TLDR
- Blockchain identity platform Fractal ID suffered a data breach on July 14, 2024.
- Approximately 0.5% of Fractal ID’s user base (about 50,000 users) was affected.
- The breach exposed sensitive personal information including names, email addresses, wallet addresses, and images of uploaded documents.
- Gnosis Pay was among the affected protocols and alerted its users about the breach.
- The attacker gained access through an operator’s account, potentially using a password obtained from other hacks.
Fractal ID, a blockchain-based digital identity verification service, has reported a data breach that occurred on July 14, 2024. The incident has raised concerns about the security of personal information in the rapidly evolving Web3 ecosystem.
According to Fractal ID’s notice, an unauthorized third party gained access to an operator’s account and ran an API script that extracted users’ personal data. The breach lasted for approximately two hours and 14 minutes, from 05:14 AM to 07:29 AM UTC, before the team detected the intrusion and logged the attacker out of the system.
“Wonder what data leaks when one of the hundreds of KYC service providers out there suffers a data breach?
Well let's see what @Fractal_ID says about their leaked data
NAMES, EMAILS, PHONE NUMBERS, PHYSICAL ADDRESSES, CRYPTO WALLETS, SCANS OF ALL PHYSICAL DOCUMENTS (passport etc)”
— Lefteris Karapetsas | Hiring for @rotkiapp (@LefterisJP) July 17, 2024
While Fractal ID stated that only about 0.5% of its user base was affected, this still amounts to roughly 50,000 users, given the company’s claimed user base of around 1 million.
The compromised data potentially includes names, email addresses, wallet addresses, phone numbers, physical addresses, and images of uploaded documents such as passports and driving licenses.
Julian Leitloff, co-founder of Fractal ID, confirmed the breach to The Block, stating,
“A single operator account got breached and as a result, we noticed suspicious activity on Sunday morning. We immediately stopped access and could identify the cause which was later verified with external support.”
Leitloff suggested that the attacker might have gained entry using a “siphoned password gained from other hacks.”
The incident has affected several Web3 projects that use Fractal ID for Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance. Gnosis Pay, a decentralized payment network, was among the first to alert its users about the breach. In an email to customers, Gnosis Pay stated that it was made aware of the breach by Fractal ID on July 15, 2024.
Other potentially affected projects include Polygon ID, Ripple, XRP Ledger, Avalanche, Near, Aurora, Acala, Polymath, BNB Chain, Lukso, Aleph Zero, and Arbitrum Foundation. However, the full extent of the impact on these platforms remains unclear.
The breach has drawn criticism from members of the crypto community. Blockchain investigator ZachXBT questioned Fractal ID’s ability to secure user data and suggested that teams using their product should consider alternatives.
“I hope all of these teams move away from using your product.
Your team had one job of securing user data and could not even do that properly.
Why should anyone ever continue to do business with you? https://t.co/9jlZzzZpqJ”
— ZachXBT (@zachxbt) July 18, 2024
This incident highlights the ongoing challenges of data security in the blockchain and cryptocurrency space, particularly for services that handle sensitive personal information.
While blockchain technology often promises enhanced security and user control over data, this breach demonstrates that centralized points of failure can still exist in Web3 infrastructure.
Fractal ID has stated that it has taken immediate action to mitigate the breach’s impact and implemented additional security measures. The company has also reported the incident to relevant data protection authorities and the cybercrime police division.
Users affected by this breach are advised to remain vigilant, monitor their accounts closely, and consider updating their security measures across various online services to mitigate potential risks.
The compromised data could potentially be used for phishing attacks, identity theft, or other malicious activities.