Hey Travis, Joseph here with the big warning shot: the company that provides ID verification services for TikTok, Uber, X, and many more tech companies was hacked. The breach was from a cybersecurity researcher who wanted to warn the company about their exposed credentials. I've seen the data, and it is not good: real people's identity documents and the results of verification checks. As we move towards an internet that is asking more of us to verify our identities, this shows companies providing those services could absolutely be targeted.
A company that verifies the identities of TikTok, Uber, and X users, sometimes by processing photographs of their faces and pictures of their driver’s licenses, exposed a set of administrative credentials online for more than a year, potentially allowing hackers to access that sensitive data, according to screenshots and data obtained by 404 Media.
The Israel-based company, called AU10TIX, offers what it describes on its website as “full-service identity verification solutions.” This includes verifying people’s identity documents, conducting “liveness detection” in a real-time video stream with the user, and performing age verification, where a service will predict how old someone is based on their uploaded photo. AU10TIX also includes the logos of other companies on its site, such as Fiverr, PayPal, Coinbase, LinkedIn, and Upwork, some of which confirmed to 404 Media they are active or former AU10TIX clients.
The news comes as more social networks and pornography sites move towards an identity or age verification model, in which users are required to upload their real identity documents in order to access certain services. The breach highlights that identity services could themselves become a target for hackers. The cybersecurity researcher did not distribute the data beyond providing screenshots and some data to 404 Media for verification purposes.
“My personal reading of this situation is that an ID Verification service provider was entrusted with people's identities and it failed to implement simple measures to protect people's identities and sensitive ID documents,” said Mossab Hussein, chief security officer at cybersecurity firm spiderSilk, who alerted 404 Media to the exposed credentials.
The set of credentials provided access to a logging platform, which in turn contained links to data related to specific people who had uploaded their identity documents, Hussein showed. The accessible information includes the person’s name, date of birth, nationality, identification number, and the type of document uploaded, such as a driver’s license. A subsequent link then includes an image of the identity document itself; some of those are American driver’s licenses.
The data also appears to include results from AU10TIX’s verification process, with a field for “liveness” reading “true”; the “probability” of that conclusion on a scale of 0 to 1, with a potential result being 0.9486029; and other fields called “DocumentAuthenticity” and “OverallQuality.” More results appear to relate to AU10TIX’s comparison of a photo of the person’s face to their uploaded document, with another section referencing a photo called “PhotoForFaceComparison.jpg.”
Another screenshot from the tool shows a line chart with one axis labeled “clientOrganizationName.” That axis includes “TikTok_Shop_Creator,” “Impersonation_XCorp,” and “uber-carshare-passport,” apparent references to the three tech giants.
None of those companies responded to multiple requests for comment from 404 Media. In September, X said it was partnering with AU10TIX for the social network’s government ID-based account verification. In 2020, AU10TIX published a press release saying it was working with Uber.
The credentials appear to have been harvested by malware in December 2022, and first posted to a Telegram channel in March 2023, according to timestamps and messages from the Telegram channel that posted the credentials online. 404 Media downloaded these credentials and found the name matched that of someone who lists their role on LinkedIn as a Network Operations Center Manager at AU10TIX. The file contained a wealth of passwords and authentication tokens for various services used by the employee, including tools from Salesforce and Okta, as well as the logging service itself. 404 Media did not use the credentials in any way.
These streams of stolen credentials from “infostealer” malware—many of which are freely distributed on Telegram every day—have become the first step in multiple high profile data breaches. Cybersecurity firm Mandiant published a report earlier this month that says hackers have used credentials for Snowflake, a data warehousing tool, to then target multiple organizations. Mandiant said it found hundreds of customer Snowflake credentials exposed via infostealers since 2020. 404 Media also downloaded multiple sets of harvested credentials from Telegram earlier this year, long before the Snowflake breaches, to investigate the issue of infostealer feeds. The dumps included credentials from people associated with a dizzying array of tech companies. At the time, many of those companies told 404 Media they had already dealt with those security issues.
Having these credentials freely available on Telegram dramatically lowers the barrier to entry for hackers to breach organizations. Rather than going through the laborious process of installing malware onto a target themselves, such as an employee laptop, they can simply piggyback off someone else who has already done that work. These secondary hackers take the credentials, log in, and if successful, steal data or attempt to extort the victim.
“I believe threat actors have become more aggressive in targeting organizations of all types simply because stolen credentials (arising from infostealer malware infections) have possibly become the easiest path to an organization's crown jewels and most sensitive datasets. As a threat actor, you just let yourself in, through the main door,” Hussein said.
Discovering the existence of exposed credentials is one thing; verifying they work by logging in and then viewing company data is another, which carries ethical and legal issues. Hussein said he took this step because “seeing the potential impact of such exposure and the damage it could cause to people if their identities are stolen, I felt responsibility to alert the company, and then discuss this incident publicly to help raise awareness around such risk.”
404 Media first contacted AU10TIX for comment on June 13. Around a week later, AU10TIX said “the incident you cited happened over 18 months ago. A thorough investigation determined that employee credentials were illegally accessed then and were promptly rescinded.” In fact, the credentials to the logging platform still worked as of this month, Hussein said. When 404 Media relayed this information back to AU10TIX, the company then said it was decommissioning the relevant system, more than a year after the credentials were first exposed on Telegram.
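The two failures the article describes, infostealer dumps handing out working logins and a leaked credential that was never rotated, are exactly what a defender's triage of a stealer feed should surface. The script below is an added example written for this page; it is not code from 404 Media, AU10TIX or spiderSilk. It parses a constructed dump in the common `url:username:password` layout (every line is invented, with hypothetical `.test` domains), keeps only entries tied to the organisation's own domains, discards the passwords immediately, and compares the date the dump appeared against a constructed rotation log to classify each account as rotated, still exposed, or lacking any rotation record. The dates mirror the article's timeline (dump seen March 2023, checked June 2024) but are assumptions, not figures from the reporting.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Tuple

# Constructed sample dump. Stealer logs are often shared as "url:username:password"
# lines; every line here is invented and contains no real credential.
SAMPLE_DUMP = """\
https://logs.example-idv.test/login:noc.manager@example-idv.test:Hunter2!
https://example-idv.okta.test:noc.manager@example-idv.test:S3cret:with:colons
https://shop.unrelated.test/account:someone@mail.test:pw12345
https://example-idv.my.salesforce.test:noc.manager@example-idv.test:sf-pass
"""

# Assumed: domains the organisation owns (hypothetical .test names).
ORG_DOMAINS = ("example-idv.test",)

# Assumed: when the dump was first posted and when the triage is run.
DUMP_FIRST_SEEN = datetime(2023, 3, 1, tzinfo=timezone.utc)
AS_OF = datetime(2024, 6, 24, tzinfo=timezone.utc)

# Constructed rotation records: (host, account) -> last time the secret was changed.
ROTATION_LOG: Dict[Tuple[str, str], datetime] = {
    ("logs.example-idv.test", "noc.manager@example-idv.test"): datetime(2022, 11, 20, tzinfo=timezone.utc),
    ("example-idv.okta.test", "noc.manager@example-idv.test"): datetime(2023, 3, 5, tzinfo=timezone.utc),
    # No record for the Salesforce entry: a gap the triage must surface, not hide.
}


@dataclass(frozen=True)
class Finding:
    host: str
    account: str
    status: str     # "still_exposed", "rotated" or "no_rotation_record"
    age_days: int   # days the secret has sat exposed without a rotation (0 if rotated)


def parse_dump(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (host, account) from url:user:password lines.

    The password field is dropped on the spot so the triage never holds
    plaintext secrets in memory longer than the split itself."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "://" not in line:
            continue
        rest = line.split("://", 1)[1]
        parts = rest.split(":", 2)  # maxsplit=2 keeps colons inside the password intact
        if len(parts) != 3:
            continue
        host = parts[0].split("/", 1)[0].lower()
        yield host, parts[1].strip().lower()


def is_org_account(host: str, account: str) -> bool:
    """Match on the account's mail domain or on the host the credential is for,
    so third-party SaaS tenants (Okta, Salesforce) used by staff are caught too."""
    mail_domain = account.rsplit("@", 1)[-1]
    return any(mail_domain == d or host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def triage(dump_text: str, rotation_log: Dict[Tuple[str, str], datetime],
           first_seen: datetime, now: datetime) -> List[Finding]:
    """Classify each organisation credential in the dump against the rotation log."""
    findings: List[Finding] = []
    seen = set()
    for host, account in parse_dump(dump_text):
        if (host, account) in seen or not is_org_account(host, account):
            continue
        seen.add((host, account))
        rotated_at = rotation_log.get((host, account))
        if rotated_at is None:
            status = "no_rotation_record"
        elif rotated_at > first_seen:
            status = "rotated"          # changed after the dump appeared
        else:
            status = "still_exposed"    # last change predates the leak
        age = 0 if status == "rotated" else (now - first_seen).days
        findings.append(Finding(host, account, status, age))
    return findings


def run_example() -> List[Finding]:
    return triage(SAMPLE_DUMP, ROTATION_LOG, DUMP_FIRST_SEEN, AS_OF)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.status:19} {f.age_days:4d}d  {f.account} @ {f.host}")
```

A rotation that predates the dump counts for nothing, which is why the comparison is against the date the dump surfaced rather than the simple existence of a rotation entry; the missing Salesforce record is reported as its own status so an absent log line is never mistaken for a safe account.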
In an updated statement, AU10TIX said “While PII data was potentially accessible, based on our current findings, we see no evidence that such data has been exploited. Our customers' security is of the utmost importance, and they have been notified.” The company added it will “continue the decommissioning process of the relevant operational system, replacing it with a new system,” and further harden the company’s security.
A spokesperson for Upwork, whose logo is included on AU10TIX’s website, told 404 Media in an email that the company “used Au10tix in the past, but we have been working with a different service provider for some time now.” A Fiverr spokesperson said “we are a client of AU10TIX. We have not been informed of any impact to Fiverr's data at this time.” A Coinbase spokesperson confirmed the company is an active AU10TIX client, and said “We are not aware of any Coinbase data exposure at this time and will continue to monitor the situation.”