Cybersecurity Researcher, Jeremiah Fowler, has recently reported a discovery of a non password-protected database to WebsitePlanet that contained records relating to a cryptocurrency sales platform. The records included customer names, bank account numbers, purchase and sales records, and more.
Upon further research I identified that the database belonged to Fiatusdt.com that provides an online exchange currency platform for buying and selling cryptocurrency. A responsible disclosure notice was immediately sent to the company and the database was correspondingly secured from public access.
According to Fiatusdt.com’s website: An online currency exchange, or electronic forex exchange, is an internet-based platform that facilitates the exchange of currencies between countries. Like their physical counterparts, online currency exchanges make money by charging a nominal fee and/or through the bid-ask spread in a currency.
Cryptocurrency has been in the news recently although not for entirely positive reasons. There is always an inherent risk involved when data is exchanged, collected, or stored online. In this discovery I found unencrypted highly sensitive data that was accessible to anyone with an internet connection. Crypto investors and traders enjoy no concrete regulatory rules or oversight, but that also means there is no singularly accepted industry standard when it comes to data security measures for cryptocurrency.
What the database contained:
Large number of screenshots marked as “Chat Messages” showing images and screenshots of deposits and withdraw amounts. These included bank transfer records that identified the customer’s name, account number, email, phone, and other sensitive information.
Know Your Customer (KYC) compliance records and identification images. I viewed an estimated 20,000 passports or identity card images.
The records also showed a transaction hash/ID (often abbreviated as tx hash or txn hash) – this number is confirmation code that the transaction is valid and has been added to the blockchain.
Wallet addresses for transactions were exposed. Criminals could target individuals to obtain their private or secret key and once they obtain this key, it would be possible to steal their cryptocurrency.
I was unable to provide an estimate of the total number of records exposed. The database had limited security settings that exposed images and other documents publicly but would not allow indexing of the total document count.
Risks arising from exposed KYC information:
KYC (Know Your Customer) is a standard process to verify customers. These records are highly sensitive pieces of information that prove the identity of an individual customer, such as a government issued identification card or a passport. This information is required by nearly all payment processors, banks, and other financial institutions. KYC procedures are now an integral part of risk and compliance teams globally, to identify potential indicators of financial crime, money laundering, and other criminal activities.
In a random sampling of records, I identified customer ID documents from all over the world, with a majority from the Asia Pacific Region. I identified documents from Malaysia, India, Australia, Indonesia, China, Oman and Singapore, among others.
Most cyber crimes are financially motivated, and the more information that criminals can learn about potential victims, the more dangerous it becomes. Therefore, the security of ancillary data accompanying the sale and purchase of cryptocurrency (such as KYC information) raises a cause for concern. Should malicious actors have discovered the exposed information, it may possibly fuel illicit activities and fraud, with potentially devastating results for individuals exposed. I have no way of knowing if the compromised records were accessed or used and only highlight the potential risks of this exposure.
The practice of storing website images and sensitive documents all in the same database is a major security vulnerability. In simple terms, never put all of your eggs in one basket. Anyone with an internet connection could see the page source and see where the images are stored. In this case,the AWS storage name and address was misconfigured to allow public access. The configuration settings and data exposure were not the fault of AWS. In this case, the database exposure could have been avoided by not leaving a system which doesn’t require authentication open to the internet.
Crypto Exchange Risks
A crypto exchange is a platform where users buy and sell digital assets. Crypto exchanges provide users with services that can include managing user accounts and their private keys. Every platform is slightly different but one thing that remains the same is that customer and exchange wallets will always be targets for hackers. Most deposits in a traditional bank account are protected at some level, or have state sponsored insurance plans to protect against loss or theft. At present however, there are no government regulations to support financial claims of investors if in the event cryptocurrency deposits are stolen from an exchange.
Crypto itself is not free of risks
Crypto crime continues to rise despite the dramatic decrease in value of most major cryptocurrencies last year and the FTX exchange meltdown damaging investor trust. According to Chainalysis, in 2021, criminals stole a record USD $3.2 billion in cryptocurrency directly from their victims. This means they took the funds directly from their accounts, wallet, or the exchange. Fraudulent scams far outnumber the direct theft of cryptocurrency and present a very serious risk to crypto buyers and sellers. The same report estimates a massive USD $7.8 billion in cryptocurrency was stolen from victims through various scams. Decentralized finance (or DeFi) creates opportunities for criminals and, in some instances, even nationstates to try and steal cryptocurrency, no matter where they are located in the world.
For the most part, blockchain is relatively safe. Although extremely difficult, it theoretically can be hacked. That said, the average investor or individual is more at risk of being scammed out of their cryptocurrency than ever being hacked. Therefore, cryptocurrency exchanges have a massive responsibility to prevent vulnerabilities or security lapses during the process of buying and selling that could expose the personal data of the investor. In this case, I could see that sensitive information exposed by a crypto exchange service or platform could identify individuals and make them a potential target for cyber criminals, through no fault of these crypto exchange users. No hacking is needed when sensitive data is publicly exposed.
Hackers in the past have targeted exchanges to try and identify wallet data, passwords and other information on their server. This is why weak security is such a massive risk to cryptocurrency owners and exchanges alike. As long as there is financial gain, cyber criminals will try to get access to cryptocurrency wallets and access exchange accounts to steal crypto.
Discovery of Breach and Disclaimer:
This exposed database was discovered as part of a web-mapping process.
We imply no wrongdoing on the part of Fiatusdt, or any of their affiliates, that their customers or investors are in imminent danger of cybercrime. The presentation of material throughout this article does not imply the expression of any opinion whatsoever on our part concerning the legal ramifications of the data incident highlighted. We publish our findings for educational purposes to raise awareness of data incidents, and to highlight data security and best practices in cyber hygiene.
As an ethical security researcher, I never download or extract the data or information I discover. I was only able to review a limited sample of records and this report is based on what I saw in those records. It is unclear the total number of records exposed and who else may have had access to these records, while they were exposed.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.