Security researchers Noam Rotem and Ran Locar discovered that YouHodler exposed thousands of pieces of financial information without users knowing. The research team found the database leak as part of its web-mapping project.
YouHodler is a cryptocurrency lending platform that claims to have served over 3,500 customers. It also claims to have provided more than $10 million in loans to its customers.
According to a report published by TechCrunch, the YouHodler database contained 86 million records. The researchers revealed that the leak stemmed from the company’s failure to password-protect its server. Rotem and Locar’s research team also discovered computer logs and commands as well as user histories and interactions.
Aside from the user histories, personal user information such as customer names, credit card numbers, and expiry dates remained unencrypted. Other compromised information available to hackers included credit verification numbers, addresses, bank accounts, transaction amounts, and SWIFT codes.
The team also revealed that the unencrypted data contained some phone numbers and passport information. Birthdays, nationalities, crypto wallet addresses, and ID numbers also remained visible during the breach. Based on the findings of Rotem and Locar, countries affected include Canada, France, Russia, the UK, and the United States.
In total, the database housed more than 86 million records from the data lending firm. This includes records from successful transactions or loan approvals.
TechCrunch says the researchers found that “information included in the database makes stealing a user’s identity a simple task.” However, in vpnMentor’s own blog post, the researchers revealed that despite the massive error by YouHodler, “no one was affected.”
vpnMentor states that it contacted YouHodler immediately, on July 22, 2019. CoinDesk notes that the company replied a day later, on July 23, 2019. The company also proceeded to fix the issue.
Without the immediate action of the cryptocurrency platform, researchers believe the unencrypted server could have resulted in “serious consequence” for customers.
CoinDesk reports that the crypto lending startup issued a statement regarding the issue. It said that it “understands user data is potentially at risk of being compromised from outside the platform.” Following this, the company implemented two-factor authentication and email verification to ensure “there’re no vulnerabilities in our systems.”
TechCrunch reached out to the crypto startup’s chief executive officer, Ilya Volkov, for a follow-up statement about the incident. However, the news site states that the company did not reach out with further comments regarding the issue.