At Sumsub, security is our top priority, and we take all reports of potential vulnerabilities very seriously.
After a thorough investigation, we confirm that there have been no data leaks or breaches on Sumsub’s side. The security incident in question was caused externally by a third-party integrator used by our customer. The client’s access credentials to the system became publicly available due to the integrator’s negligence. More specifically, an API misconfiguration flaw in the authentication process created by this integrator exposed Sumsub’s API tokens intended for user authentication. This misconfiguration in the external integration, in turn, enabled unauthorized access to user data through the API.
Therefore, the security failure pointed out by the reporter, Lilith Wittmann, was entirely related to a third-party integration and was beyond Sumsub’s reasonable control.
Importantly, Sumsub’s systems were not compromised, as the unauthorized actor was using legitimate API credentials to make requests identical to those of regular users. The root cause of this incident was created when our customer’s integrator made possible the exposure of user access tokens in verification links, which is comparable to publicly sharing private login credentials.
Upon becoming aware that an unauthorized actor—later identified as Ms. Wittmann—had gained access to the client’s data, we promptly contacted the customer with instructions on how to prevent any further exposure. Additionally, in advance of the publication, we proactively reached out to Ms. Wittmann to conduct further investigation.
Nevertheless, we take this matter with the utmost seriousness and will continue to enforce the highest security standards, working closely with our partners to prevent vulnerabilities and ensure robust protective measures are always in place. Our goal is to eliminate any chance of a data leak to the maximum possible extent, period, even where the risk is not due to any oversight attributable to Sumsub.