vpnMentor’s research team found a data breach from YouHodler, a cryptocurrency lending platform.

Led by Noam Rotem and Ran Locar, our research team discovered a database leak in YouHodler’s system.

The platform makes it easy for users to request crypto-loans or to convert their crypto-holdings to fiat currencies.

Report: YouHodler Breach Exposes Data for Thousands of Cryptocurrency Users

The breach exposed a huge amount of data.

We contacted YouHodler on July 22.

YouHodler responded on July 23 and subsequently closed the breach.

Users can also take out cryptocurrency loans by putting up their current crypto-holdings as collateral.

According to the YouHodler website, they’ve processed more than $10 million in transactions for 3500 customers.

YouHodler’s user base spans more than 35 countries globally.

Some of the countries affected include the United States, Canada, the UK, France, and Russia.

Furthermore, these numbers were entirely unencrypted.

However, the rest of the user’s card data was easy to find.

It was a small leap from the first example to find the remainder of this user’s card data.

This includes their account number, SWIFT code, and the bank’s address as well.

The data for this user was even more extensive, however.

It was simple to link the account above to the Bitcoin wallet address.

YouHodler does store password data, but uses a SHA-256 hash.

This is a robust encryption algorithm that is difficult to break.

We also see the user’s email address here, which was present in a variety of different logs.

This particular record indicates that the user comes from Egypt.

This log shows that YouHodler is also storing customer phone numbers.

This links a single user with all of their crypto-wallets.

Furthermore, storing CVV numbers is a violation of the PCI regulations imposed by credit card companies.

Thieves would have more cause to target users who have a more significant sum in their crypto-holdings.

They could also use the bank information present to choose wealthy targets for a variety of in-person attacks.

A breach of this sort also makes it easier to track users who use their crypto-holdings for illegal activities.

Many hide behind the anonymity of crypto and the dark web to commit crimes.

A lot of identity verification questions can be answered from the leaked data.

Since some sort of passport or ID number was also present, it’s also possible to forge official documents.

Ran and Noam conduct port examinations to detect recognized IP blocks.

Upon identifying these IP blocks, they scrutinize the system for any vulnerabilities that could reveal an unsecured database.

Our research team could have downloaded and sold the data exposed in this breach for massive personal gain.

However, as ethical hackers and researchers, we believe that benefiting from a data breach is unethical.

That’s why we notify the database’s owner and, where possible, the people who have been affected.

Our goal with this project is to create a safer and more secure internet for all users.

About Us and Previous Reports

vpnMentor is the world’s largest VPN review website.

We recently discovered a massive data breach impacting 78 thousand patients taking Vascepa.
