Fractal ID’s postmortem reveals a July 14 data breach traced to a reused password from a 2022 incident, swiftly mitigated by system monitoring.
Fractal ID, a blockchain identity platform, released a postmortem detailing the July 14 data breach. The breach has been traced back to a 2022 incident in which an employee reused a compromised password.
The compromised account belonged to an operator who had been using the platform for three years and had administrator rights, according to Fractal ID.
This enabled the perpetrator to circumvent internal data privacy systems; however, system monitoring was able to stop the attacker's access within 29 minutes.
The breach was facilitated by the operator's failure to adhere to operational security policies and undergo training, and by the reuse of credentials from previous attacks.
The crypto identity verification provider identified peculiar activity in one of its back offices on July 14, 2024. This activity was promptly recognized as a malicious attack, which resulted in the exfiltration of data for approximately 0.5% of its user base.
In the postmortem report, Fractal ID stated that it responded by disabling all accounts in the compromised system and restricting access to senior employees.
The company also prioritized improving its security measures to prevent future incidents. This included the implementation of request throttling, finer-grained authorization, tighter surveillance of failed authentication attempts, and stricter IP control.
In addition to its internal initiatives, Fractal ID contacted the relevant data protection authorities and the cybercrime police division in Berlin. The company has also contracted cybersecurity services to monitor for the potential distribution of stolen data on known data breach sites.
According to the report, the stolen data, which impacted approximately 6,300 users, encompasses a range of information, including proof-of-personhood checks and comprehensive KYC checks.
This information may encompass names, email addresses, phone numbers, wallet addresses, physical addresses, and images of uploaded documents. Fractal ID also reached out to the affected users directly to notify them of the breach.
Julian, Julio, Lluis, and Anna, the co-founders of Fractal ID, conveyed their regret for the incident and underscored their dedication to safeguarding user data. They reiterated the organization’s objective of transitioning to a self-custody storage system in order to improve data security.
This security breach serves as a stark reminder of the challenges associated with data protection. On June 27, Autix10, a provider of crypto IDs, disclosed that its online administrative logon credentials had been compromised. In that case, however, it appears that the perpetrator did not acquire any customer data.