerprints, checksums, or just hash values, even though all these terms stand for more general functions with rather different properties and purposes.
[https://en.m.wikipedia.org/wiki/Cryptographic_hash_function]
GOOD FIND, Alex
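As an added example, not from the article or any commenter, the Python below tests the proposal above to share PII only as a cryptographic hash, and goes one step beyond it: an unkeyed SHA-256 of a low-entropy field such as a birthdate is recovered by simply enumerating every possible date, while an HMAC-SHA256 tag under a secret key kept by the data owner resists that enumeration yet still lets the key holder confirm a match. SAMPLE_DOB and SECRET_KEY are constructed values.

```python
import datetime
import hashlib
import hmac

# Constructed sample values; not real data and not from the article.
SAMPLE_DOB = "1987-03-14"
SECRET_KEY = b"constructed-demo-key-held-only-by-data-owner"


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: anyone can recompute it for any candidate value."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256: recomputing requires the key, so enumeration without it fails."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def dob_candidates(start_year: int = 1900, end_year: int = 2024):
    """Every ISO date in the range: the whole search space is about 45k values."""
    day = datetime.date(start_year, 1, 1)
    end = datetime.date(end_year, 12, 31)
    while day <= end:
        yield day.isoformat()
        day += datetime.timedelta(days=1)


def recover_dob(target_hex: str, hasher):
    """Return (date, guesses) when hasher(date) matches target_hex,
    or (None, guesses) once the date space is exhausted."""
    guesses = 0
    for cand in dob_candidates():
        guesses += 1
        if hmac.compare_digest(hasher(cand), target_hex):
            return cand, guesses
    return None, guesses


def verify_claim(claimed_dob: str, stored_tag: str, key: bytes) -> bool:
    """Legitimate use by the key holder: confirm a claimed value matches the stored tag."""
    return hmac.compare_digest(keyed_hash(claimed_dob, key), stored_tag)


if __name__ == "__main__":
    unkeyed = plain_hash(SAMPLE_DOB)
    print("unkeyed SHA-256 recovered as:", recover_dob(unkeyed, plain_hash))
    keyed = keyed_hash(SAMPLE_DOB, SECRET_KEY)
    print("HMAC tag, enumerated without the key:", recover_dob(keyed, plain_hash))
    print("key holder verifies the claim:", verify_claim(SAMPLE_DOB, keyed, SECRET_KEY))
```

The unkeyed hash is just a pseudonym that a date-space enumeration undoes in a fraction of a second, so the "reducing agent" in the comment only reduces exposure when the hash is keyed and the key stays with the data owner.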