Eighty-six million records from users across 35 countries were exposed in a massive database breach of a popular cryptocurrency platform.
Unencrypted full names, email addresses, phone numbers, birthdays, credit card numbers (including CVV numbers), passport and ID numbers, bank details and even crypto wallet addresses were exposed in the security breach.
Users in Australia, the US, Canada, the UK, France and Russia were among the 35 countries who may have been affected.
The security breach of YouHodler.com was uncovered earlier this week by Noam Rotem and Ran Locar from vpnMentor’s research team.
YouHodler has been informed and the breach has subsequently been closed.
Seriously lax security
Lisa Taylor from vpnMentor’s research team told Micky via email the breach was very serious.
“This leak allowed anyone in possession of the data to find the real identity of cryptocurrency owners and the amount they own – putting them at risks of being targeting by criminals,” she said.
The vpnMentor report on the breach notes the site simply wasn’t doing enough to protect sensitive information.
“Any platform that stores credit card data should be taking several security precautions,” the researchers wrote.
“With full, unencrypted credit card numbers, CVV numbers, expiration dates, and cardholder names, a bad actor would have complete control over a user’s credit card. Furthermore, having storing CVV numbers is a violation of the PCI regulations imposed by credit card companies. This could be used to run up fraudulent charges and as a means of authentication for other accounts that belong to the user.”
However, it is not known if any malicious actors have taken advantage of the security gaps.
What is a YouHodler anyway?
YouHodler is a crypto loan platform that enables users to swap crypto for cash instantly.
Users can take out instant crypto loans by putting up their crypto holdings as collateral (meaning you can hold on to your crypto and spend it at the same time).
The leak in YouHodler’s database was discovered as part of vpnMentor’s web mapping project, where researchers examine ports to find known IP blocks and holes in the system that indicate an open database.
They confirm the identity of a leak and trace the data back to its owner.
“With every leak we find, we contact the owner of the database to alert them to the vulnerabilities,” the researchers wrote. “If possible, we will also inform those affected by the breach. Our goal is to create a safer and more secure internet for all users.”
Potential security risks from the breach include identity theft, phishing attempts and being identified by tax authorities for non payment.
Users in countries that ban cryptocurrency entirely are also at risk with the researchers finding user details from Egypt, which has an explicit ban on crypto.