This week's dispatch from the Ministry of Intrigue
Hello, faithful reader.
We published the following fresh dispatch this week:
404 Media on AU10TIX Privacy Breach
June 26, 2024, 11:50 a.m.
Another day, another privacy breach. This time from Israeli identity verification service, AU10TIX, which is used by sites such as Coinbase, Fiverr, LinkedIn, PayPal, TikTok, Uber, Upwork, and X (formally Twitter1).
The credentials appear to have been harvested by malware in December 2022, and first posted to a Telegram channel in March 2023, according to timestamps and messages from the Telegram channel that posted the credentials online. 404 Media downloaded these credentials and found the name matched that of someone who lists their role on LinkedIn as a Network Operations Center Manager at AU10TIX. The file contained a wealth of passwords and authentication tokens for various services used by the employee, including tools from Salesforce and Okta, as well as the logging service itself. 404 Media did not use the credentials in any way.
— Joseph Cox, ID Verification Service for TikTok, Uber, X Exposed Driver Licenses
It also contains a gem of a quote from Mossab Hussein, the security professional that alerted 404 Media to the breach.
My personal reading of this situation is that an ID Verification service provider was entrusted with people’s identities and it failed to implement simple measures to protect people’s identities and sensitive ID documents.
Utterly irresponsible.
R.I.P. ↩︎
Grave dust and falling leaves.