A company that helps to authenticate users for big brands had a set of administration credentials exposed online for over a year, potentially allowing access to user identity documents such as driving licenses.

As more and more legislation emerges requiring websites and platforms—like gambling services, social networks, and porn sites—to verify their users’ age, the requirement for authentication companies offering that service rises.

You may never have heard of the Israeli based authentication company, AU10TIX, but you will certainly recognize some of its major customers, like Uber, TikTok, X, Fiverr, Coinbase, LinkedIn, and Saxo Bank.

AU10TIX checks users’ identities via the upload of a photo of an official document.

A researcher found that AU10TIX had left the credentials exposed, providing 404 Media with screenshots and data to demonstrate their findings. The credentials led to a logging platform containing data about people that had uploaded documents to prove their identity.

Whoever accessed the platform could peruse information about those people, including name, date of birth, nationality, identification number, and the type of uploaded document such as a drivers’ license, linking to an image of the identity document itself.

Research showed that the likely source of the credentials was an infostealer on a computer of a Network Operations Center Manager at AU10TIX.

Stolen credentials have shown to be a major source of breaches like those recently associated with Snowflake. Snowflake pointed to research which found that one cybercriminal obtained access to multiple organizations’ Snowflake customer instances using stolen customer credentials.

Another major problem is that these sets of credentials get traded and sold all the time. And it’s not as if when you sold them once, that’s it. Digital information can be copied and combined endlessly, leading to huge data sets that criminals can use as they see fit.

We’ve talked about the dangers of data brokers in the past. The California Privacy Protection Agency (CPPA) defines data brokers as businesses that consumers don’t directly interact with, but that buy and sell information about consumers from and to other businesses. There are around 480 data brokers registered with the CPPA. However, that might be just the tip of the iceberg, because there are a host of smaller players active that try to keep a low profile.

Either way, for any company and particularly an authentication company working with sensitive data, having such an account accessible with just login credentials should be grounds for serious penalties.

In a statement given to 404 Media, AU10TIX said it was no longer using the system and had no evidence the data had been used:

“While PII data was potentially accessible, based on our current findings, we see no evidence that such data has been exploited. Our customers’ security is of the utmost importance, and they have been notified.”

For now, there’s not much that individual users of the brands can do apart from keep an eye out for any official statements, and consider an ongoing identity monitoring solution. Below are some general tips on what to do if your data has been part of a data breach:

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your personal data exposure

You can check what personal information of yours has been exposed on our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

This week on the Lock and Code podcast…

A digital form of protest could become the go-to response for the world’s largest porn website as it faces increased regulations: Not letting people access the site.

In March, PornHub blocked access to visitors connecting to its website from Texas. It marked the second time in the past 12 months that the porn giant shut off its website to protest new requirements in online age verification.

The Texas law, which was signed in June 2023, requires several types of adult websites to verify the age of their visitors by either collecting visitors’ information from a government ID or relying on a third party to verify age through the collection of multiple streams of data, such as education and employment status.

PornHub has long argued that these age verification methods do not keep minors safer and that they place undue onus on websites to collect and secure sensitive information.

The fact remains, however, that these types of laws are growing in popularity.

Today, Lock and Code revisits a prior episode from 2023 with guest Alec Muffett, discussing online age verification proposals, how they could weaken security and privacy on the internet, and whether these efforts are oafishly trying to solve a societal problem with a technological solution.

“The battle cry of these people have has always been—either directly or mocked as being—’Could somebody think of the children?’” Muffett said. “And I’m thinking about the children because I want my daughter to grow up with an untracked, secure private internet when she’s an adult. I want her to be able to have a private conversation. I want her to be able to browse sites without giving over any information or linking it to her identity.”

Muffett continued:

“I’m trying to protect that for her. I’d like to see more people grasping for that.”

Alec Muffett

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

---

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.