Home Kripto Fractal ID’s Data Breach Linked to 2022 Password Reuse Incident
Kripto

Fractal ID’s Data Breach Linked to 2022 Password Reuse Incident

Fractal ID’s Data Breach Linked to 2022 Password Reuse Incident

Fractal ID, a blockchain identity verification platform, recently published a detailed postmortem on a data breach that compromised user information. The breach occurred on July 14, 2024, but its origins can be traced back to an earlier incident in 2022 involving the reuse of a compromised password by an employee.

Analysis of the Breach

The compromised account belonged to an operator who had been with the platform for three years and possessed administrative rights. This level of access allowed the attacker to circumvent internal data privacy systems. However, thanks to vigilant system monitoring, the breach was contained within 29 minutes of its initiation.

Upon detecting unusual activity in its back office systems, Fractal ID acted swiftly to identify and mitigate the attack. The company immediately disabled all accounts in the compromised system and restricted access to senior employees only. These decisive actions helped limit the breach’s impact to approximately 0.5% of its user base, affecting around 6,300 users.

Enhanced Security Post-Breach

In the aftermath, Fractal ID implemented several security enhancements to prevent future incidents. These measures included:

  • Request throttling to limit the number of requests a user can make to the system.
  • Finer-grained authorization controls to ensure users can only access what they need.
  • Tighter monitoring of failed authentication attempts to quickly identify potential threats.
  • Stricter IP control to restrict access based on geographic locations.

Fractal ID reported the breach to the appropriate data protection authorities and the cybercrime police division in Berlin. The company also engaged cybersecurity services to monitor the internet for any potential distribution of the stolen data.

The stolen data included sensitive information ranging from proof-of-personhood checks to complete KYC checks. This encompassed names, email addresses, phone numbers, wallet addresses, physical addresses, and images of uploaded documents. Fractal ID has proactively contacted affected users to inform them about the breach and advise on protective measures.

Leadership’s Commitment and Future Plans

Fractal ID’s co-founders, Julian, Julio, Lluis, and Anna, expressed deep regret over the incident and reaffirmed their commitment to user data protection. The leadership team announced plans to transition to a self-custody storage system, which will further enhance data security by giving users direct control over their personal information.

The incident at Fractal ID follows a similar breach at Autix10, another crypto ID provider, which occurred on June 27. While Autix10’s breach involved exposed administrative login details, no customer data was reportedly accessed, highlighting varying outcomes in the crypto industry’s security incidents.

Fractal ID’s experience underscores the ongoing challenges in data security within the cryptocurrency industry. The breach serves as a reminder of the importance of robust security practices, particularly concerning password management and system access controls. As the platform moves forward, its enhanced measures and shift towards self-custody storage are steps towards regaining user trust and strengthening its security posture.

Related Articles

Former Attorney, 86, Ordered to Pay  Million for Role in Crypto Ponzi Scheme
Kripto

Former Attorney, 86, Ordered to Pay $14 Million for Role in Crypto Ponzi Scheme

David Kagel, an 86-year-old former California attorney, has been sentenced to five...

OpenAI Partners with Hearst to Bring Content from 60+ Publications to ChatGPT
Kripto

OpenAI Partners with Hearst to Bring Content from 60+ Publications to ChatGPT

OpenAI has entered into a new partnership with Hearst, the company behind...

Crypto.com Initiates Legal Action Against SEC to Safeguard U.S. Cryptocurrency Sector
Kripto

Crypto.com Initiates Legal Action Against SEC to Safeguard U.S. Cryptocurrency Sector

Crypto.com, a major player in the global cryptocurrency exchange and service industry,...

Singapore sets April 2025 deadline for digital bunker notes rollout
Kripto

Singapore sets April 2025 deadline for digital bunker notes rollout

Singapore’s marine fuel suppliers will be required to provide digital bunkering services...