More than 5,000 email addresses and other personal information obtained from Canadian crypto exchange Coinsquare may be used in SIM swapping attacks.
Hackers got their hands on personal data on users from Coinsquare's database, and Vice's Motherboard cites one of the hackers saying that "the original intent was to sell it [the data] but we figured we would make more money by SIM swapping the accounts." These attacks include gathering personal information on a victim in a variety of ways, contacting the victim's mobile phone provider, utilizing the gained data to convince the company to port the victim's phone number to the attacker's SIM, and thus taking over all messages and voice calls, including the one-time passwords. It's not uncommon for one or more of these steps to be an inside job.
This hacker sent a version of the data stolen from Coinsquare to Motherboard, the article claims, which doesn't seem to contain passwords, but does come with more than 5,000 rows of users' email addresses, phone numbers, some physical addresses too, as well as a column titled "total $ funded first 6 months," which Vice believes could represent the amount in dollars put into a user's Coinsquare account in that period, and if Coinsquare marks the user as a "high value client."
Motherboard then proceeded to verify the data: using random email addresses from the list they tried making Coinsquare accounts and they weren't able to, suggesting the email is in use already, and they also contacted a number of people, with three confirming they are Coinsquare users, while two confirmed their phone numbers.
According to several Reddit posts, it would seem that the breach occurred sometimes in 2019, though a Twitter account 'Coinsquare Breach' suggests that it was a year earlier, in 2018. What they all have in common is the accusation against the exchange of not revealing the leak to the customers and the public.
Meanwhile, Vice quoted Stacey Hoisak, Coinsquare's general counsel, as saying that the data "was as obtained as the result of employee theft of information contained within a client relationship database used for prospecting." She said that the exchange became aware of it a year ago, and that they notified the affected users, as well as law enforcement and data protection authorities. They also replaced internal sales management systems, re-written data management policy, and upgraded its internal controls, Hoisak said.
She also suggested the company was not originally aware of the full extent of the breach, and after "Motherboard provided a limited set of screenshots of the data to Coinsquare so they could provide an informed statement, Hoisak characterized some of the information as additional User names.
Bitcoiners should try to limit the amount of KYC services they use and only use those that they trust intimately. When it comes to custodial privacy, users should choose their custodians very carefully. Your private information is valuable, start acting like it.
More importantly, employees should not access sensitive user data as easily.
Coinsquare said the data came not from a hack of its systems, but rather a now former employee stole the information.
The hackers also confirmed to Motherboard what many of the users speculated in Reddit posts, that they set out to embarrass the company for claiming they [were] the most secure Canadian exchange and obviously that is a lie.
We contacted Coinsquare for comment and will update should they reply.