Someone is selling a database allegedly belonging to Paxful.com, containing 4.8 million user and employee data. According to the seller, the data was obtained this month, so it’s fresh and contains full names, dates of birth, gender, physical address, email address, phone numbers, and passwords. The price was set to 1 BTC ($58,500), but the seller is open to negotiating it. The sample posted in the listing exposes employees, giving away email addresses, full names, OS and browser details, IP addresses, and hashed passwords.
Paxful.com is a peer-to-peer cryptocurrency trading platform that allows people to buy and sell Bitcoin, Tether, Ethereum, Litecoin, and many more cryptocoins with over 300 payment methods. The platform is very popular, and it operates within a legit and safe context. What this means is that to engage in trading on Paxful, one has to provide “know your customer” documents, typically national IDs, proof of residence, etc. If the actors have these details in their hands as they claim, the consequences for the exposed individuals would be catastrophic.
We don’t know if the sample consists of valid information or if the seller is indeed holding user data, and Paxful hasn’t made any announcements about the sample leak yet. We have reached out to them, and we will update this post as soon as we have a comment or official statement from the platform.
At the time of writing this piece, the trading platform's status is operational, so there are no interruptions in the critical functions of the site. Also, there seem to be no outages announced since the start of the month, so if a data breach indeed took place, it was either stealthy or not damaging enough to affect trading operations.
In December 2020, someone attempted to sell verified Paxful accounts via a private Telegram group. A year before, in December 2019, another user on the same forum shared roughly 300,000 Paxful account credentials for free. Unconfirmed reports from back then claimed that some users lost money due to brute-forcing with the actors somehow disabling their 2FA. As such, Paxful has had its fair share of security incidents, although we should point out that none was ever officially confirmed.
Update April 10, 2021 - Paxful has answered to our request for a comment with the following statement: