No funds lost in BlockFi data breach

BlockFi recently made its clients aware of a breach through a memo. The breach impacted less than half of the firm’s retail clients and none of its institutional clients. The data that was accessed includes user names, email addresses, dates of births, addresses, and activity history.
More sensitive information such as bank account details, social security, and tax identification numbers, passport and driver’s license numbers, and photo scans were not exposed.

“While no information was accessed that would enable the intruder to access your account or your funds, we believe it is in the interest of transparency to share the following details with you, and all of our other clients who were potentially affected," the company stated.

In an incident report published at the same time, BlockFi described how the hacker was able to gain access to the companies internal systems. An employee of the company was the victim of a SIM card swap attack, which is when a mobile phone operator is tricked into activating a user’s phone number on another device.

The SIM card swap attack allows the attacker to thwart SMS two-factor authentication, as texts now are received by the falsely authorized device. The attacker was able to use this to gain access to some parts of the company’s internal systems.

This attack vector is well known in the cryptocurrency industry, and there have been many previous incidents of this attack taking place. The most infamous case is that of Michael Terpin, who had almost $24 million USD worth of cryptocurrency stolen from him after a SIM card swap attack.

"A BlockFi employee’s phone number was breached and utilized by an unauthorized third party to access a portion of BlockFi’s encrypted back-office system," the incident report reads. "The unauthorized third party was able to access BlockFi client information typically used by BlockFi for retail marketing purposes throughout the duration of this incident."

The incident report also states the hacker had tried, though unsuccessfully, to make withdrawals of user funds before BlockFi was able to remove them from the system. The firm said it "quickly terminated the intruder’s access to BlockFi’s internal system" and that every action the unauthorized third party took with respect to the BlockFi systems was logged.

In response to the data breach, BlockFi stated, "We are constantly reviewing and improving our systems and security processes and will be accelerating efforts in a number of areas as a result of this activity. In addition to the ongoing development of our systems, we are actively researching options for us to contribute to the cybersecurity efforts of the cryptocurrency industry more broadly."

Data breaches are a fairly common occurrence within the cryptocurrency market due to the unique properties of the assets that can be stolen. If a hacker can gain access to a user’s account and drain their funds, there is no way to revert the action.

Tracking of the funds once they leave the users’ account is also difficult, which makes cryptocurrency users an ideal target for hackers. Although information such as email addresses and date of births may not be enough on their own to hack an account, they do provide more context for a hacker that may assist in the eventual theft of funds.