This analysis is based on breaking news and has been updated.

While states from Utah to Florida have recently mandated that social media companies verify user age in order to require parental consent for minors on social media, AU10TIX—the company the biggest platforms, including X (formerly Twitter) and TikTok, use for identity verification—has left sensitive personal data exposed for more than a year. Hackers could have stolen most of this information with little effort. While concerning for obvious reasons, this news should also rattle well-meaning lawmakers attempting to protect minors by way of age-verification legislation for social media companies—many of which apparently use this company’s services.

Not only have laws forcing users to verify their ages before accessing social media been enacted locally, but federal proposals like the Kids Online Safety Act will functionally require the same practice. Age verification requires individuals wishing to use particular websites or applications to upload some combination of Social Security numbers, government IDs, face scans, and the like. States have admitted as much. This practice has special force when parental or guardian consent is required, as proof is needed that the adult claiming to be the minor’s guardian is in fact the legal guardian of the minor in question. Moreover, if social media companies wrongly assume that a minor is an adult, they face legal liability—although many state bills offer a carve-out as long as these sites implement age verification.

R Street’s series on the fundamental problem with age verification has already addressed the serious risks—including data breaches and hacks—associated with uploading users’ most sensitive personal information to a large number of websites. This possibility has now come to pass in this specific scenario.

404 Media reported that AU10TIX “exposed a set of [employee] administrative credentials online for more than a year,” allowing hackers or other malefactors to harvest users’ sensitive personal data easily. This included “name, date of birth, nationality, identification number, and the type of document uploaded such as a drivers’ license.” This sensitive information is also tied to social media accounts in the portal. The potential for identity theft, financial fraud, and other data-related crimes is all too obvious.

Even worse, 404 Media noted that the exposed credentials “appear to have been harvested by malware in December 2022, and first posted to a Telegram channel in March 2023, according to timestamps and messages from the Telegram channel that posted the credentials online.” As a result, any other individual or entity intent on doing harm could have easily used these publicly exposed credentials to log in and download users’ sensitive personal data for more than a year. “The file contained a wealth of passwords and authentication tokens for various services used by the employee, including tools from Salesforce and Okta, as well as the logging service itself.” The report further explains that the specific type of malware used in this data theft is often the first step in top data breaches.

AU10TIX told 404 Media that the incident was old and credentials were rescinded—but 404 Media found that the credentials still worked as of this month. After relaying that information, AU10TIX “then said it was decommissioning the relevant system, more than a year after the credentials were first exposed on Telegram.”

The company said in a statement that its findings showed no evidence that the data had been exploited, despite its being readily accessible to essentially the entire world. The company also told 404 Media that it had notified its customers about the data breach. However, spokespeople for two of these customers—Fiverr and Coinbase—each told 404 Media that they had not been made aware of this problem.

A clear understanding of historical data breaches and cybersecurity best practices has long confirmed that legislation requiring age verification or parental consent for social media access would lead to exactly this outcome. Before rushing to pass these laws, lawmakers need to consider the highly damaging, albeit unintended, consequences they pose. The widespread hacks and data breaches enabled by age-verification laws will inevitably put individuals supplying sensitive personal data at serious risk of identity theft and financial fraud.