Crypto Trading Platform ‘BuyUcoin’ Leaked the Sensitive Data of Its Entire Userbase

  • BuyUcoin suffered an undisclosed data breach, which was the result of a hacker accessing its MongoDB backups.
  • The platform hasn’t notified the compromised users even though the exposure contained very sensitive information.
  • The potential for exploitation is wide and deep, including account takeovers, phishing attacks, and banking fraud.

Cryptocurrency investing, trading, and management platform ‘BuyUcoin’ has blundered hugely, as they failed to secure their MongoDB instance properly and had 6 GB of sensitive user details exfiltrated by hackers. In total, 350,000 cryptocurrency holders have had their full names, IFSC codes, bank account numbers, PAN numbers, email addresses, KYC details, phone numbers, wallet details, and deposit history exposed.

Weirdly, this trove of data is currently being shared on the dark web for free, so a large number of malicious actors are engaging in its exploitation.

Source: @rajaharia | Twitter

We have received the tip about this from independent security researcher Rajshekhar Rajaharia, who told us that the database was actually containing three monthly backups, ranging from June to September 2020. Thus, if you have registered to the platform at a later date, chances are you aren’t affected by this incident. For those who are, though, the implications are quite dire, as the database contains everything a malicious actor could have possibly asked for.

BuyUcoin has chosen not to disclose the data breach that resulted in this exposure, either because they didn’t realize they had a security breach or because they aren’t obliged by any laws in India (where they’re based) to disclose such events publicly. Either way, this was far from the ideal response to the incident, as people had the right to know about such a severe exposure as soon as possible.

The implications range from “simple” scamming attacks and phishing attempts to falling victim to banking fraud and impersonation actors. As for the cryptocurrency assets, this is a blurry area right now. The passwords in the database were encrypted, but we don’t know if BuyUcoin used a strong algorithm. Also, having your wallet details leaked isn’t good for security, no matter how you see it.

And as for the reason why this database is being shared for free, even though it contains such valuable information, this may have various explanations. Most likely, though, it is done by hackers who want to punish companies that choose not to disclose grave security incidents to their userbase and act unethically - even after being warned by the hackers that taking that path is futile.

Oftentimes, the ethical compass of the hackers who perform the breach is what eventually compels them to share the incident with the rest of the world, smashing the stereotype that hunts them while destroying people’s trust in the affected company.

REVIEW OVERVIEW

Latest

How to Watch MasterChef Season 12: Back to Win Online From Anywhere

MasterChef is returning for its twelfth season, which will be an all-star season where contestants will be returning for a second chance...

How to Watch The Great American Tag Sale With Martha Stewart Online From Anywhere

Are you ready to see the fabulous Martha Stewart in a great American tag sale? This new show will premiere soon, and...

How to Watch Expedition Unknown Season 10 Online From Anywhere

Discovery's 'Adventure Wednesday' lineup is back this summer, and viewers will be treated to all-new episodes of the reality television series Expedition...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari