Blockchain identity platform Fractal ID has released a postmortem report detailing the data breach the company experienced on July 14, 2024. The investigation traced the breach to credentials that had been exposed in a 2022 incident and that an employee continued to reuse.
The compromised account belonged to a long-term operator with administrative rights, which allowed the attacker to bypass Fractal ID's internal data privacy controls. Even so, the company's monitoring locked the attacker out within 29 minutes.
Root Cause of the Breach
The breach occurred because the operator failed to follow operational security policies and training, specifically by reusing credentials that had already been exposed in earlier hacks. A password that is reused across services stays exploitable for as long as it remains valid, and because the account carried administrative rights, that single credential was enough to reach user data.
On July 14, the crypto identity verification provider detected unusual activity in one of its back-office systems and quickly identified it as a malicious attack. Although the attacker was locked out within 29 minutes, data exfiltration affecting approximately 0.5% of its user base had already occurred.
Immediate Response
In response to the breach, Fractal ID disabled all accounts in the compromised system and restricted access to senior employees only. The company also announced security measures intended to prevent a recurrence, including:
- Implementing request throttling
- Applying finer-grained authorization
- Tightening monitoring of failed authentication attempts
- Enforcing stricter IP control
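The measures above are named but not described in the postmortem summary. The following is an added example, not Fractal ID's code, showing how three of them (monitoring of failed authentication attempts, request throttling, and IP control for administrative accounts) can be combined in a back-office login path. The log format, account names, threshold, window and the `198.51.100.0/24` allowlist are all assumptions for illustration; the sample log lines are constructed, not real telemetry.

```python
"""Added example (not Fractal ID's code): failed-login monitoring, throttling
and an admin IP allowlist over constructed back-office auth log lines."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Tuple

# Constructed sample log lines; the field layout is an assumption for this example.
# An unprivileged account is brute-forced from 203.0.113.7, then a privileged
# account logs in successfully from that same address (a valid, reused password).
SAMPLE_LOG = """\
2024-07-14T02:10:01Z user=svc-review ip=203.0.113.7 result=fail
2024-07-14T02:10:03Z user=svc-review ip=203.0.113.7 result=fail
2024-07-14T02:10:04Z user=svc-review ip=203.0.113.7 result=fail
2024-07-14T02:10:06Z user=svc-review ip=203.0.113.7 result=fail
2024-07-14T02:10:09Z user=svc-review ip=203.0.113.7 result=fail
2024-07-14T02:10:12Z user=svc-review ip=203.0.113.7 result=fail
2024-07-14T02:11:30Z user=analyst1 ip=198.51.100.20 result=success
2024-07-14T02:15:45Z user=ops-admin ip=203.0.113.7 result=success
2024-07-14T03:00:00Z user=analyst1 ip=198.51.100.21 result=fail
"""

ADMIN_ACCOUNTS = {"ops-admin"}                     # assumed privileged accounts
ADMIN_ALLOWLIST = [ip_network("198.51.100.0/24")]  # assumed corporate egress range
FAIL_THRESHOLD = 5                                 # failures tolerated per window
WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    ip: str
    success: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one 'timestamp key=value ...' line into an AuthEvent."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, kv["user"], kv["ip"], kv["result"] == "success")


class LoginMonitor:
    """Tracks recent failures per user and per source IP and emits alerts."""

    def __init__(self) -> None:
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.alerts: List[str] = []

    def _recent_failures(self, key: str, now: datetime) -> int:
        q = self.failures[key]
        while q and now - q[0] > WINDOW:   # drop failures outside the sliding window
            q.popleft()
        return len(q)

    def process(self, ev: AuthEvent) -> str:
        """Return 'allow', 'throttled' or 'denied' for one login attempt."""
        # IP control: privileged accounts may only authenticate from the allowlist,
        # so a correct but stolen password from elsewhere is still refused.
        if ev.user in ADMIN_ACCOUNTS and not any(ip_address(ev.ip) in n for n in ADMIN_ALLOWLIST):
            self.alerts.append(f"{ev.ts.isoformat()} admin {ev.user} from non-allowlisted ip {ev.ip}")
            return "denied"
        # Throttling: once a user or source IP has hit the failure threshold inside
        # the window, further attempts are refused before any password is checked.
        keys = (f"user:{ev.user}", f"ip:{ev.ip}")
        for key in keys:
            if self._recent_failures(key, ev.ts) >= FAIL_THRESHOLD:
                self.alerts.append(f"{ev.ts.isoformat()} throttled {key}")
                return "throttled"
        if not ev.success:                 # failed-auth monitoring: record the failure
            for key in keys:
                self.failures[key].append(ev.ts)
        return "allow"


def run(log_text: str) -> Tuple[List[str], List[str]]:
    """Replay a log and return (per-attempt decisions, alerts raised)."""
    monitor = LoginMonitor()
    decisions = [monitor.process(parse_line(line)) for line in log_text.splitlines() if line.strip()]
    return decisions, monitor.alerts


if __name__ == "__main__":
    for line in zip(SAMPLE_LOG.splitlines(), run(SAMPLE_LOG)[0]):
        print(*line)
    print(*run(SAMPLE_LOG)[1], sep="\n")
```

Note the ordering in `process`: the allowlist check runs before any password or throttle logic, so the `ops-admin` login succeeds cryptographically but is still denied because the source address is outside the assumed corporate range. That is the control that matters when, as in this incident, the attacker already holds a valid reused password and never triggers a failed-login threshold.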
Reporting and Collaboration
Fractal ID reported the breach to the relevant data protection authorities and to the cybercrime division of the Berlin police. The company also engaged cybersecurity services to monitor known data-leak sites for any distribution of the stolen data.
Data Breach Impact
The breach affected around 6,300 users, with stolen data ranging from proof-of-personhood checks to full KYC records. This included names, email addresses, phone numbers, wallet addresses, physical addresses, and images of uploaded identity documents. Fractal ID has contacted affected users directly to inform them of the breach.
Commitment to Security
Fractal ID co-founders Julian, Julio, Lluis, and Anna expressed regret over the incident and emphasized their commitment to protecting user data. They reiterated the company’s goal of transitioning toward a self-custody storage system to enhance data security.
This incident is a stark reminder of the difficulty of safeguarding identity data. In a related case, Autix10, another crypto ID provider, revealed on June 27 that its online administrative login details had been exposed; in that case, however, the attacker did not gain access to any customer data.