X, Coinbase User Data Potentially Exposed As KYC Provider AU10TIX Left Admin Credentials Open for 18 Months
AU10TIX, an Israel-based ID verification and compliance platform hired to verify user identities at X (formerly Twitter) last September, left a set of administrative credentials exposed for over 18 months, according to cybersecurity researchers at spiderSilk, who broke the story to 404 Media.
- The exposed admin credentials provided access to a logging platform containing links to identity documents, including user names, dates of birth, nationalities, ID numbers, and images of uploaded documents.
The leak occurred in December 2022, and it is believed that malware accessed the admin account. The account details have been shared in Telegram hacker communities since March 2023.
- A spiderSilk security researcher was able to access customer data from at least one of the platform’s clients using the credentials, showing that the data was accessible to anyone with the leaked credentials. The credentials were still functional as of last month, the researcher said.
"404 Media downloaded these credentials and found the name matched that of someone who lists their role on LinkedIn as a Network Operations Center Manager at AU10TIX. The file contained a wealth of passwords and authentication tokens for various services used by the employee, including tools from Salesforce and Okta, as well as the logging service itself," was stated in the report.
- According to the firm's website and related reports, AU10TIX has worked with many notable companies over unspecified periods of time, including TikTok, X, Coinbase, PayPal, Upwork, Uber, LinkedIn, Fiverr, Google, Airbnb, Santander, eToro, Payoneer, and Saxo Bank.
AU10TIX has issued a statement on the matter, claiming that the "data was potentially accessible" but "after a detailed security review, we concluded that there was no malicious activity and no data leakage from our system."
- No signs of identity theft have been reported so far, but users who have verified their accounts on any of these platforms are recommended to treat the situation seriously. Coinbase also denied any knowledge of a breach of its customers’ data associated with AU10TIX.
"Age verification systems are surveillance systems. Mandating them forces websites to require visitors to submit information such as government-issued identification to companies like AU10TIX. Hacks and data breaches of this sensitive information are not a hypothetical concern; it is simply a matter of when the data will be exposed, as this breach shows," the EFF wrote in response to the report.
404 Media Report (Paywalled) / Archive
Engadget Article / Archive
Gizmodo Article / Archive
EFF Article / Archive