Blockchain identity platform Fractal ID has published a postmortem outlining the data breach that the company suffered on July 14. The breach has since been traced back to a 2022 incident where an employee reused a compromised password.

According to Fractal ID, the compromised account belonged to an operator with the platform for three years and had admin rights. This allowed the attacker to bypass internal data privacy systems, though system monitoring helped lock out the attacker within 29 minutes.

Root cause of the breach

The operator’s failure to follow operational security policies and training, along with the reuse of credentials from past hacks, facilitated the breach.

On July 14, 2024, the crypto identity verification provider detected unusual activity in one of its back offices. This activity was quickly identified as a malicious attack, leading to data exfiltration for approximately 0.5% of its user base.

However, Fractal ID noted in the postmortem report that it disabled all accounts in the compromised system in response and limited access to senior employees. The company also prioritized enhancing its security measures to prevent future incidents, such as implementing request throttling, finer-grained authorization, tighter monitoring of failed authentication attempts, and stricter IP control.

Related: New ‘overlay attacks’ are a growing threat to crypto users — security CEO

In addition to internal efforts, Fractal ID contacted the pertinent data protection authorities and the cybercrime police division in Berlin. The company has also engaged with cybersecurity services to monitor for any potential distribution of stolen data on known data breach sites.

Data breach impact

According to the report, the stolen data, which affected around 6,300 users, includes various levels of information, from proof-of-personhood checks to complete KYC checks. This data may include names, email addresses, phone numbers, wallet addresses, physical addresses, and images of uploaded documents. Fractal ID also contacted affected users directly to inform them of the breach.

Fractal ID co-founders Julian, Julio, Lluis, and Anna expressed regret over the incident and emphasized their commitment to protecting user data. They reiterated the company’s goal of moving toward a self-custody storage system to enhance data security.

This security lapse serves as a stark reminder of the difficulties in safeguarding data. Autix10, a crypto ID provider, revealed on June 27 that their online administrative login details were exposed. However, in this instance, the attacker seemingly did not gain access to any customer data.

Magazine: Crypto-Sec: Evolve Bank suffers data breach, Turbo Toad enthusiast loses $3.6K