In news that surprises absolutely nobody in the adult industry, one of the major companies that verify people’s IDs has been hacked, and their personal information has been leaked.

This is something that the adult industry has been warning the public about all year long since multiple states demanded users provide their information to these online ID verification companies.

A prominent identity verification firm, AU10TIX, which has partnered with major platforms like TikTok, Uber, and X (formerly Twitter), recently faced a significant security breach. According to a report by 404 Media, administrative login credentials for AU10TIX were exposed to the internet for over a year, potentially compromising sensitive user information, including images of driver’s licenses.

The breach was discovered when a cybersecurity researcher found that login credentials harvested by malware in 2022 were posted on a Telegram channel. The exposed credentials allowed unauthorized access to a logging platform containing user data from various client platforms. This data included names, dates of birth, nationalities, identification numbers, and images of government-issued IDs, such as American driver’s licenses.

• 2022: An AU10TIX staffer’s login credentials were harvested by malware.
• Telegram Channel: The credentials were subsequently posted on a Telegram channel.
• Cybersecurity Alert: A cybersecurity researcher alerted 404 Media about the exposed credentials.
• June 2023: The credentials were reportedly still active, allowing access to sensitive user data.
• Response: AU10TIX claimed the credentials were rescinded 18 months ago and that the incident was thoroughly investigated.

AU10TIX, which provides identity verification services by collecting identifying data points such as selfies and government-issued ID pictures, plays a crucial role in verifying real users on various platforms. However, this incident has highlighted the potential privacy risks associated with such services.

When contacted by 404 Media, AU10TIX stated, “The incident you cited happened over 18 months ago. A thorough investigation determined that employee credentials were illegally accessed then and were promptly rescinded.” Despite this claim, the cybersecurity researcher reported that the credentials were still functional as of June 2023. Upon being informed of this, AU10TIX said it was “decommissioning the relevant system” linked to the credentials.

Regarding the potential access to user data, AU10TIX maintained, “While PII data was potentially accessible, based on our current findings, we see no evidence that such data has been exploited. Our customers’ security is of the utmost importance, and they have been notified.”

The exposure of such sensitive information raises significant concerns about the governance and sophistication of vendors in the identity verification space. Given the high-trust nature of their services, companies like AU10TIX are expected to maintain rigorous security measures. The incident has led to questions about whether such firms carry adequate insurance and employ specialists to ensure thorough remediation of security breaches.

This breach also underscores the broader issue of data security in the age of digital identity verification. As social networks and other online platforms increasingly move towards verified identity models, the potential for similar incidents becomes a growing concern. The exposed credentials and the subsequent access to sensitive user data highlight the critical need for robust security protocols and continuous monitoring to protect user information.

The AU10TIX security breach serves as a stark reminder of the vulnerabilities inherent in digital identity verification systems. While the company has taken steps to address the issue, the incident reveals gaps in its security measures that need to be addressed to prevent future breaches. As the industry moves forward, ensuring the security and privacy of user data must remain a top priority for all stakeholders involved.