Identity Verification Firm Used by X, TikTok, and Uber Exposed Users’ Driver’s Licenses

AU10TIX promised to keep user data safe but the company appears to have badly bungled its own security.

A prominent identity verification firm that has contracted with TikTok, Uber, X, and other large platforms, left a set of administrative login credentials exposed to the internet for more than a year, according to a report from 404 Media. The credentials could have allowed a bad actor to access sensitive user information, including images of Americans’ driver’s licenses, the outlet writes.

The company in question, AU10TIX, provides login and ID verification services. We wrote about it last year, as it was partnering with X (formerly Twitter). At the time, Elon Musk was rolling out a number of new, controversial features, including optional user verification for Blue subscriber accounts.

To verify users on sites like X, AU10TIX asks for a number of identifying data points, including selfies and pictures of government-issued IDs. These data points help a company confirm that a user is a real person and not a bot, but they can become a privacy liability in a situation like this.

404 Media writes that the debacle started because an AU10TIX staffer’s login credentials were harvested by malware in 2022 and later posted to a Telegram channel. The outlet was initially alerted to the situation by a cybersecurity researcher. The name associated with the stolen credentials matched the name of a person on LinkedIn who is listed as a Network Operations Center Manager at AU10TIX, 404 writes. The credentials allowed entry into a logging platform, where data related to the users of some client platforms appeared to be visible. The cybersecurity researcher provided screenshots of the data that could be accessed using the credentials, and 404 breaks it down like this:

The accessible information includes the person’s name, date of birth, nationality, identification number, and the type of document uploaded, such as a driver’s license. A subsequent link then includes an image of the identity document itself; some of those are American driver’s licenses.

Gizmodo reached out to AU10TIX for comment and will update this story if it responds. When reached for comment by 404 Media, the company told the outlet that “the incident you cited happened over 18 months ago. A thorough investigation determined that employee credentials were illegally accessed then and were promptly rescinded.” However, 404 Media claims that, according to the security researcher, the credentials still worked as of this month. When confronted with that information, AU10TIX said it was “decommissioning the relevant system” linked to the credentials.

On the topic of user data potentially having been accessed, the company said: “While PII data was potentially accessible, based on our current findings, we see no evidence that such data has been exploited. Our customers’ security is of the utmost importance, and they have been notified.”

According to AU10TIX’s website, it has partnered with many other large, prominent platforms and brands, including PayPal, LinkedIn, Coinbase, eToro, and UpWork, among others.
