This Week in Data Breaches: Binance Blackmailed, StockX Hacked, and YouHodler Exposed
Equifax’s $700 million data breach settlement and Capital One’s massive data breach grabbed headlines over the past couple of weeks as the fallout from an onslaught of major breaches rages on. With the Equifax and Capital One news, a slew of new breaches and privacy intrusions flew under the radar. Here are the stories you might have missed.
Binance Blackmailed Over KYC Data
Cryptocurrency exchange Binance is being blackmailed over identity information that a hacker allegedly stole from the company. A hacker has demanded 300 Bitcoin in exchange for the stolen data, which the hacker has claimed includes information used for Know Your Customer (KYC) verification, such as passports and other identity documents.
After Binance refused to pay, some 400 of the 10,000 stolen photos were released on an anonymous Telegram group. The photos show customers holding their passports or other official documents. Binance acknowledged that the photos appeared to be from February 2018, a period during which the company outsourced its KYC process to a third-party provider.
In a statement, Binance said, “We would like to inform you that an unidentified individual has threatened and harassed us, demanding 300 BTC in exchange for withholding 10,000 photos that bear similarity to Binance KYC data...At the present time, no evidence has been supplied that indicates any KYC images have been obtained from Binance, as these images do not contain the digital watermark imprinted by our system.”
Compromised KYC data is extremely dangerous to consumers, as it often includes complete photos of passports, driver’s licenses, and other types of identity documents, which gives identity thieves nearly everything they need to commit fraud in someone else’s name. Advancements in blockchain technology make it easier than ever to decentralize the storage of customer data and minimize what is shared.
StockX Breach Exposed 6.8 Million Records
Earlier this week, sneaker marketplace StockX confirmed that it suffered a data breach in which 6.8 million user records were stolen. The stolen data is currently for sale on the dark web for $300. TechCrunch confirmed that the data is accurate for at least some StockX users.
Data that was stolen in the breach included users’ names, email addresses, shipping addresses, hashed passwords, shoe sizes, and purchase histories. Following the breach, StockX sent out a password reset email to all users under the guise of “system updates”, failing to inform customers of the breach until a few days later.
In response to scrutiny that followed the botched disclosure, the company said, “We had just begun our investigation and did not yet know the nature, extent, or scope of suspicious activity to which we had been alerted...we felt a responsibility to act immediately to protect our customers while our investigation continued.”
If you use your StockX password for any other accounts, make sure to change them immediately. Setting up and using a password manager to create strong, unique passwords for all of your accounts is one of the most effective ways to keep one stolen password from compromising all of your accounts. For more information, check out our guide on how to protect your identity.
Robinhood Stored Some User Passwords in Plain Text
Investment app Robinhood sent out an email last week notifying users that it accidentally stored some passwords in plain text on its servers. Though the company said that there was no evidence the plain text credentials were exposed or misused, it is a pretty big security mistake for a company that has over 4 million active users and now also serves as a clearing house and asset custodian.
In the email to affected customers, Robinhood said, “We discovered that some user credentials were stored in a readable format within our internal systems. We wanted to let you know that your password may have been included. We resolved this issue, and after thorough review, found no evidence that this information was accessed by anyone outside of our response team.”
Storing passwords in plain text puts users at significant risk in the event that a data breach exposes the credentials. Plain text passwords can also be exploited internally by employees who could use them to gain unauthorized access to customer data or for other nefarious purposes. Password hashing, by contrast, stores only a one-way digest of the password, so someone who obtains the stored records does not obtain the password itself. Robinhood says that all passwords are now hashed using the bcrypt hashing algorithm.
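To make the difference concrete, here is an added example (not Robinhood's code, and not from the original post) that builds the same user table both ways and checks what a stolen copy of each table reveals. bcrypt is not in the Python standard library, so the slow, salted scrypt function from hashlib stands in for it; the user records are constructed sample data.

```python
import hashlib
import hmac
import os

# scrypt work factors (assumed values for illustration; tune for production hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex' using a fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def plaintext_store(users):
    """The mistake described above: the credential column holds the raw password."""
    return {email: password for email, password in users.items()}


def hashed_store(users):
    """The corrected form: the credential column holds only a salted one-way digest."""
    return {email: hash_password(password) for email, password in users.items()}


def dump_reveals_password(store, email, password):
    """What a stolen copy of the table tells its holder: is the real password in the record?"""
    return store[email] == password


# Constructed sample accounts (not real users).
SAMPLE_USERS = {"alice@example.com": "correct horse battery staple",
                "bob@example.com": "hunter2"}

if __name__ == "__main__":
    plain, hashed = plaintext_store(SAMPLE_USERS), hashed_store(SAMPLE_USERS)
    for email, pw in SAMPLE_USERS.items():
        print(email, "plaintext leaks:", dump_reveals_password(plain, email, pw),
              "| hashed leaks:", dump_reveals_password(hashed, email, pw),
              "| login still works:", verify_password(pw, hashed[email]))
```

Even with the hashed table in hand, an attacker is left guessing candidate passwords one slow scrypt computation at a time, which is why strong, unique passwords still matter.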
YouHodler Exposed Credit Card and Bank Account Numbers
TechCrunch reported this week that cryptocurrency lending platform YouHodler leaked unencrypted user credit card details and bank account information for almost a month after failing to secure one of its servers with a password. The exposed records contained credit card numbers, CVV numbers, and expiration dates, and in some cases included bank account and routing numbers, names, addresses, transaction details, and passport numbers.
The two security researchers who found the exposed database, Noam Rotem and Ran Locar, wrote in a blog post, “In addition to the direct theft and threats that are possible as a consequence of this leak, the amount of information included in the database makes stealing a user's identity a simple task.” It is unclear how many users were affected, but the researchers say that more than 86 million records were exposed.
Bloom: Take Back Control of Your Data
At Bloom, we are giving you the tools to take back control of your data. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Bloom enables you to own, control, and protect your data using the latest advancements in blockchain technology.
It’s time to take back control of your data and unlock the power of a secure, reusable identity today. Download the Bloom mobile app to build a cryptographically secure identity and get free data breach alerts with Radar!