Blockchain ID platform Fractal ID has suffered a data breach.
Blockchain identity platform Fractal Identity experienced a data breach on July 14, according to an announcement published on Fractal's website on July 17. The platform's partners include the payment system Gnosis Pay, a decentralized financial application entity, the personal project Polygon ID, the social media platform Lukso, and other Web3 applications.
In its statement, Fractal did not say which partners were affected by the breach, if any. Some users on X reported receiving emails from the Gnosis Pay team warning of the breach and saying “Beware of unsolicited connections.”
Fractal said the breach only affected “0.5% of the Fractal ID user base.”
According to the announcement, “A third-party operator account other than Fractal ID gained unauthorized access and ran an API script that started at 05:14 am UTC to access users' personal information.” Once the team noticed the breach, they “took action to remove the attacker from the system at 07:29 AM UTC,” so the attack appears to have taken place within two hours and 14 minutes.
The announcement states that the data stored in this operator's account covers only a limited number of accounts, amounting to 0.5% of Fractal's total user base. For these users, extractable information may include “names, email addresses, wallet addresses, phone numbers, physical addresses, images, and images of uploaded documents.”
Fractal said the breach did not affect customers' systems or products, because it was “internal [Fractal’s] Environment.” However, affected users should “beware of unsolicited communications that request additional personal information,” the notice said.
Web3 developer Paulo Fonseca posted an image of an email sent to some Gnosis Pay users. “On Monday, July 15, 2024 at 7:30pm CET, our Know Your Customer (KYC) service provider Fractal ID notified the Gnosis Pay team of a data breach on Sunday, July 14, 2024,” the email said.
“It was not part of the data received,” the recipient of the email said. However, the user is warned to “Beware of unwanted communications that ask for more personal information.”
Cointelegraph contacted Gnosis for comment but did not receive a response as of publication.
Most jurisdictions require cryptocurrency exchanges or payment providers to register and store know-your-customer (KYC) information on every customer they serve. This information may include images of user identification documents, names, physical addresses, emails, and other sensitive information. Supporters of KYC requirements say the system is necessary to prevent money laundering, while critics say it risks the release of personal information.
On June 27, crypto identity provider Autix10 announced that its administrative credentials had gone online. But in this case, it appears that the attacker didn't get any valid customer data. On July 3, 2-factor authentication app Authy suffered a data breach, resulting in users' phone numbers being leaked.