TLDR
- On July 14, 2024, Fractal ID, a blockchain identity platform, experienced a data breach incident.
- The breach impacted around 0.5% of Fractal ID’s user population, equating to nearly 50,000 users.
- Sensitive data such as names, emails, wallet info, and document scans were exposed in the breach.
- Gnosis Pay, impacted by the breach, informed its users about the situation.
- The breach occurred through an operator’s account, possibly using a password compromised from other security incidents.
Fractal ID, a platform for blockchain-based digital identity verification, reported a security breach on July 14, 2024, raising questions about data safety within the fast-growing Web3 space.
According to Fractal ID's notice, unauthorized access was gained to an operator's account, which allowed an API script to siphon personal user data. The unauthorized access went on for two hours, from 05:14 to 07:29 UTC, before the attacker was cut off.
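A detection check of the kind the timeline above calls for, added here as an illustration (not Fractal ID's code): it parses a constructed access log and flags any operator account whose API record volume inside a sliding window exceeds a baseline, which is how a scripted export through one account stands out from normal one-record lookups. The log format, endpoint names, operator ids and thresholds are assumptions.

```python
"""Flag bulk personal-data export through a single operator account.

Assumed (hypothetical) access-log format, one API call per line:
  <ISO-8601 UTC timestamp> <operator_id> <endpoint> <records_returned>
All sample lines below are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: op-117 behaves like a human reviewer (single lookups),
# op-042 behaves like a script paging through user records continuously.
SAMPLE_LOG = """\
2024-07-14T04:58:02Z op-117 /v1/users/lookup 1
2024-07-14T05:14:10Z op-042 /v1/users/export 500
2024-07-14T05:14:41Z op-042 /v1/users/export 500
2024-07-14T05:15:12Z op-042 /v1/users/export 500
2024-07-14T05:15:44Z op-042 /v1/users/export 500
2024-07-14T05:30:05Z op-117 /v1/users/lookup 1
2024-07-14T05:16:15Z op-042 /v1/users/export 500
"""


def parse(line):
    """Split one log line into (timestamp, operator, endpoint, record_count)."""
    ts, operator, endpoint, count = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), operator, endpoint, int(count)


def flag_bulk_access(log_text, window=timedelta(minutes=10), max_records=1000):
    """Return {operator: peak_records_in_window} for every operator whose
    records fetched within any sliding window exceed max_records.
    Events are sorted first, so out-of-order log lines are handled."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # operator -> (timestamp, count) inside window
    running = defaultdict(int)    # operator -> records summed over `recent`
    flagged = {}
    for ts, op, _endpoint, count in events:
        q = recent[op]
        q.append((ts, count))
        running[op] += count
        # Drop calls older than the window before comparing to the cap.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            running[op] -= old
        if running[op] > max_records:
            flagged[op] = max(flagged.get(op, 0), running[op])
    return flagged
```

On the constructed log the scripted account is reported with a peak of 2,500 records in a ten-minute window while the reviewer account is not flagged.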
Leaks of this kind raise significant concerns, since hundreds of KYC service providers hold similar data and any of them could suffer a breach.
Well let's see what @Fractal_ID says about their leaked data
Compromised data includes NAMES, EMAILS, PHONE NUMBERS, PHYSICAL ADDRESSES, WALLET INFO, and SCANS of documents like passports.
— Lefteris Karapetsas hiring for @rotkiapp (@LefterisJP) July 17, 2024
Although Fractal ID reports that only about 0.5% of its users were affected, that still amounts to nearly 50,000 individuals out of a total user base of about one million.
Compromised information may include personal details such as names, emails, wallet details, physical addresses, phone numbers, and images of documents such as passports and licenses.
Julian Leitloff, one of the minds behind Fractal ID, confirmed the breach to The Block, stating:
“We detected a breach through a single operator account on a Sunday morning, immediately revoked access, and pinpointed the cause with help from external support.”
Leitloff speculated that an “acquired password from other incidents” could have been the entry point for the breach.
Several Web3 ventures that rely on Fractal ID for KYC and AML compliance were caught up in the breach, with Gnosis Pay promptly informing its customers on July 15, 2024. Know Your Customer (KYC) platforms possibly impacted besides Gnosis Pay include Polygon ID, Ripple, XRP Ledger, Avalanche, Near, Aurora, Acala, Polymath, BNB Chain, Lukso, Aleph Zero, and Arbitrum Foundation, although it is unclear to what extent they are affected.
Crypto community members have criticized Fractal ID since the breach, with blockchain investigator ZachXBT questioning the firm's data protection capabilities and suggesting that alternative solutions might be prudent.
It would be ideal for user teams to consider leaving this product behind.
Realistically, the only task was ensuring data security, which unfortunately was not met.
With the incident unfolding, why would anyone still want to engage with this service?
The breach brings to light the persistent difficulty of safeguarding data within the blockchain and crypto sectors, especially for services that handle private user data.
— ZachXBT (@zachxbt) July 18, 2024
Even though blockchain technology promises secure, user-controlled data, breaches like this one show that centralized weak points still exist within Web3 frameworks.
Fractal ID responded to the breach with immediate remedial actions, bolstered security measures, and filed reports with relevant authorities and cybercrime units.
Affected users are advised to monitor their accounts closely and to keep their security settings up to date across platforms in order to limit the resulting threats.
Data exposed could potentially serve phishing efforts, identity fraud, or other harmful exploits.
The overseer of Blockonomi and creator of Kooc Media Company, a UK-based online outlet, maintains faith in open-source software, blockchain progress, and a universally accessible Internet.