QuickBit, a cryptocurrency exchange listed in Sweden, confirmed on Monday reports of a security breach that left many of its customer records exposed.

Reporting for Comparitech, tech writer Paul Bischoff claimed that a database containing more than 300,000 customer records was left open so “anyone online could view its contents”.

QuickBit sells cryptocurrency to customers who are able to pay for purchases with credit cards. Although some of these details could be seen, the company insisted in an update on its blog that full card information was not exposed.

Third-Party System Delivery

The security breach occurred during the delivery of a new third-party supplied system for customer screening. QuickBit said in a press release:

In connection with the delivery of this system, it has been on a server that has been visible outside QuickBit's firewall for a few days, and thus accessible to the person who has the right tools.

The database included information about customers’ names, addresses, email details and truncated credit card information [first six and last four digits] for “approximately 2% of Quickbit’s customers – around 300,000 people, according to Bischoff’s report.

No Harm to Company or Customers

QuickBit stressed the following details had not been included in the security breach:

  • No passwords or social security numbers have been exposed
  • No complete account or credit card information has been exposed
  • No cryptocurrency or keys for this have been exposed
  • No financial transactions have been affected

It added:

QuickBit's technicians have immediately taken steps to ensure that all servers are protected behind firewalls, and prevent the possibility of similar incidents. We want to emphasize that the data that has been accessed cannot be used to harm either the company or its customers.

How it Happened

Bischoff, along with security researcher Bob Diachenko, discovered that a MongoDB database – a specially developed system for handling documentation –  had been left exposed on July 2 and immediately notified QuickBit by email. The database was pulled offline within 24 hours of this notification.

While QuickBit insisted its customers were safe and that their full credit card numbers had not been exposed, fraudsters can use some of the personal information that was available to conduct phishing attacks and could make hacking attempts easier.

QuickBit said the supplier of the third-party system was involved in assessing data security and that it would publish a public version of the incident report on its website shortly.