June 27th, 2024

Identity Verification Used by X, TikTok, and Uber Exposed Driver's Licenses

An identity verification firm, AU10TIX, exposed login credentials, risking access to sensitive data like driver's licenses. Despite claims of prompt revocation, functional credentials were found. AU10TIX partners with major platforms.

An identity verification firm, AU10TIX, utilized by companies like X, TikTok, and Uber, inadvertently exposed administrative login credentials to the internet for over a year. This security lapse could have allowed unauthorized access to sensitive user information, such as images of American driver's licenses. AU10TIX typically requests various identifying data points, like selfies and government-issued ID pictures, to verify users on platforms. The breach originated from an AU10TIX employee's compromised login credentials, which were then shared on a Telegram channel. Despite AU10TIX's claim that the incident occurred over 18 months ago and that the credentials were promptly revoked, a cybersecurity researcher found that the credentials were still functional. AU10TIX stated they were shutting down the system associated with the compromised credentials and assured that there was no evidence of data exploitation. The company has partnerships with several major platforms and brands, including PayPal, LinkedIn, and Coinbase.

Related

I found a 1-click exploit in South Korea's biggest mobile chat app

A critical exploit in KakaoTalk allows attackers to run JavaScript in a WebView, potentially compromising user accounts by stealing access tokens. The exploit highlights the need to address security vulnerabilities in messaging apps.

Snowflake breach snowballs as more victims, perps, come forward

The Snowflake data breach expands to include Ticketek, Ticketmaster, and Advance Auto Parts. ShinyHunters claim involvement, Snowflake enforces security measures. CDK faces ransomware attack, Juniper and Apple vulnerabilities identified. Jetflicks operators convicted.

Rabbit data breach: all r1 responses ever given can be downloaded

A data breach at Rabbit Inc. exposed critical API keys for ElevenLabs, Azure, Yelp, and Google Maps, compromising personal information and enabling malicious actions. Rabbit Inc. has not addressed the issue, urging users to unlink Rabbithole connections.

Researchers Prove Rabbit AI Breach by Sending Email to Us as Admin

Researchers found a security flaw in Rabbit R1 AI assistant, exposing hardcoded API keys. Hackers could access sensitive data, impersonate the company, and send emails. Rabbitude group aims to improve security and functionality.

Rabbit failed to properly reset keys: emails can be sent from rabbit.tech domain

Rabbit Inc. failed to reset all keys, leaving a fifth API key active, potentially exposing email history and user data. Despite investigations, no evidence of data breaches or system compromises was found.

1 comment
By @dang - 4 months
Comments moved to https://news.ycombinator.com/item?id=40805949, which has the original source.