Widely-Used Authentication Service Exposed Data
July 17, 2024
You probably have never heard of AU10TIX, but big companies including Uber, TikTok, X, Fiverr, Coinbase, LinkedIn, and Saxo Bank have. It is a data broker that offers an authentication service validating the identities of companies’ users, and its information was recently compromised, as Pieter Arntz, writes in MalwareBytes.
An internet researcher found that AU10TIX had inadvertently left data exposed that came from people who uploaded documents to prove their identity. Anyone who accessed the platform could copy the information, including name, date of birth, nationality, and the type of uploaded document, such as a driver’s license. Bad actors could also link to an image of the identifying document.
Arntz notes that as legislation proliferates requiring websites and platforms such as social networks and porn sites to verify their users’ age, the demand for authentication companies like AU10TIX’s service rises.
The likely source of the credentials that enabled the breach was an infostealer placed on the computer of a Network Operations Center Manager at AU10TIX. Stolen credentials such as that have already facilitated breaches, including the ones associated with the Snowflake cloud service breach.
The article says that there are around 480 data brokers like AU10TIX registered with the California Privacy Protection Agency. There might be many more because there are small players active in data brokering that keep a low profile.
The article includes some general tips on what individuals should do if their data has been compromised:
- Check with the vendor, and follow any specific advice they offer
- Change your password
- Enable two-factor authentication, but be aware that some forms of two-factor authentication can be phished just as easily as a password
- Consider not storing your card details on vendor platforms
- Set up identity monitoring alerts if your personal information is being traded illegally online
AU10TIX said it was no longer using the compromised authentication service and had no evidence the stolen data had been exploited.
Critical intelligence for general counsel
Stay on top of the latest news, solutions and best practices by reading Daily Updates from Today's General Counsel.
Daily Updates
Sign up for our free daily newsletter for the latest news and business legal developments.