Fractal ID Breach Exposes User Data, Traced Back to 2022 Password Hack

YEREVAN (CoinChapter.com) — Blockchain identity platform Fractal ID revealed a significant data breach on July 14, 2024. Initially, the breach was traced back to a 2022 incident where an employee reused a compromised password.

The compromised account belonged to a long-time operator with admin rights. Consequently, this allowed the attacker to bypass internal data privacy systems. Nevertheless, system monitoring helped lock out the attacker within 29 minutes.

The root cause of the breach was a failure to follow operational security policies and training. The reuse of credentials from past hacks facilitated the attack, exposing Fractal ID’s vulnerabilities.

Fractal ID Takes Action After Data Breach, Enhances Security

Upon detecting unusual activity in its back office, Fractal ID quickly identified it as a malicious attack. This led to data exfiltration affecting approximately 0.5% of its user base. In response, the company disabled all accounts in the compromised system and limited access to senior employees.

Fractal ID’s postmortem report highlighted several measures to prevent future incidents. These include implementing request throttling, finer-grained authorization, tighter monitoring of failed authentication attempts, and stricter IP control.

The company also contacted the pertinent data protection authorities and the cybercrime police division in Berlin.

Fractal ID Breach Exposes User Data, Affects 6,300 Users

The breach impacted around 6,300 users, with stolen data ranging from proof-of-personhood checks to complete KYC checks. This includes names, email addresses, phone numbers, wallet addresses, physical addresses, and images of uploaded documents. Fractal ID has directly contacted affected users to inform them of the breach.

Fractal ID co-founders Julian, Julio, Lluis, and Anna expressed regret over the incident. They emphasized their commitment to protecting user data and moving toward a self-custody storage system for enhanced security.

Autix10, another crypto ID provider, revealed on June 27 that their online administrative login details were exposed. However, the attacker in that case did not gain access to any customer data.

The post Fractal ID Breach Exposes User Data, Traced Back to 2022 Password Hack appeared first on CoinChapter.