On June 27, crypto exchange Coinbase has denied any knowledge of a breach of its customers’ data associated with the Au10tix compliance platform. The statement follows a June 26 report that claimed Au10tix employee credentials had been leaked on Telegram. The Au10tix website shows the Coinbase logo, seemingly implying that Coinbase is one of its clients.
“We are not aware of any Coinbase data exposure at this time and will continue to monitor the situation," a Coinbase representative told Cointelegraph.
Au10tix is an identity verification platform that claims to be used by Fiverr, TikTok, Uber, X, Coinbase, and many other platforms. It stores users’ photo IDs and other identifying information on behalf of the platforms it serves.
A representative from Au10tix clarified that an employee credential was leaked, which meant that “PII [personally identifiable information] data was potentially accessible.” However, “based on our current findings, we see no evidence that data has been exploited in any way.”
On June 26, 404 Media reported that the compliance platform “exposed a set of administrative credentials online for more than a year potentially allowing hackers to access that sensitive data.” The credentials had reportedly been discovered by cybersecurity firm SpiderSilk, which found them on Telegram. The credentials may have been obtained by an attacker who infected an Au10tix employee’s computer with malware.
A SpiderSilk security researcher was reportedly able to access customer data from at least one of the platform's clients using the credentials, proving that the data was accessible to anyone who possessed the leaked credentials. This data included “the person’s name, date of birth, nationality, identification number, and the type of document uploaded such as a drivers' license.” A link within the data also led to actual images of “American drivers’ licenses,” the report stated.
Related: Sensitive data leaked in Kroll cybersecurity breach — Report
An Au10tix representative told Cointelegraph that the credentials have now been “completely removed” and the customer data can no longer be accessed through them. In addition, they claimed that “[a]fter a detailed security review, we concluded that there was no malicious activity and no data leakage from our system.”
The compliance platform has also taken further steps to make sure an incident like this does not occur again. The representative stated:
“We disconnected the relevant operational system and replace[d] it with more secured systems. We are reviewing our security procedures and harden[ing] security controls across all IT assets. We appointed a dedicated team to continuously monitor for any future activity."
Au10tix claimed that it “complies and will continue to comply with the highest industry standards, market demands and recent best practices.”
Coinbase did not confirm or deny whether it uses Au10tix to store customer data. But it did state that it is unaware of any breach of its customers' data from the incident reported.
Most jurisdictions require centralized crypto exchanges to perform Know Your Customer (KYC) verification, which includes asking customers for images of their driver’s licenses or passports. Supporters argue that this practice is necessary to prevent exchanges from being used for money laundering. But critics argue that the practice violates users' privacy.