A privacy flaw on the crypto lending platform YouHodler exposed millions of records of financial data belonging to several thousand clients, a total breach of their privacy.
YouHodler Client Data Exposed
According to a report published by vpnMentor on July 24, researchers discovered that users of the crypto lending platform YouHodler were at risk of having their financial information exposed to the internet.
“A major #Cryptocurrency #databreach
We found an open database of @YouHodler, one of the first #FinTech platforms that help convert crypto holdings, with full credit card information and all the data to connect anonymous crypto wallets to their owners >> https://t.co/kE3hbPspT5”
— vpnMentor (@vpnmentor) July 24, 2019
vpnMentor’s research team published a blog post outlining how the platform exposed a “huge” amount of data. The researchers claim that the breach in privacy involved over 86 million records, including,
“users’ full names, email addresses, addresses, phone numbers, birthdays, credit card numbers, CVV numbers, full bank details, and in some cases crypto wallet addresses.”
Following the discovery of the breach, vpnMentor reports reaching out to YouHodler on July 22, with the privacy flaw being corrected the next day.
The data breach is beyond extensive, particularly for a company that purports to be an industry leader in crypto loans and conversions. YouHodler was one of the first financial platforms to help users convert crypto into traditional fiat currencies and also provides the ability to take out crypto-based loans.
According to the company’s website, YouHodler has processed $10 million in transactions for over 3500 clients and operates in more than 35 countries.
vpnMentor first discovered a breach in privacy when they noticed that YouHodler was storing client CVV numbers (used for credit card verification) under the tag 'identity'.
A sample of the user data discovered in the security breach. | Source: vpnMentor
It gets worse. The post explains that, in addition to how easy the user information was to find, little precaution was taken to conceal it.
“Furthermore, these numbers were entirely unencrypted.”
The research team claims it was a “small leap” from finding the CVV numbers to the rest of the users’ card information, including name, expiration date, and full card number, which was stored as plain text.
Severity of the Breach
In addition, user accounts were linked to bitcoin wallet addresses. While vpnMentor points out that bitcoin transactions are recorded on a public blockchain ledger, wallet addresses are normally not tied to a real-world identity. Here, full user details, including name and email address, were exposed alongside the wallet addresses, leaving the owners of large wallets identifiable to hackers.
The research team went on to describe the severity and implications of the breach,
“With full, unencrypted credit card numbers, CVV numbers, expiration dates, and cardholder names, a bad actor would have complete control over a user’s credit card. Furthermore, storing CVV numbers is a violation of the PCI regulations imposed by credit card companies.”
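As an added example (not code from the article, vpnMentor or YouHodler), the following Python audit flags the storage practices described above in a set of constructed records: a Luhn-valid card number held in plaintext, a CVV kept under a field such as 'identity', and card data sitting next to a wallet address and identity fields. The record layout, field names and all values are assumptions.

```python
import re

# Constructed sample records (made-up values) with the field types the report
# describes: identity data, a plaintext card number, a CVV kept under the key
# 'identity', and a bitcoin address. The second record holds only a payment token.
SAMPLE_RECORDS = [
    {"name": "Jane Example", "email": "jane@example.com",
     "card_number": "4111 1111 1111 1111", "expiry": "08/24",
     "identity": "123", "btc_wallet": "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"},
    {"name": "John Example", "email": "john@example.com",
     "card_number": "tok_8f3a9c1d", "expiry": "01/25",
     "btc_wallet": "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"},
]

PAN_RE = re.compile(r"^\d{13,19}$")
CVV_RE = re.compile(r"^\d{3,4}$")
# Field names under which a CVV may hide; 'identity' is the tag the report cites.
CVV_KEYS = {"cvv", "cvc", "cvv2", "security_code", "identity"}
WALLET_KEYS = {"btc_wallet", "wallet_address", "wallet"}

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def audit_record(rec: dict[str, str]) -> list[str]:
    """Return the storage violations found in one record."""
    findings = []
    for key, value in rec.items():
        v = re.sub(r"[\s-]", "", str(value))  # strip card-number grouping
        if PAN_RE.match(v) and luhn_valid(v):
            findings.append(f"plaintext PAN in field '{key}'")
        if key.lower() in CVV_KEYS and CVV_RE.match(v):
            findings.append(f"CVV stored in field '{key}' (PCI DSS forbids storing it)")
    if any(f.startswith("plaintext PAN") for f in findings) and WALLET_KEYS & rec.keys():
        findings.append("card data co-located with a wallet address and identity fields")
    return findings

def audit(records: list[dict[str, str]]) -> dict[int, list[str]]:
    """Map record index to its findings, omitting clean records."""
    per_record = ((i, audit_record(r)) for i, r in enumerate(records))
    return {i: f for i, f in per_record if f}
```

Calling `audit(SAMPLE_RECORDS)` reports only the first record; the tokenized second record passes clean.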
vpnMentor claims to have discovered the flaw in YouHodler’s database as part of their “web-mapping project,” which involves looking for holes in a system after coming across an IP block.