Cryptocurrency lending platform BlockFi revealed on May 19 that it had suffered a data breach on May 14, though no funds had been lost. Less than half of the platform’s clients had been subject to the breach, which occurred for about an hour.
The attack occurred after an attacker had compromised a BlockFi employee’s phone through a SIM swap attack, according to the incident report released by the New York based DeFi company. The confidential information that was accessed includes names, addresses, bank account details, tax ID numbers, and passport information.
The hacker had attempted to withdraw clients’ funds but had failed. The report reads,
The unauthorized third party was able to do this by obtaining unauthorized access to the employee’s phone and email via a cell phone network vulnerability. Based on the unauthorized third party’s actions, it appears that the perpetrator attempted to make unauthorized withdrawals of client funds using the BlockFi platform, but was unsuccessful in doing so.
As a countermeasure, BlockFi has stepped up security on the platform. It has now limited employee access to information related to retail marketing, and conducted security audits and penetration testing. It will also increase the frequency of testing.
The company does not believe that there are any immediate risks involved with funds. It does recommend that clients turn 2FA on and will improve its response system to tackle any unauthorized entries.
Data breaches have occurred before in the cryptocurrency market, with BitMEX in particular receiving a lot of criticism for a breach that occurred in November 2019.