Crypto Trading Platform ‘BuyUcoin’ Leaked the Sensitive Data of Its Entire Userbase

  • BuyUcoin suffered an undisclosed data breach, which was the result of a hacker accessing its MongoDB backups.
  • The platform hasn’t notified the compromised users even though the exposure contained very sensitive information.
  • The potential for exploitation is wide and deep, including account takeovers, phishing attacks, and banking fraud.

Cryptocurrency investing, trading, and management platform ‘BuyUcoin’ has blundered hugely, as they failed to secure their MongoDB instance properly and had 6 GB of sensitive user details exfiltrated by hackers. In total, 350,000 cryptocurrency holders have had their full names, IFSC codes, bank account numbers, PAN numbers, email addresses, KYC details, phone numbers, wallet details, and deposit history exposed.

Weirdly, this trove of data is currently being shared on the dark web for free, so a large number of malicious actors are engaging in its exploitation.

Source: @rajaharia | Twitter

We have received the tip about this from independent security researcher Rajshekhar Rajaharia, who told us that the database was actually containing three monthly backups, ranging from June to September 2020. Thus, if you have registered to the platform at a later date, chances are you aren’t affected by this incident. For those who are, though, the implications are quite dire, as the database contains everything a malicious actor could have possibly asked for.

BuyUcoin has chosen not to disclose the data breach that resulted in this exposure, either because they didn’t realize they had a security breach or because they aren’t obliged by any laws in India (where they’re based) to disclose such events publicly. Either way, this was far from the ideal response to the incident, as people had the right to know about such a severe exposure as soon as possible.

The implications range from “simple” scamming attacks and phishing attempts to falling victim to banking fraud and impersonation actors. As for the cryptocurrency assets, this is a blurry area right now. The passwords in the database were encrypted, but we don’t know if BuyUcoin used a strong algorithm. Also, having your wallet details leaked isn’t good for security, no matter how you see it.

And as for the reason why this database is being shared for free, even though it contains such valuable information, this may have various explanations. Most likely, though, it is done by hackers who want to punish companies that choose not to disclose grave security incidents to their userbase and act unethically - even after being warned by the hackers that taking that path is futile.

Oftentimes, the ethical compass of the hackers who perform the breach is what eventually compels them to share the incident with the rest of the world, smashing the stereotype that hunts them while destroying people’s trust in the affected company.

Latest
How to Watch Welcome to Flatch Season 2 Online From Anywhere
Welcome to Flatch is landing a new season soon, and we are happy to tell you it's super easy to stream online,...
How to Watch CSI: Vegas Season 2 Online From Anywhere
There is great excitement among CSI fans worldwide as CSI: Vegas Season 2 is finally set to premiere soon. After the success...
How to Watch Hell’s Kitchen Season 21 Online From Anywhere
Are you ready to get back into Hell's Kitchen? Gordon Ramsay is returning for the 21st season on Fox, and we're eager...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari
[class^="wpforms-"]
[class^="wpforms-"]
[class^="wpforms-"]
[class^="wpforms-"]