Authenticator for X, TikTok Exposes Personal User Info for 18 Months

Swaths of personal data and documents belonging to users of the world's most popular apps have been exposed online for well over a year now, and may have leaked to cybercriminals a while ago.

The company responsible for the leak, AU10TIX, is based in a suburb of Tel Aviv and specializes in identity verification via personal documents, biometrics, and more. Its customers include major companies like X, TikTok, LinkedIn, Coinbase, eToro, PayPal, Fiverr, Upwork, Bumble, Uber, and others.

Recently, a security researcher discovered exposed credentials that belonged to a network operations center manager at AU10TIX. They included the manager's passwords and tokens for various accounts, including an AU10TIX logging platform, where the company handled data belonging to individuals whose identities it had vetted.

The Extent of the Damage

The logging platform data included names, birth dates, nationalities, and images of ID documents such as driver licenses and passports.

Though the researcher limited his snooping, some data fields appeared to indicate the nature and purpose of the stored data, such as a chart with values such as "Impersonation_XCorp" and "uber-carshare-passport."

He also found proprietary data from the innards of the company's verification tech. One table, for example, contained results of live face scans, with a field rating the "probability" that the user's face was "live" on a scale from 0 to 1. Others measured the authenticity of documents and photos of faces.

Crucially, the exposed credentials seem to have been sucked up by malware back in December 2022, and posted to Telegram in March 2023.

In statements to 404media, AU10TIX initially claimed that "a thorough investigation determined that employee credentials were illegally accessed then and were promptly rescinded." When the publication informed the vendor that the credentials were still exposed online as of this month, 18 months after the fact, the company said it would work to take down the exposed logging system. It also claimed to have notified affected customers, and highlighted that "based on our current findings, we see no evidence that such data has been exploited."

The Catch-22 for App Users

Customers today are faced with an unfortunate choice (if it can even be considered a choice). Whether it be a cryptocurrency or payments, social media or dating, in order to use popular apps today, you often must hand over extra-sensitive information and documents that prove your identity. At the same time, you don't have any control over how that information and those documents are processed and stored.

Is there no way to achieve app security without a cost to personal security?

"Companies can adopt several methods for verifying identities that minimize the need to store sensitive documents and personally identifiable information," says Jason Soroko, senior vice president of product at Sectigo. "One approach is tokenization, which involves storing tokens or hashed values representing the documents instead of the actual documents. This reduces the risk in case the storage system is compromised."

"Another method uses zero-knowledge proofs, a cryptographic technique that allows one party to prove to another that they know a value without conveying any information beyond the fact that they know the value. "This can verify identity without exposing the actual data," Soroko explains. "Additionally, decentralized identity verification leverages blockchain technology, enabling users to control their identity information and share only the necessary parts with services that require verification, thereby enhancing privacy and security.

"These methods, while enhancing security and privacy, require careful implementation and ongoing management to avoid introducing new vulnerabilities."