According to a report by an online monitoring web portal, Under the Breach, a hacker was able to penetrate the privacy protocols of major firms such as Trezor, Ledger and Bnktothefuture on May 24 and walk away with a host of sensitive customer data, including email addresses, home addresses and phone numbers.
The documents posted by Under the Breach claimed that the hacker was in possession of three large databases that allegedly contained the details of more than 80,000 customers. In this regard, it was also rumored that the hacker was able to procure the above-stated information via an exploit that was linked to Shopify, an e-commerce firm that provides its services to a number of major crypto firms.
It now appears as though this so-called data breach has been a major false-flag, since many of the companies linked with the hack have come forth to say that Under the Breach’s claims are not grounded in any factual evidence. For example, a spokesperson for Shopify told Cointelegraph: “We have investigated these claims and found no evidence to substantiate them, and no evidence of any compromise of Shopify’s systems.”
Similarly, Ledger’s security team moved to allay customer fears that their funds may potentially be in jeopardy. The firm released a detailed blog post stating that the rumor about the leaked customer data being from Ledger’s e-shop was a hoax and that the company’s security team had investigated the sample data and confirmed that it did not match its native client information.
Lastly, in addressing concerns regarding the hacker’s claim that they were able to gain access to Ledger’s client database through a 2016 Shopify exploit, the hardware wallet manufacturer’s security team stated that while Ledger currently employs Shopify as a third-party provider for its e-commerce operations, the same was not the case back in 2016.
Companies debunk the breach
To get a better overview of all that transpired since the hacking rumor went viral online, Cointelegraph reached out to Matthieu Riou, chief technical officer and co-founder of BlockCypher, a cloud-optimized platform powering blockchain applications that allegedly had its data compromised. Riou claimed that after performing a thorough analysis of the matter, his team reached a conclusion that the leak in question was more than four years old and is simply being recirculated. He further clarified:
“For example the number of records as reported by the hacker (2358 users) is particularly telling. We thankfully now have quite a few more users than that. But this number is consistent with a March 2016 data leak we had on an older system and acknowledged at the time.”
Not only that, Riou also pointed out that since the 2016 leak, his firm’s developer team has completely rewritten its user and API token management web application from scratch — as a result of which, users have had to re-register on the new platform with a different password. He added: “We’ve now been running on the new improved platform for several years and have had no issues. We can’t speak as to the severity or recentness of the data dumps originating from other firms.”
This sentiment was echoed by Peter Vecchiarelli, operations manager for Augur, a decentralized betting protocol that the hacker claimed to have compromised and stolen customer data from. Vecchiarelli stated that the “leaked” list associated with Augur was the same one allegedly acquired by hackers back in 2016. He pointed out that upon conducting a cross-reference test, his team found that the leaked list did not match any of Augur’s private email lists for marketing or crowd sale, and was merely a downloaded list of all the individuals who had set their email addresses to “publicly viewable” from a previous Slack channel operated by the company.
Lastly, Marek Palatinus, CEO of SatoshiLabs — the company behind Trezor’s various hardware wallets — told Cointelegraph that it is important for people to understand that the “data breach is not legit” and consists primarily of information that is fabricated. For example, he pointed out that Trezor’s e-shop does not run on Shopify and that the firm makes use of a niche anonymization protocol to minimize the impact of potential data breaches such as this one. Furthermore, Palatinus stated:
“Even if the data was leaked from any of the mentioned party e-shops, the hardware wallet secret keys were not exposed, therefore the hacker or any other potential person that gets hold of the database won’t get access to your secret keys stored on a hardware wallet. Trezor does not collect any data from your hardware wallet or Trezor Wallet app.”
Crypto exchanges rubbish hack claims
Another aspect of this recent data breach is that the hacker claimed to have obtained a host of customer information from prominent crypto exchanges and investment platforms such as Coinigy, BitSo and Plutus.
Cointelegraph spoke with Coinigy co-founder William Kehl, who stated that one of Coinigy’s third-party Stripe accounts was compromised back in 2016, and as a result, an attacker was able to access info related to more than 500 customers. This data included the last four digits of customers’ credit card numbers, their names and their addresses along with associated emails. However, as part of the above-stated breach, Kehl maintains that none of Coinigy’s internal databases — including user accounts, passwords or API keys — were compromised. He added:
“We were immediately alerted to the incident when it occurred, and we immediately locked these accounts and our entire platform down, required all users to perform a complete security audit including but not limited to new passwords and API keys before they were able to log back into the platform. Again, what you see offered by the ‘hacker’ was not acquired from our database, but through gaining momentary access to some third party services we used.”
Similarly, addressing the rumors surrounding the hack, a spokesperson for Mexican cryptocurrency exchange Bitso told Cointelegraph that having investigated this alleged threat, the company’s security team has not found anything out of the ordinary. He added:
“We activated the pre-established protocols to review this potential event, and we will be informing users. At this time, we have not found evidence that a third party has sufficient information to access our customers’ accounts.”
The same thoughts were mirrored by David Morrison, community manager for Plutus, a crypto-fintech firm. Morrison stated that after having investigated several possible attack vectors, his company’s security team was not able to find any evidence of a hacking attempt. He said, “So far we have not found any solid evidence of successful hacking attempts. Regardless, we are taking all precautions possible and informing our customers appropriately.”
Jumping the gun
On May 19, BlockFi reported a data breach that arose from a SIM-swap attack, which exposed customer data held by the company, such as full names, email addresses, dates of birth and physical addresses. Etana, a custody firm that services the crypto exchange Kraken, also fell victim to a similar data breach last month.
While customer funds were reportedly not affected in any way in the aforementioned cases, whenever a story about some platform being compromised surfaces, people tend to jump to the worst conclusion right away.