X Authenticator App Reveals TikTok Users’ Personal Data Over 18-Month Period

In a concerning turn of events, personal data and documents belonging to users of some of the world’s most popular apps have been left exposed online for more than a year, potentially falling into the hands of cybercriminals. The company at the center of this data leak, AU10TIX, is located in a suburb of Tel Aviv and specializes in identity verification services through personal documents and biometrics. Its clientele includes major companies such as X, TikTok, LinkedIn, Coinbase, and many others.

The breach came to light when a security researcher stumbled upon the exposed credentials of a network operations center manager at AU10TIX. The credentials included passwords and tokens for various accounts, among them the company's logging platform, which stored data of individuals whose identities had been verified by AU10TIX. The data on the platform included sensitive information like names, birth dates, nationalities, and images of ID documents like driver licenses and passports. Additionally, the researcher discovered proprietary data related to the company's verification technology, such as live face scans and authenticity ratings for documents and images.

It is alarming to note that the exposed credentials were reportedly obtained by malware in December 2022 and later shared on Telegram in March 2023. AU10TIX initially claimed that the employee credentials had been accessed illegally but were promptly revoked. However, the credentials remained exposed online even 18 months after the incident. The company assured that affected customers had been informed and stated that there was no evidence of data exploitation based on their current investigations.

The incident raises significant concerns for users of popular apps who are required to provide sensitive information and documents to access these services. The dilemma faced by customers highlights the trade-off between app security and personal security. Is there a way to ensure app security without compromising personal data security?

Jason Soroko, Senior Vice President of Product at Sectigo, suggests that companies can adopt identity verification methods that minimize the need to store sensitive documents. Tokenization, for instance, involves storing tokens or hashed values representing the documents instead of the actual documents, reducing the risk in case of a storage system breach. Another method, zero-knowledge proofs, allows verification of identity without revealing the actual data. Decentralized identity verification leveraging blockchain technology enables users to control their identity information and share only necessary details with services requiring verification, thereby enhancing privacy and security.
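The tokenization approach described above can be sketched as follows. This is an added example, not code from the article, AU10TIX, or Sectigo; all names are hypothetical, and it assumes the token is computed over canonicalized document fields with a key held outside the record store.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, asdict
from datetime import date

# Assumption: in production this key lives in a KMS/HSM, never beside the records.
TOKEN_KEY = secrets.token_bytes(32)

def document_token(key: bytes, doc_bytes: bytes) -> str:
    """Keyed digest of the document. A bare SHA-256 of low-entropy data
    (e.g. a document number) can be brute-forced; HMAC also needs the key."""
    return hmac.new(key, doc_bytes, hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class VerificationRecord:
    subject_id: str    # opaque account reference, not a name
    doc_token: str     # HMAC of the document, not the document itself
    doc_type: str
    over_18: bool      # derived claim kept instead of the birth date
    verified_on: str

def verify_and_tokenize(subject_id, doc_type, doc_bytes, birth_date, today, key=TOKEN_KEY):
    """Run after the authenticity check (out of scope here) has passed.
    Returns only what is persisted; document and birth date are dropped."""
    age = today.year - birth_date.year - (
        (today.month, today.day) < (birth_date.month, birth_date.day))
    return VerificationRecord(subject_id, document_token(key, doc_bytes),
                              doc_type, age >= 18, today.isoformat())

def same_document(record, doc_bytes, key=TOKEN_KEY):
    """Re-verification: recompute the token and compare in constant time."""
    return hmac.compare_digest(record.doc_token, document_token(key, doc_bytes))

def log_line(record):
    """What reaches the logging platform: the record fields only."""
    return " ".join(f"{k}={v}" for k, v in asdict(record).items())

# Constructed sample input, not real data.
SAMPLE_DOC = b"passport|UTO|X0000000|DOE<<JANE|1974-08-12"
SAMPLE_RECORD = verify_and_tokenize("acct-7f3a", "passport", SAMPLE_DOC,
                                    date(1974, 8, 12), date(2024, 6, 26))

if __name__ == "__main__":
    print(log_line(SAMPLE_RECORD))
```

With this layout, stolen credentials for the logging platform yield tokens and derived claims rather than names, birth dates, or document images.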

While these methods offer improved security and privacy, they require meticulous implementation and ongoing management to prevent new vulnerabilities. It is imperative for companies to prioritize data protection and adopt robust security measures to safeguard customer information from potential data breaches and cyber threats.
