Cryptocurrency investing, trading, and management platform ‘BuyUcoin’ has blundered hugely, as they failed to secure their MongoDB instance properly and had 6 GB of sensitive user details exfiltrated by hackers. In total, 350,000 cryptocurrency holders have had their full names, IFSC codes, bank account numbers, PAN numbers, email addresses, KYC details, phone numbers, wallet details, and deposit history exposed.
Weirdly, this trove of data is currently being shared on the dark web for free, so a large number of malicious actors are engaging in its exploitation.
We have received the tip about this from independent security researcher Rajshekhar Rajaharia, who told us that the database was actually containing three monthly backups, ranging from June to September 2020. Thus, if you have registered to the platform at a later date, chances are you aren’t affected by this incident. For those who are, though, the implications are quite dire, as the database contains everything a malicious actor could have possibly asked for.
BuyUcoin has chosen not to disclose the data breach that resulted in this exposure, either because they didn’t realize they had a security breach or because they aren’t obliged by any laws in India (where they’re based) to disclose such events publicly. Either way, this was far from the ideal response to the incident, as people had the right to know about such a severe exposure as soon as possible.
The implications range from “simple” scamming attacks and phishing attempts to falling victim to banking fraud and impersonation actors. As for the cryptocurrency assets, this is a blurry area right now. The passwords in the database were encrypted, but we don’t know if BuyUcoin used a strong algorithm. Also, having your wallet details leaked isn’t good for security, no matter how you see it.
And as for the reason why this database is being shared for free, even though it contains such valuable information, this may have various explanations. Most likely, though, it is done by hackers who want to punish companies that choose not to disclose grave security incidents to their userbase and act unethically - even after being warned by the hackers that taking that path is futile.
Oftentimes, the ethical compass of the hackers who perform the breach is what eventually compels them to share the incident with the rest of the world, smashing the stereotype that hunts them while destroying people’s trust in the affected company.