BlockFi data breach can allow criminals to extort rich customers

 

BlockFi, a provider of crypto-currency loans, reported Tuesday that it suffered a data breach that may put some of its customers in physical danger.

According to its incident report, some of the company’s customer data was breached through a SIM card exchange attack on one of its employees.

The attackers successfully stole the email account and phone number used for the employee’s account verification procedure, allowing them access to BlockFi’s records.

AT&T seeks $200 million in damages for 2018 SIM exchange attack

SIM exchange attacks are the result of network operator vulnerabilities and are usually carried out by conspirators with access to telephone network equipment, although external intrusion techniques are also possible. This type of attack has been responsible for several high-profile exchange thefts, but usually targets the customers themselves.

Attackers allegedly tried to withdraw customer funds directly, but the attempts were unsuccessful, says BlockFi.

However, the attackers had full access to the customer data used as part of BlockFi’s marketing efforts.

Victim of SIM exchange sues Bittrex crypto exchange for $1 million in Bitcoin theft

The company emphasized that no „non-public identifying information“ was leaked, which would include bank account numbers, passwords or social security numbers.

However, the hackers gained access to the full names of customers, email addresses, dates of birth, and in particular, activity information and physical addresses.

Can victims be physically extorted?

BlockFi claims that there is no threat to the clients‘ funds in Bitcoin Circuit Review, Bitcoin Capital Review, Bitcoin Billionaire Review, Bitcoin Evolution Review, Bitcoin Investor Review, and writes: „Due to the nature of the information that was leaked, we do not believe that there is any immediate risk to BlockFi’s clients or the company’s funds.

However, address and activity data can expose affected users to extortion and physical theft.

BlockFi did not disclose what type of activity data was included in these databases and refused to answer Cointelegraph’s query on the subject, referring to the full incident report.

EXMO director released from kidnapping after paying $1 million ransom
An unidentified spokesperson only added: „we have received no further indications that an unauthorized third party has altered the information accessed at this time“.

However, it is easy to believe that simply reading the activity data would allow attackers to know the size of the customer’s account and the promises of guarantees. This type of data is crucial to any targeted marketing campaign.

Furthermore, BlockFi’s privacy policy explicitly states that this information is available for marketing use:

„We may use your personal information and information about how you use our services to send you promotional and other information. We may also use your personal information to perform analysis regarding your use of our services and products and the effectiveness of our marketing initiatives.

The connection between home address, customer activity on the platform and their identification data could allow criminals to accurately target victims of this attack to extort them for their crypto-currency.

This type of theft is not unknown, as a Singaporean man was reportedly kidnapped in January and forced to transfer the cryptomonies in his possession.