Saturday, April 13, 2024

Crypto Loans Platform YouHodler Exposes Unencrypted Customer data that Includes Credit cards and Bank Details

Noam Rotem and Ran Locar with their research team found a database leak in YouHodler. YouHodler, A Crypto lending site offered an easy way for its users to apply for crypto-loans or turn their crypto-holdings into fiat currencies.

The breach has that more than 86 million records, including full customer names, email addresses, addresses, phone numbers, birthdays, credit card numbers, CVV numbers, complete bank details, and crypto wallet addresses in some cases, reads VPNMentor report.

YouHodler is considered to be one of the first Financial-Tech systems for customers to immediately transform their cryptographic assets to conventional currencies by using their crypto-holdings as collateral, users may also issue crypto-currency loans.

They transacted more than ten million dollars for 3500 clients, according to the YouHodler blog. The User Base of YouHodler covers over 35 nations worldwide like the United States, Canada, the United Kingdom, France and Russia are among the impacted nations.

Exposed Financial and Personal Data – YouHodler

Data included in the breach includes Full names, email addresses, Addresses, Phone numbers, Passport or ID numbers, Birthdays.

Passwords hashed with SHA-256, Credit card numbers, CVV numbers, Bank details, Crypto wallet addresses leaked due to this database breach are considered as the most valuable information.

It seems that YouHodler has stored users CVV numbers tagged them as “identity” without encrypting them. Initially, the research team was not able to get users complete card information however they got user’s BIN and last four digits of their cards. It was a small step to find the rest of the card data from the first example.

In this section, researchers found complete card number saved in plain text and its expiry date, but without a CVV number. The first example shows that researchers found all the data necessary to control the card in full, including CVV numbers.

Although the name of the cardholder is not included in any of these logs, several additional records have saved names and credit card numbers together.

An impersonator would have full ownership of a user’s credit card with full, unsecured credit card numbers, CVV digits, expiration dates, and cardholder names. This information could be used by impersonators for fraudulent activities can be used for the authentication process of user’s other accounts.

It could have severe implications for the type of information leaked from the YouHodler database. Any credit card information system that stores credit card data should take several safety measures. If YouHodler just saved the BIN and the last four digits of credit card number this would not have as much effect.

Logs found with information about user’s full name and address and with their bank details such as account number, SWIFT code, and the bank’s address as well.

It is ever dangerous to have the full address of a user, however when it’s linked to financial information the threat increases. This does not mean that users whose addresses were not disclosed are safe from theft.

A connection between a user’s wallet and their email address makes it simple to perform targeted phishing attempts for those with malicious intent.

This kind of breach also facilitates the tracking of customers using their crypto-holdings for illegal activity. Many conceal in attempt to undertake offenses behind the crypto’s anonymity and the dark web.

In addition to the direct theft and threats posed by the leak, stealing a user identity is a simple task thanks to the amount of the information contained in the database. The leaked data are capable of answering many identity verification questions.

Since a passport or ID number is also present, official documents can also be created and can be used for forgery and fraudulent activities.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.


Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles