Crypto lending platform may have leaked personal data
Everything from names to credit card details may be in the wild
To be filed in the “How Not To Start A Business” section, a cryptocurrency lending startup apparently left a server unprotected, potentially exposing its customer data – all of it. Security researchers from vpnMentor found the flaw on the YouHodler platform while scanning for exposed ports and report in a blog post that a “huge amount of data” may have been leaked.
According to the blog post, “The breach exposed a huge amount of data. There were over 86 million records that included users’ full names, email addresses, addresses, phone numbers, birthdays, credit card numbers, CVV numbers, full bank details, and in some cases crypto wallet addresses. The implications of this breach are extensive.”
Making things worse, all of the data was stored in the clear. With no encryption at rest, anyone who reached the database could read and use the records immediately, with nothing to decrypt. A name combined with a credit card number and its CVV is more than enough to wreak havoc on a person’s finances or credit score.
vpnMentor adds, “The nature of the data that leaked from You Hodler’s database could have serious consequences. Any platform that stores credit card data should be taking several security precautions. If YouHodler only stored the BIN and last four digits of user credit cards, there wouldn’t be as much of an impact in this regard.
“However, with full, unencrypted credit card numbers, CVV numbers, expiration dates, and cardholder names, a bad actor would have complete control over a user’s credit card. Furthermore, storing CVV numbers is a violation of the PCI regulations imposed by credit card companies. This could be used to run up fraudulent charges and as a means of authentication for other accounts that belong to the user.”
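The quoted advice, keep only the BIN and last four digits and never persist the CVV, is straightforward to enforce in code. The following is an added example, not code from YouHodler or vpnMentor, showing a record type that has no place to put a full PAN or CVV, a function that reduces a raw checkout form to that record after a Luhn check, and (going one step beyond the quote) a redactor that masks anything PAN-shaped before it reaches a log line or error message, since logs are a common second copy of the very data a database was supposed to protect. The field names, the form layout and the sample card numbers are assumptions made for the example; the card numbers are industry test numbers, not real accounts.

```python
"""Added example: store only BIN + last four, never the CVV, and scrub PANs from logs.

Not YouHodler's or vpnMentor's code. Form keys (pan, exp_month, exp_year,
holder, cvv) and the StoredCard layout are assumptions for illustration.
Note: the full PAN still passes through this process transiently, so the
system stays in PCI DSS scope; this only limits what is retained at rest.
"""
import re
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Mod-10 check: rejects most typos and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredCard:
    """What the merchant's own database may hold for a card on file."""
    bin: str          # first six digits, identifies the issuer
    last4: str        # enough for the customer to recognise the card
    exp_month: int
    exp_year: int
    holder: str
    # Deliberately no field for the full PAN or the CVV: the type itself
    # makes it impossible to persist them by accident.


def to_stored_card(form: dict) -> StoredCard:
    """Reduce a raw checkout form (constructed input) to the storable subset.

    The full PAN is used only for validation here (in practice it is then
    forwarded to the payment processor); the CVV key is never read at all.
    """
    pan = re.sub(r"\D", "", form["pan"])
    if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
        raise ValueError("card number failed length/Luhn check")
    return StoredCard(
        bin=pan[:6],
        last4=pan[-4:],
        exp_month=int(form["exp_month"]),
        exp_year=int(form["exp_year"]),
        holder=form["holder"].strip(),
    )


# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# "cvv=123", "CVC: 4567" and similar key/value fragments.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc)\s*[=:]\s*\d{3,4}")


def redact_pans(text: str) -> str:
    """Mask PAN-shaped numbers that pass Luhn, and blank CVV values, in text
    bound for a log or error message. Non-Luhn digit runs (order IDs,
    phone numbers) are left untouched to limit false positives."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

    text = PAN_RE.sub(mask, text)
    return CVV_RE.sub(lambda m: m.group(1) + "=***", text)


if __name__ == "__main__":
    # Constructed sample form using a public test card number.
    form = {"pan": "5555-5555-5555-4444", "exp_month": "12",
            "exp_year": "2027", "holder": " J Doe ", "cvv": "999"}
    print(to_stored_card(form))
    print(redact_pans("checkout ok pan=4111 1111 1111 1111 cvv=123"))
```

The record type doing the enforcement is the important design choice: a column-level policy can be bypassed by the next developer who adds a field, whereas a data class with no PAN or CVV attribute cannot be persisted with them without a visible code change. The redactor errs toward leaving non-Luhn digit runs alone; if a service logs enough free text that false negatives matter more than noise, drop the Luhn gate and mask every 13-19 digit run.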
The security firm contacted YouHodler on July 22 and the company closed the hole within 24 hours. However, it isn’t known whether any data was stolen before the fix was applied, or whether any of its reported 3,500 customers are at risk.