Fractal ID, a blockchain identity verification platform, recently published a detailed postmortem on a data breach that compromised user information. The breach occurred on July 14, 2024, but its origins can be traced back to an earlier incident in 2022 involving the reuse of a compromised password by an employee.
Analysis of the Breach
The compromised account belonged to an operator who had been with the platform for three years and possessed administrative rights. This level of access allowed the attacker to circumvent internal data privacy systems. However, thanks to vigilant system monitoring, the breach was contained within 29 minutes of its initiation.
Upon detecting unusual activity in its back office systems, Fractal ID acted swiftly to identify and mitigate the attack. The company immediately disabled all accounts in the compromised system and restricted access to senior employees only. These decisive actions helped limit the breach’s impact to approximately 0.5% of its user base, affecting around 6,300 users.
Enhanced Security Post-Breach
In the aftermath, Fractal ID implemented several security enhancements to prevent future incidents. These measures included:
- Request throttling to limit the number of requests a user can make to the system.
- Finer-grained authorization controls to ensure users can only access what they need.
- Tighter monitoring of failed authentication attempts to quickly identify potential threats.
- Stricter IP control to restrict access based on geographic locations.
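As an added illustration of the first measure (not Fractal ID's code and not taken from the postmortem), the sketch below applies a sliding-window read budget to every back-office account, administrators included, and disables an account that exceeds it. The class and function names, the thresholds, the lock-on-exceed behaviour, and the sample events are all assumptions constructed for this example.

```python
from collections import defaultdict, deque


class OperatorThrottle:
    """Sliding-window limit on record reads per back-office account."""

    def __init__(self, max_reads, window_seconds):
        self.max_reads = max_reads
        self.window = window_seconds
        self.reads = defaultdict(deque)  # account -> timestamps of served reads
        self.locked = set()              # accounts disabled pending review

    def allow(self, account, ts):
        """Return True if the read at time ts (seconds) may proceed."""
        if account in self.locked:
            return False
        q = self.reads[account]
        # Drop reads that have aged out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_reads:
            # Budget exceeded: disable the account regardless of its role.
            self.locked.add(account)
            return False
        q.append(ts)
        return True


def replay(events, max_reads=5, window_seconds=60):
    """Replay (ts, account) read events; return (served counts, locked accounts)."""
    throttle = OperatorThrottle(max_reads, window_seconds)
    served = defaultdict(int)
    for ts, account in events:
        if throttle.allow(account, ts):
            served[account] += 1
    return dict(served), sorted(throttle.locked)


# Constructed sample: op_a reads one record every 30 s (routine work),
# op_b reads one record per second for 200 s (bulk pull).
SAMPLE_EVENTS = sorted(
    [(t, "op_a") for t in range(0, 300, 30)]
    + [(t, "op_b") for t in range(100, 300)]
)

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

With these constructed numbers the routine account is never slowed, while the bulk reader is cut off after five records instead of two hundred, which bounds the exposure from a single compromised account.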
Fractal ID reported the breach to the appropriate data protection authorities and the cybercrime police division in Berlin. The company also engaged cybersecurity services to monitor the internet for any potential distribution of the stolen data.
The stolen data included sensitive information ranging from proof-of-personhood checks to complete KYC checks. This encompassed names, email addresses, phone numbers, wallet addresses, physical addresses, and images of uploaded documents. Fractal ID has proactively contacted affected users to inform them about the breach and advise on protective measures.
Leadership’s Commitment and Future Plans
Fractal ID’s co-founders, Julian, Julio, Lluis, and Anna, expressed deep regret over the incident and reaffirmed their commitment to user data protection. The leadership team announced plans to transition to a self-custody storage system, which will further enhance data security by giving users direct control over their personal information.
The incident at Fractal ID follows a similar breach at AU10TIX, another crypto ID provider, which occurred on June 27. While AU10TIX’s breach involved exposed administrative login details, no customer data was reportedly accessed, highlighting varying outcomes in the crypto industry’s security incidents.
Fractal ID’s experience underscores the ongoing challenges in data security within the cryptocurrency industry. The breach serves as a reminder of the importance of robust security practices, particularly concerning password management and system access controls. As the platform moves forward, its enhanced measures and shift towards self-custody storage are steps towards regaining user trust and strengthening its security posture.