AU10TIX, an identity verification company operating out of Israel and serving prominent clients like TikTok and more recently Elon Musk’s X, was found to have inadvertently left sensitive user information vulnerable after administrative credentials were exposed online, according to a report from 404 Media.
The company, known for processing photos and drivers’ licenses to verify identities, allegedly had this security lapse exposed by cybersecurity firm spiderSilk, revealing a potential goldmine for hackers.
The exposed data, accessible for over a year, included not only basic identity details such as names, birth dates, and nationalities but also images of the identity documents themselves, such as drivers’ licenses. This breach underscores a growing concern as more platforms, including social networks and adult content sites, demand real identity verification from users, increasing the risk of personal data exposure.
Further complicating the issue, AU10TIX’s services involve sophisticated processes like “liveness detection” and age estimation through photo analysis, indicating the depth of data potentially compromised.
The breach was first detected when credentials stolen by malware were found on a Telegram channel. This channel had posted these credentials in March 2023, despite them being harvested back in December 2022. These included passwords and tokens for various services, which 404 Media suggests deepens concerns.
In a statement, AU10TIX said “While PII data was potentially accessible, based on our current findings, we see no evidence that such data has been exploited. Our customers’ security is of the utmost importance, and they have been notified.”
X, formerly known as Twitter, has recently introduced a new policy requiring users who earn through its platform—via advertising or paid subscriptions—to verify their accounts using government-issued IDs.
This move, facilitated through a partnership with Au10tix was designed to reduce impersonation and fraud. But starting immediately for new creators and by July 1, 2024, for existing ones, the policy aims to enhance authenticity and secure user transactions.
However, it also sparks significant privacy and free speech concerns, as the platform is recognized for championing free expression—a principle often supported by the ability to remain anonymous.
The implementation of mandatory government ID verification by X is part of a wider trend towards digital ID verification in the online and political arenas, raising questions about the impact on free speech and anonymity.
While the intent behind such policies is to improve security and authenticity, they risk infringing on the fundamental rights to privacy and anonymous speech, essential for activists, whistleblowers, and those critical of their governments.