AU10TIX Breach: TikTok and X Users' ID Data Left Exposed for Over a Year

AU10TIX, the ID verification provider for TikTok and X, exposed sensitive user data for over a year, putting personal information at risk.

AU10TIX Breach: TikTok and X Users' ID Data Left Exposed for Over a Year

A major ID verification service provider, AU10TIX, has recently been found to have exposed sensitive administrative credentials for over a year. This breach potentially allowed hackers to access personal information such as driver's licenses and biometric data from users of TikTok and X (formerly Twitter), among others.


AU10TIX, an Israeli-based company specializing in identity verification, partners with various high-profile platforms including TikTok, X, and Uber. The company's services involve verifying user identities through facial recognition and scanning government-issued IDs. However, it was discovered that administrative credentials linked to AU10TIX were left exposed, creating a significant security vulnerability.

Details of the Breach

The exposed credentials provided access to a logging platform containing links to sensitive identity documents. This data exposure, which lasted over a year, was initially identified by Mossab Hussein, the chief security officer at cybersecurity firm spiderSilk. The credentials were reportedly compromised by malware in December 2022 and subsequently shared on a Telegram channel in March 2023.


The breach could have severe implications if hackers exploited the exposed data. This would include personal information such as names, dates of birth, nationalities, ID numbers, and images of uploaded documents. Such information is critical for identity theft, allowing cybercriminals to commit fraud with ease.

Response from AU10TIX

In response to the breach, AU10TIX stated that while the data was "potentially accessible," there is no evidence to suggest it was exploited. The company has notified affected customers and is moving to a new, more secure operating system. Some partners, like Upwork, had already switched verification providers before the breach was discovered, while others like X and Fiverr continue to use AU10TIX's services.

X's Partnership with AU10TIX

Following Elon Musk's acquisition of X, the platform revamped its verification process, which included partnering with AU10TIX for ID verification. The new system aims to combat impersonation by requiring government ID verification for paid users, storing verification data for up to 30 days. This partnership is part of X’s broader efforts to enhance platform security and ensure user authenticity​ (Engadget)​​ (BioUpdate)​​ (Security Systems News)​​ (​.