Large troves of personal and sensitive data belonging to investors on crypto-currency exchange BuyUCoin has been leaked on the dark web. The data leak was uploaded on Wednesday night by the notorious hacking group ShinyHunters and pertains to a backup of the crypto-exchanges database in September 2020. However, in response to queries sent by MediaNama, BuyUCoin refuted the allegations stating that only a limited amount of data was compromised and that it was immediately recovered and secured by the company’s automated security systems.
Cyber-security researcher Rajshekhar Rajaharia told MediaNama that the data leak contains sensitive information like users’ name, email address, mobile numbers, password, crypto-wallet details, order details and deposit history. Further, screenshots of the leak reveal that bank account details including the bank name, account number, IFSC code and type of account has been exposed in the data dump, in addition to Know-Your-Customer (KYC) information collected by BuyUCoin.
“ShinyHunters was responsible for other data dumps belonging to Indian companies like Juspay and BigBasket. While this group usually puts up the data on the dark web for sale, this time they have uploaded the files for free. Even my account details were leaked,” Rajaharia said. “The data contained in a MongoDB database was backed up by the group in June, July and September last year,” he said. Rajaharia added that a quick look of the data dump, around 6GB large, shows that 3.25 lakh users’ details may have been leaked, although there could be repetitions in the file.
According to a source close to the development, BuyUCoin has around 2.9 lakh users of which 95,000 have completed the full-KYC requirements and around 40,000 actively trade on the platform. This person spoke on the condition of anonymity.
“In the mid of 2020, while conducting a routine testing exercise with dummy data, we faced a ‘Low Impact Security Incident’ in which non-sensitive, dummy data of only 200 entries was impacted. We would like to clarify that not even a single customer was affected during the incident,” BuyUCoin said.
The New-Delhi based crypto-exchange was founded by 2016 by Atulya Bhatt, Devesh Agarwal and Shivam Thakral. Last year, it expanded globally after it received an operating license in Estonia and has partnered with payments wallet MobiKwik allowing users to buy crypto-currencies through their credit and debit cards, MobiKwik wallet, and net banking. According to CoinGecko, the exchange processes around $3 million worth of trades on a daily basis as of date.
“We would like to assure our customers that all the transactions on our platform take place in a highly encrypted environment. Our technical team constantly conducts routine security checks to ensure that our customer data is completely secure. We are aware of the high level security threats which exists in today’s world and we continuously upgrade our software and systems to neutralize such malicious and unlawful cyberattacks,” BuyUCoin said.
BuyUCoin upgrades security standards
In an updated statement on Friday, BuyUCoin said that it is “thoroughly investigating each and every aspect of the report about malicious and unlawful cybercrime activities” that foreign entities undertook last year. The company has upgraded its security standards and has enabled a three-factor-authentication system for users’ trading accounts.
The company says that users should have a strong password and use OTPs for account verification, they should use Google’s 2FA authentication system and enable a six-digital trading pin for transaction verification. Further, every transaction on the crypto-exchange will now require an OTP verification sent to the users’ email address, it said.
“All our user’s portfolio assets are safe and sound within a secure environment. 95% of user’s funds are kept in cold storage, inaccessible to any server breach. Based on the internal investigation, we will be keeping you updated with the proceedings and conduct a major cybersecurity overhaul throughout 2021 to upgrade platform security,” the company said.
- Amid numerous scams, Indian Crypto-Currency industry readies code of conduct
- Indian crypto currency trading volumes grow 500% since March
- Crypto firms invited to participate MEITY backed accelerator program
(Updated January 22, 2021 3:05 pm. Updated with statement from BuyUCoin on upgrades to its security standards. Originally published January 22, 2021 at 11:44 am)