Cryptocurrency Exchange Exposed Sensitive Customer Records Online


Jeremiah Fowler
Cybersecurity researcher Jeremiah Fowler recently reported to WebsitePlanet the discovery of a non-password-protected database that contained records relating to a cryptocurrency sales platform. The records included customer names, bank account numbers, purchase and sales records, and more.

Upon further research, I identified that the database belonged to Fiatusdt.com, which provides an online currency exchange platform for buying and selling cryptocurrency. A responsible disclosure notice was immediately sent to the company and the database was correspondingly secured from public access.

According to Fiatusdt.com’s website: An online currency exchange, or electronic forex exchange, is an internet-based platform that facilitates the exchange of currencies between countries. Like their physical counterparts, online currency exchanges make money by charging a nominal fee and/or through the bid-ask spread in a currency.

Cryptocurrency has been in the news recently although not for entirely positive reasons. There is always an inherent risk involved when data is exchanged, collected, or stored online. In this discovery I found unencrypted highly sensitive data that was accessible to anyone with an internet connection. Crypto investors and traders enjoy no concrete regulatory rules or oversight, but that also means there is no singularly accepted industry standard when it comes to data security measures for cryptocurrency.

What the database contained:

  • Large number of screenshots marked as “Chat Messages” showing images and screenshots of deposit and withdrawal amounts. These included bank transfer records that identified the customer’s name, account number, email, phone, and other sensitive information.
  • Know Your Customer (KYC) compliance records and identification images. I viewed an estimated 20,000 passports or identity card images.
  • The records also showed a transaction hash/ID (often abbreviated as tx hash or txn hash) – this number is a confirmation code that the transaction is valid and has been added to the blockchain.
  • Wallet addresses for transactions were exposed. Criminals could target individuals to obtain their private or secret key and once they obtain this key, it would be possible to steal their cryptocurrency.
  • I was unable to provide an estimate of the total number of records exposed. The database had limited security settings that exposed images and other documents publicly but would not allow indexing of the total document count.
This image shows the folders that were publicly exposed.
  1. Risks arising from exposed KYC information:
KYC (Know Your Customer) is a standard process to verify customers. These records are highly sensitive pieces of information that prove the identity of an individual customer, such as a government issued identification card or a passport. This information is required by nearly all payment processors, banks, and other financial institutions. KYC procedures are now an integral part of risk and compliance teams globally, to identify potential indicators of financial crime, money laundering, and other criminal activities.

In a random sampling of records, I identified customer ID documents from all over the world, with a majority from the Asia Pacific Region. I identified documents from Malaysia, India, Australia, Indonesia, China, Oman and Singapore, among others.

Most cyber crimes are financially motivated, and the more information that criminals can learn about potential victims, the more dangerous it becomes. Therefore, the security of ancillary data accompanying the sale and purchase of cryptocurrency (such as KYC information) raises a cause for concern. Should malicious actors have discovered the exposed information, it may possibly fuel illicit activities and fraud, with potentially devastating results for individuals exposed. I have no way of knowing if the compromised records were accessed or used and only highlight the potential risks of this exposure.

The practice of storing website images and sensitive documents all in the same database is a major security vulnerability. In simple terms, never put all of your eggs in one basket. Anyone with an internet connection could see the page source and see where the images are stored. In this case, the AWS storage name and address was misconfigured to allow public access. The configuration settings and data exposure were not the fault of AWS. In this case, the database exposure could have been avoided by not leaving a system which doesn’t require authentication open to the internet.
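
The check below is an added example, not code from the article or from Fiatusdt: it audits an S3-style bucket policy for anonymous read grants and reports which sensitive object keys those grants cover. The bucket name, account ID, policy and object keys are constructed, and it is an assumption that the exposed storage was governed by a bucket policy of this shape.

```python
import fnmatch

# Constructed sample policy (not from the article): one bucket holds both
# website images and KYC documents, and the wildcard grant covers everything.
SAMPLE_POLICY = {"Statement": [
    {"Sid": "SiteAssets", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exchange-assets/*"},
    {"Sid": "AppOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-exchange-assets/kyc/*"},
]}
# Hypothetical object keys that must never be anonymously readable.
SENSITIVE_KEYS = ["kyc/passport-0001.jpg", "chat/deposit-0001.png"]

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_public(principal):
    """True when the principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False

def public_read_statements(policy):
    """Allow statements that let anyone read objects, with no Condition."""
    hits = []
    for stmt in as_list(policy.get("Statement", [])):
        # Simplification: conditional grants are skipped here; review them by hand.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not is_public(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase("s3:getobject", a) for a in actions):
            hits.append(stmt)
    return hits

def exposed_keys(policy, bucket, keys):
    """Object keys that fall under a public-read Resource pattern."""
    exposed = set()
    for stmt in public_read_statements(policy):
        for res in as_list(stmt.get("Resource", [])):
            for key in keys:
                if fnmatch.fnmatchcase(f"arn:aws:s3:::{bucket}/{key}", res):
                    exposed.add(key)
    return sorted(exposed)
```

Narrowing the public grant to a dedicated prefix for site images, or serving those images from a separate bucket, makes `exposed_keys` return an empty list for the KYC and chat objects.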

  2. Crypto Exchange Risks
A crypto exchange is a platform where users buy and sell digital assets. Crypto exchanges provide users with services that can include managing user accounts and their private keys. Every platform is slightly different but one thing that remains the same is that customer and exchange wallets will always be targets for hackers. Most deposits in a traditional bank account are protected at some level, or have state-sponsored insurance plans to protect against loss or theft. At present, however, there are no government regulations to support financial claims of investors in the event that cryptocurrency deposits are stolen from an exchange.

  3. Crypto itself is not free of risks
Crypto crime continues to rise despite the dramatic decrease in value of most major cryptocurrencies last year and the FTX exchange meltdown damaging investor trust. According to Chainalysis, in 2021, criminals stole a record USD $3.2 billion in cryptocurrency directly from their victims. This means they took the funds directly from their accounts, wallet, or the exchange. Fraudulent scams far outnumber the direct theft of cryptocurrency and present a very serious risk to crypto buyers and sellers. The same report estimates a massive USD $7.8 billion in cryptocurrency was stolen from victims through various scams. Decentralized finance (or DeFi) creates opportunities for criminals and, in some instances, even nation-states to try and steal cryptocurrency, no matter where they are located in the world.

For the most part, blockchain is relatively safe. Although extremely difficult, it theoretically can be hacked. That said, the average investor or individual is more at risk of being scammed out of their cryptocurrency than ever being hacked. Therefore, cryptocurrency exchanges have a massive responsibility to prevent vulnerabilities or security lapses during the process of buying and selling that could expose the personal data of the investor. In this case, I could see that sensitive information exposed by a crypto exchange service or platform could identify individuals and make them a potential target for cyber criminals, through no fault of these crypto exchange users. No hacking is needed when sensitive data is publicly exposed.

Hackers in the past have targeted exchanges to try and identify wallet data, passwords and other information on their server. This is why weak security is such a massive risk to cryptocurrency owners and exchanges alike. As long as there is financial gain, cyber criminals will try to get access to cryptocurrency wallets and access exchange accounts to steal crypto.

Discovery of Breach and Disclaimer:

This exposed database was discovered as part of a web-mapping process.

We imply no wrongdoing on the part of Fiatusdt, or any of their affiliates, that their customers or investors are in imminent danger of cybercrime. The presentation of material throughout this article does not imply the expression of any opinion whatsoever on our part concerning the legal ramifications of the data incident highlighted. We publish our findings for educational purposes to raise awareness of data incidents, and to highlight data security and best practices in cyber hygiene.

As an ethical security researcher, I never download or extract the data or information I discover. I was only able to review a limited sample of records and this report is based on what I saw in those records. It is unclear the total number of records exposed and who else may have had access to these records, while they were exposed.
