Fractal ID Data Breach: 6,300 Users’ Data Leaked

Blockchain identity platform Fractal ID has published a postmortem report on a data breach that hit the company on July 14. The report reveals that the breach can be traced back to a 2022 incident in which an employee reused a compromised password.

Circumventing internal data privacy systems

The compromised account, which had been owned by an operator on the platform for three years and had administrative privileges, allowed the attacker to bypass internal data privacy systems. However, thanks to system monitoring, the attacker was locked out within 29 minutes.

The operator’s failure to adhere to operational security policies and training, along with the reuse of credentials from previous hacks, facilitated the breach. On July 14, Fractal ID detected unusual activity in one of its back offices, leading to the discovery of the attack and data exfiltration for approximately 0.5% of the user base.

Actions against senior employees

In response to the incident, Fractal ID disabled all accounts in the compromised system and restricted access to senior employees. The company also prioritized improving its security measures, including request throttling, finer-grained authorization, stricter monitoring of failed authentication attempts, and tighter IP control.

In addition to various internal measures, Fractal ID has contacted relevant data protection authorities and the cybercrime police in Berlin. The company is also reportedly working with cybersecurity services to monitor the possible distribution of stolen data on known data breach sites.

According to the report, the stolen data, which affected approximately 6,300 users, included various levels of information, from proof of identity checks to full KYC checks. This data may include names, email addresses, phone numbers, wallet addresses, physical addresses, and images of uploaded documents. Fractal ID immediately notified affected users about the breach.

Data protection challenges underscored

Fractal ID co-founders Julian, Julio, Lluis, and Anna expressed their regret over the incident and emphasized their commitment to protecting user data. They reiterated the company’s goal to move to a self-managed storage system to improve data security.

This incident underscores the challenges of data protection. Recently, on June 27, another crypto ID provider, Auix10, announced that its online administrative credentials had been exposed. In that case, however, the attacker did not appear to gain access to customer data.