The AU10TIX case: millions of records exposed in a security breach affecting major apps

A leading identity verification provider, AU10TIX, has exposed sensitive information from customers of companies such as X, TikTok, Coinbase, and Uber. The extensive breach, discovered in June 2024, spanned a year and a half, according to investigations.

The origin of the data breach  

A

U10TIX, an Israeli company specialising in digital identity verification, suffered a serious security breach that exposed the personal data of millions of users of its clients. Among the affected clients are some of the world’s most popular companies, including X, TikTok, LinkedIn, Coinbase, eToro, PayPal, Fiverr, Upwork, Bumble, and Uber. 

The breach was discovered when a security researcher found exposed credentials belonging to an AU10TIX employee. These credentials included passwords and tokens for accessing various company accounts, including a logging platform where the data of verified users was stored. According to investigations, these credentials were stolen in December 2022 and posted on Telegram in March 2023. 

The logging platform contained a vast amount of personal information: names, birth dates, nationalities, and images of identity documents such as driving licences and passports. Additionally, internal data from AU10TIX’s verification technology was found, including results of facial scans and authentication metrics for documents and photos. A massive security hole with unpredictable long-term consequences. 

Who are AU10TIX 

The company that eventually became AU10TIX, ICTS International, was founded in 1982 as a provider of document authentication services at airports. Starting in 2002, it expanded into digital verification services and created the company that would become AU10TIX in 2013. This organisation offers solutions for biometric verification, verifiable credentials, workflow orchestration, age verification, deepfake detection, and more. 

The data leak from AU10TIX is a severe blow to user privacy, as users are likely unaware that their most sensitive personal information has been shared. 

AU10TIX defended itself by claiming to have taken measures to mitigate the damage and insisted there was no evidence that the data had been maliciously used. The reality, however, is that the exposed data could be used by cybercriminals for various illicit purposes, such as identity theft, financial fraud, or even blackmail. 

What do these serious incidents have in common 

Despite the differences in the affected companies, the exposed data, and the techniques used by cybercriminals, the major data breach incidents that periodically make the news share some common characteristics. It’s worth reviewing these weak points and noting that TrustCloud has never experienced a data breach. 

Failures in Basic Security: In many cases, data breaches occur due to basic security failures, such as the use of weak passwords, lack of multi-factor authentication, or inadequate security measures to protect stored data. 

• Human errors: Human errors, such as clicking on phishing links, losing portable devices, or incorrectly configuring systems, are also common factors in data breaches. 

• Sophisticated attacks: Cybercriminals are using increasingly sophisticated techniques to gain access to computer systems and steal data. This includes malware attacks, targeted phishing attacks, and zero-day attacks—a type of attack that exploits a software vulnerability unknown to the software developer and the security community. This means that attackers are the first to discover and exploit the vulnerability, giving them a significant advantage over defenders. 

• Third-Party exploitation: Often, data breaches occur through external vendors or partners who have access to company data. This highlights the importance of third-party risk management and the need to implement adequate security measures to protect the data supply chain. 

• Lack of transparency: Many companies are not transparent about the data breaches they suffer, making it difficult for users to take protective measures. It is important for companies to communicate security incidents in a timely and transparent manner and provide users with information on how they can protect their data. Providing opaque information or denying the facts will generate distrust and affect the company’s credibility. 

• Lack of accountability: Often, there are no significant consequences for companies that suffer data breaches. This creates an incentive for companies not to invest sufficiently in data security. Stricter regulations and harsher penalties are needed to deter companies from neglecting data protection. 

Security in identity verification as an ongoing project  

This incident underscores the need for companies to adopt more secure identity verification methods that minimize the need to store sensitive data. Tokenization, zero-knowledge proofs, and decentralized identity verification are some alternatives that can help protect user privacy without compromising security. 

It is crucial for users to also be aware of the risks associated with sharing their personal data online and take steps to protect their information, such as using strong passwords, enabling multi-factor authentication (MFA), and being vigilant against any suspicious activity in their accounts. 

Only through the adoption of robust security practices covering data acquisition, storage, and a proactive approach to privacy protection can we ensure that our personal information remains secure. 

Learn about our attack-proof and data breach-proof project