Skip to content

BlockFi privacy violations can allow criminals to blackmail wealthy customers

May 19, 2020

BlockFi, a crypto loan provider, He reported Tuesday that he had suffered a data breach that could put some of his customers in physical danger.

According to his incident report, some of the company’s customer data is They were raped by swapping a SIM card for one of their employees.

Attackers successfully stole the email account and phone number used to verify the employee accountwhich enabled them to access BlockFi records.

BlockFi privacy violations can allow criminals to blackmail wealthy customers
BlockFi privacy violations can allow criminals to blackmail wealthy customers

SIM swap attacks are the result of security vulnerabilities in network operators and are generally carried out by conspirators with access to telephone network devices, although external intrusion techniques are also possible. This type of attack has been the cause of several thefts from high profile exchanges, but they generally target customers themselves.

The attackers supposedly They tried to withdraw money directly from customers, but the attempts were unsuccessful. BlockFi says.

However, The attackers had full access to the customer data used in the BlockFi marketing effort.

The company emphasized this “Non-public identifying information” has not been leakedThis would include bank account numbers, passwords, or social security numbers.

However, hackers were given access to full customer names, email addresses, and birth dates especially the activity information and physical addresses.

Can victims be blackmailed physically?

BlockFi states that customers in BlockFi are not a threat to funds, and writes, “Due to the nature of the information leaked, we do not believe there is an immediate risk to BlockFi customers or corporate funds.” .

However, Address and activity data can expose users to extortion and physical theft.

BlockFi did not disclose the type of activity data contained in these databases and declined to respond to Cointelegraph’s request referring to the full report of the incident.

An unidentified spokesman only added, “We have received no further indication that an unauthorized third party has changed the information that is being accessed at the time.”

However, it is easy to believe that by simply reading the activity data, attackers know the size of the customer account and the promise of guarantees. This type of data is critical to any targeted marketing campaign.

In addition, BlockFi’s privacy policy expressly states that this information is available for marketing purposes:

“We may use your personal information and information about how you use our services to send you advertising and other information. We may also use your personal information to carry out analyzes regarding your use of our services and products and the effectiveness of our marketing initiatives. “

The link between the home address, customer activity on the platform, and their credentials could allow criminals to target the victims of this attack to extort money from their cryptocurrencies.

This type of theft is not unknown, as a Singapore man was reportedly kidnapped and forced to transfer the cryptocurrencies he owned in January.

Similar cases were reported in 2017, particularly the kidnapping of the director of the Exmo crypto exchange in Ukraine. India has also been reported to have had several such cases this year.

The case of anonymous funding

A core Ethereum developer took the opportunity praise the anonymity of decentralized blockchain-based funding, saying: “Will critics finally start to understand the DeFi point on Ethereum?”

While DeFi carries other risks, the consequences of data breaches on centralized platforms that contain Know Your Customer data can be catastrophic.