Gnosis Pay and other crypto projects impacted in Fractal ID data breach
Quick Take Approximately 0.5% of decentralized identity startup Fractal ID’s 1 million customers were implicated in a data breach on Sunday, Gnosis Pay CEO Julian Leitloff told The Block. The project maintains personally identifiable information, including users’ names, proof of residence and IDs. Gnosis Pay is among the affected protocols, according to an email sent to users. Leitloff said it’s unclear how the attacker gained entry, though suspects it is related to a “siphoned password gained from other h
Decentralized payment network Gnosis Pay alerted users on Wednesday about a data breach at Fractal ID, the customer verification service it has used since at least 2019, according to a customer service email seen by The Block. Gnosis is likely not the only Web3 company affected.
“At 7:30 PM CET, Monday, 15th July 2024, our Know Your Customer (KYC) service provider Fractal ID made the Gnosis Pay team aware that it had suffered a data breach on Sunday 14th July 2024,” the Gnosis Pay team wrote.
Gnosis Pay CEO Julian Leitloff confirmed reports of the exploit to The Block. “A single operator account got breached and as a result, we noticed suspicious activity on Sunday morning. We immediately stopped access and could identify the cause which was later verified with external support,” he said in a direct message. Approximately 0.5% of Fractal ID’s 1 million users were affected, Leitloff said.
Like other KYC and anti-money laundering (AML) service providers, the Berlin-based Fractal ID, founded in 2017, collects and stores sensitive data for users, called personally identifiable information, including their name, residence, email address, “a Liveness Detection Selfie Scan” and documents like passports and licenses.
Fractal ID provides compliance assistance for at least eight crypto protocols including Polygon, Ripple and Near and over 250 companies among its clientele, according to its website .
“The attack wasn't Gnosis specific, but specific to the operator's account access. The system itself was not impacted but this account, meaning every user that account had access to,” Leitloff said.
In a screenshot of an email from Fractal ID posted to X, the company said that one of its engineers discovered an attacker had gained access to a Fractal ID operator’s account, enabling them to run an API script to access users’ data. Fractal ID said it stopped the exploit in just over two hours.
“Fractal KYC requires showing proof of ID and residence proof etc. I used this for Optimism retro KYC and Thrive/Arbitrum KYC,” X user @arlery, who posted Fractal ID’s email , said. “The fact that they’ve been compromised is so alarming.”
Leitloff said it's unclear how the attacker gained entry, though the company suspects it is related to a “siphoned password gained from other hacks.”
Users’ “sensitive data is encrypted with a state-of-the-art security process,” the company wrote in a blog . Leitloff said that although the company offers a decentralized identity product, it uses centralized databases to store client data. This is "not a legal requirement per se but what today most regulated entities require" because local storage on users' computers "would definitely not work."
Fractal ID, built on Polkadot DOT -1.43% , was also one of the main developers of the open-source digital ID operating system idOS, built to enable users to manage their own identity across the Web. It received backing from both Enterprise Singapore and the German government and has raised nearly $8 million, according to PitchBook .
Fractal ID has not yet disclosed the data breach on social media, its blog or website, however Leitloff told The Block the exploit only affected a fraction of Fractal ID’s user base.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Decentralized AI Gets a Boost as SingularityNET Partners with Mina Foundation
MVLUSDT now launched for futures trading and trading bots
Bitget has launched MVLUSDT for futures trading with a maximum leverage of 20, along with support for futures trading bots, on November 29, 2024 (UTC+8). Welcome to try futures trading via our official website (www.bitget.com) or Bitget APP. MVLUSDT-M perpetual futures: Parameters Details Listing t
Nansen: Pantera Capital increased its holdings of ENA by $8 million in the past 24 hours