The bitcoin and cryptocurrency community, fiercely protective of its privacy, has been rocked by a massive data breach that’s seen the personal information of over 270,000 bitcoin and cryptocurrency users published online.
The data, stolen from popular France-based bitcoin and cryptocurrency hardware wallet Ledger in a July hack, was last week published on RaidForums, a marketplace for buying, selling, and sharing hacked information.
Many bitcoin and cryptocurrency investors have since been subject to a barrage of phishing attempts with scammers using the data to try to trick users into handing over the keys to their bitcoin and crypto wallets—revealing bitcoin’s greatest weakness is the companies that help people store and trade it.
The hacked data includes customer email addresses, full names, phone numbers and postal addresses, according to Ledger. A vulnerability on the Ledger website allowed a “unauthorized third party” to access the company’s e-commerce and marketing database before it was spotted by a researcher participating in Ledger’s bounty program.
“End financial surveillance. Stop forcing companies to collect hackable jackpots of know-your-customer (KYC) data,” Balaji Srinivasan, technology angel investor and former chief technology officer at U.S. bitcoin and crypto exchange Coinbase, said via Twitter in the aftermath of the data dump, adding: “Privacy [is greater than] KYC.”
Regulations and tax requirements require companies to store certain information on their customers, often for many years. And while further regulation, such as the European Union’s General Data Protection Regulation (GDPR), is designed to protect user data, mistakes and vulnerabilities are inevitable.
“The combination of insecure centralized databases and current KYC laws sets up a situation where millions of people are predictably victimized by hackers to (maybe) prevent a few crimes,” Srinivasan tweeted.
Some of Ledger’s customers have received emails from scammers that include their name and address, threatening them unless they pay a ransom.
Phishing attacks and ransom demands have long plagued the bitcoin and cryptocurrency world, rising and falling in severity along with the volatile bitcoin price. Ledger, along with many other financial and technology companies, has tried to educate its users and the public about phishing attacks—but when people are involved, there will always be risk.
“[People] are definitely one of the weak links,” Ruben Merre, the chief executive of bitcoin and crypto hardware wallet company NGrave, said via email.
“They are an easy way into companies, through a targeted spear-phishing attack, one can isolate someone out, hack that person, and then from there get access to company systems. It is actually how most of the historic big security breaches occur. For example, a small vendor that has a huge platform as a customer might be the perfect entry point for a massive data breach.”
Earlier this year, social network Twitter was hit by a spear-phishing attack that allowed three men, two of them teenagers, to take control of the accounts of major public figures and corporations, including Joe Biden, Elon Musk, and Apple
While bitcoin’s decentralized nature means there isn’t company or organization that can be targeted directly, centralized cryptocurrency exchanges, wallet providers, and other digital platforms will always be bitcoin’s greatest weakness.