For just under 90 minutes last Thursday, hackers were able to compromise the systems of cryptocurrency lending platform BlockFi, and gain unauthorised access to users’ names, email addresses, dates of birth, address and activity history.
In an incident report published on its website, BlockFi was keen to stress that the hacker’s activity had been logged and as such it was “able to confirm that no funds, passwords, social security numbers, tax identification numbers, passports, licenses, bank account information, nor similar non-public identification information” had been exposed.
That’s obviously a relief, but there are still plenty of bad things that could be done by anyone maliciously-minded who came across the information that was successfully accessed by the hacker.
So, how did the hacker gain access to BlockFi?
According to the crypto-lending platform, one of its employees was targeted by criminals who conducted a SIM swap attack, hijacking control of the worker’s phone number.
SIM swap attacks (also sometimes called Port Out scams) typically see a fraudster successfully trick a cellphone operator into giving them control of a target’s phone number.
That doesn’t just mean that a fraudster will now be getting phone calls intended for the victim. They will also be receiving SMS messages – which may include the tokens that some systems send to verify that a user logging in is who they say they are.
SIM swap attacks have become more common in recent years, and as a result there has been a concerted effort by many to push for more secure methods of authentication than a token sent via an SMS message. This is something that cryptocurrency-related firms should be particularly aware of, considering the past theft of many millions of dollars.
With the BlockFi employee’s phone number under their control, the hacker was able to reset the worker’s email password, gain access to their email account, and then exfiltrate data about customers and attempt (unsuccessfully) to make unauthorised withdrawals of BlockFi clients’ funds.
BlockFi says it took rapid action, suspending the affected employee’s access to prevent further misuse, and putting “additional identity controls for all BlockFi employees” in place.
By doing this, BlockFi says it was able to prevent a second attempted attack by the hacker.
“Due to the nature of the information that was leaked, we do not believe there is any immediate risk to BlockFi clients or company funds,” says BlockFi.
I’m not sure I’d agree with that. Sure, the most sensitive information has not been stolen, but email addresses, names and addresses, dates of birth, and so on can all be leveraged by scammers and can make a phishing attack appear so much more convincing.
BlockFi’s advice for customers is to enable multi-factor authentication on their accounts to make them more difficult for a hacker to breach, and to activate a list of approved wallets to which funds can be transferred.
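The chain described above (phone number, then email password reset, then email account) can be checked for in your own account inventory. The following is an added example, not code from BlockFi or its incident report: it walks a constructed inventory and lists every account that falls once a single phone number is hijacked. The account names, the phone number and the assumption that an internal tool sends its reset link by email are all hypothetical.

```python
# Added example: constructed inventory; every account name and the phone number
# are hypothetical. Each account lists its login/reset paths; a path works when
# the attacker holds every item it requires.
ACCOUNTS = {
    "work-email": [
        {"password:work-email", "totp:work-email"},    # normal login
        {"phone:+15550100"},                           # password reset via SMS code
    ],
    "internal-tool": [
        {"password:internal-tool", "phone:+15550100"},  # login with SMS second factor
        {"account:work-email"},                         # assumed: reset link sent by email
    ],
    "payroll": [
        {"password:payroll", "hwkey:payroll"},         # hardware key, no SMS fallback
    ],
}


def blast_radius(accounts, hijacked_phone):
    """Return [(account, path_used)] for every account reachable from one hijacked number."""
    held = {f"phone:{hijacked_phone}"}   # everything the attacker controls so far
    fallen = []
    progress = True
    while progress:                      # repeat until no further account falls
        progress = False
        for name, paths in accounts.items():
            if f"account:{name}" in held:
                continue                 # already counted
            for path in paths:
                if path <= held:         # attacker holds everything this path needs
                    held.add(f"account:{name}")
                    fallen.append((name, sorted(path)))
                    progress = True
                    break
    return fallen


if __name__ == "__main__":
    for account, path in blast_radius(ACCOUNTS, "+15550100"):
        print(f"{account}: reachable via {path}")
```

Removing the SMS-only reset path from the email account empties the result, which is the practical argument for dropping SMS as a recovery factor rather than only as a login factor.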