BTC dominance: 52.52% • ETH Gas: 13 / 13 / 16
RecentCoin RecentCoin
New coins deployed last 24h: +0
Web3 KYC vendor Fractal ID loses over 50k users’ passport info in data breach

Web3 KYC vendor Fractal ID loses over 50k users’ passport info in data breach

full version at cryptoslate

Fractal ID, a digital identity verification service provider, disclosed a data breach affecting approximately 0.5% of its user base—according to the company’s website and X profile, this could be over 50,000 users.

The compromised API includes sensitive user information such as names, email addresses, wallet addresses, phone numbers, physical addresses, and images of uploaded KYC documents.

Fractal is used by web3 projects, including Polygon ID, Ripple, XRP Ledger, Avalanche, Gnosis, Near, Aurora, Acala, Polymath, BNB Chain, Lukso, Aleph Zero, and Arbitrum Foundation.

The company reported that the incident occurred on July 14, 2024, when an unauthorized third party accessed an operator’s account and executed an API script to extract users’ personal information. The breach began at 05:14 A.M. UTC and lasted just over two hours.

The company stated it has taken immediate action to mitigate the breach’s impact and implemented additional security measures. Fractal ID also reported the incident to relevant data protection authorities and the cybercrime police division.

In response to the breach, Fractal ID emphasized that the incident was contained within their environment and did not affect their clients’ systems or products utilizing their services. However, the company advised affected users to be cautious of unsolicited communications requesting personal information, as breached data could be shared with third parties or used for commercial purposes.

Fractal ID’s approach to addressing the breach involved first contacting affected users, followed by impacted clients, before making a public announcement.

The incident has drawn criticism from some members of the crypto community. Blockchain investigator ZachXBT questioned the company’s ability to secure user data and suggested that teams using Fractal ID’s product should consider alternatives.

Potential impact of the breach

The company’s website claims its product removes the “risks of centralized platforms,” which raises questions about the nature of Fractal’s decentralization. Fractal states its mission is rooted in “true ownership of data,”

“We believe that Decentralized Identity is the key to revolutionizing how individuals engage with the web, enabling true ownership of data and the power to selectively share it.”

Fractal ID website
Fractal ID website

However, a review of the company’s developer documentation appears to show that all user information is accessible via a single API call. Once a user authorizes an application to access their data, it does not seem that this permission is required again for subsequent data requests.

Thus, it’s hard to see how the user has sovereignty and ownership of the data. A centralized endpoint was accessible to an attacker, leading to the loss of the most sensitive user data without any messages signed by users’ private keys.

Thousands of users’ identity information, such as passport and driving license scans, were stolen in the breach without being “selectively shared” by the owners. The scope of the damage this breach could cause is extensive.

The most sensitive stolen data could be used to create fraudulent accounts, seed phishing attacks, attempt to breach existing accounts, or even broader identity theft.

With access to names, email addresses, and wallet addresses, bad actors might craft convincing impersonation schemes or launch sophisticated social engineering attacks.

Physical addresses could be used for real-world stalking, harassment, or worse, with reports of home invasions targeting crypto professionals on the rise. Compromised wallet addresses might be used to track transaction histories or target high-value accounts.

While the ‘decentralized’ aspect of Fractal’s user data remains in question, one clear web3 element of the company, the price of its token (FCL), has been marginally affected, down 2.9%. With less than $3,000 in 24-hour trading volume and a market cap of $144,037, the token has fallen 43% year-to-date.

Users affected by this breach should remain vigilant, monitor their accounts closely, and consider updating their security measures across various online services to mitigate potential risks.

The post Web3 KYC vendor Fractal ID loses over 50k users’ passport info in data breach appeared first on CryptoSlate.

DeBank.com spLP profile by cryptoslate

Recent Crypto News

Ethereum and Cardano Founders Clash Over Pro-Crypto Political Support
Ethereum and Cardano Founders Clash Over Pro-Crypto Political Support
Added 13 minutes, 29 seconds ago by en.coinotag
XRP Whales Buy The Dip With 139M Accumulated From Major Exchanges
XRP Whales Buy The Dip With 139M Accumulated From Major Exchanges
Added 13 minutes, 30 seconds ago by coingape
XRP Surges 45%: Can the Altcoin Sustain Its Recent Bullish Momentum?
XRP Surges 45%: Can the Altcoin Sustain Its Recent Bullish Momentum?
Added 13 minutes, 32 seconds ago by en.coinotag
Spot Ethereum ETF Launch Sparks Optimism, Leaves Solana ETF Approval Uncertain
Spot Ethereum ETF Launch Sparks Optimism, Leaves Solana ETF Approval Uncertain
Added 13 minutes, 33 seconds ago by en.coinotag
The Road Ahead for Agoric: Innovations in Orchestration and the Path to Mass Adoption
The Road Ahead for Agoric: Innovations in Orchestration and the Path to Mass Adoption
Added 28 minutes, 9 seconds ago by coingape
Artist Brendan Murphy Launching Bitcoin 'Spacemen' via Ordinals
Artist Brendan Murphy Launching Bitcoin 'Spacemen' via Ordinals
Added 28 minutes, 10 seconds ago by decrypt.co

Recent conversions

250000 CRO to CZK 0.00067 ETH to CHF 2 BNB to CAD 2 SOL to CHF 6 BNB to CZK 90000 PKR to EUR 1 BTC to IDR 0.0224 BTC to NOK 0.0033 BTC to USD 523 BTC to GBP 90 ETH to USD