Subj : An ID verification service for TikTok, Uber and X reportedly left To : All From : TechnologyDaily Date : Thu Jun 27 2024 19:45:05 An ID verification service for TikTok, Uber and X reportedly left its credentials open for a year Date: Thu, 27 Jun 2024 18:39:52 +0000 Description: Hackers had easy access to people's driver's license info, and more, courtesy of circulating admin credentials. FULL STORY ====================================================================== Identity verification company AU10TIX kept a set of admin credentials exposed for more than a year, possibly allowing threat actors to steal its customers sensitive data. AU10TIX verifies user identities on behalf of its clients, which include, among others, TikTok, X, and Uber, via selfie pictures and scans of peoples drivers licenses. Cybersecurity researchers from spiderSilk were the first (among white hat researchers) to stumble upon the credentials. They claim that the login information grants access to a logging platform, where access to the identity documents is unabated. Stolen credentials My personal reading of this situation is that an ID Verification service provider was entrusted with people's identities and it failed to implement simple measures to protect people's identities and sensitive ID documents, said Mossab Hussein, the chief security officer at spiderSilk. Unfortunately, it seems that malicious players beat spiderSilk to the punch, as account information was probably picked up by a piece of malware in December 2022, and shared via Telegram in March 2023. If someone did access this database (which AU10TIX claims was not abused in the wild), they would have gotten access to peoples names, birth dates, nationalities, ID numbers, and images of their faces. This is more than enough to run successful identity theft of phishing attacks. Such data is also quite expensive on the black market, too. AU10TIX said it notified the affected customers and that it is replacing the current operating system with a new one, with more focus on security. It signed X as a client in September 2023, when we reported that the company had a clean rap sheet, without any public data breaches. As such, it was seen as a good choice for the social media behemoth. We did, however, said wed remain skeptical given Musks controversial decisions in the past, and we were most definitely right. Via 404 Media More from TechRadar Pro Thousands of websites told to ditch Polyfill service after Chinese hackers hijack it to serve malware Here's a list of the best firewalls today These are the best endpoint protection tools right now ====================================================================== Link to news story: https://www.techradar.com/pro/security/an-id-verification-service-for-tiktok-u ber-and-x-reportedly-left-its-credentials-open-for-a-year --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .