Data breach occurs on the blockchain identity platform Fractal ID

  • A tiny portion of user personal data was leaked after Fractal ID alerted operators to the presence of an attacker on their account.

A warning posted on Fractal ID’s website on July 17 states that the blockchain identity platform experienced a data breach on July 14.

The social media platform Lukso, the decentralized banking app Acala, the payment system Gnosis Pay, the proof of personhood project Polygon ID, and other Web3 applications are partners of the platform.

Fractal did not specify which partners, if any, were impacted by the incident in its announcement. The Gnosis Pay team reportedly sent emails to some users on X informing them about the vulnerability and cautioning them to “be cautious of unsolicited communications.”

According to Fractal, only about 0.5% of the Fractal ID user base was impacted by the breach.

The warning states that an operator’s account was compromised by an external third party, and that party used an API script that began at 5:14 AM UTC to obtain users’ personal data.

As soon as the team became aware of the incident, they acted to log the attacker off the system, which was done by 07:29 AM UTC. As a result, it appears that the attack lasted for two hours and fourteen minutes.

According to the warning, data from this specific operator was only saved in a small number of accounts—roughly 0.5% of all Fractal users’ accounts. The information that may have been compromised for those specific users includes names, phone numbers, email addresses, wallet addresses, physical addresses, photographs, and screenshots of documents that have been posted.

Fractal stated that because the breach was contained to [Fractal’s] environment, it had no effect on the systems or products of its clients. Nevertheless, the notification advised impacted users to exercise caution when responding to unsolicited requests for further personal data.

An email purportedly addressed to a few Gnosis Pay subscribers was captured on camera, according to Web3 developer Paulo Fonseca. The email said that the Gnosis Pay team was notified of a data breach that occurred on Sunday, July 14, 2024, at 7:30 PM CET by our Know Your Customer (KYC) service provider Fractal ID.

It said that the information in the email was not included in the data that was accessed. Nevertheless, it forewarned the user to exercise caution when responding to unwanted requests for further personal data.

Most legal jurisdictions require cryptocurrency exchanges and payment processors to keep know-your-customer (KYC) data on file for each client they serve. This data may include images of users’ identity documents, names, physical addresses, emails, and other private information. Proponents of KYC regulations contend that the process is required to stop money laundering, while detractors argue that it increases the possibility of personal data leaks.

Crypto ID provider Autix10 revealed on June 27 that its admin credentials had been disclosed on the internet. However, it didn’t seem like the attacker in this instance had any real consumer data. The phone numbers of users of the 2-factor authentication service Authy were exposed due to a data breach that occurred on July 3.


Author: Puskar Pande
