Cryptocurrency loans platform YouHodler left millions of records containing private financial data from thousands of users exposed online, researchers found.
In a blog post, vpnMentor said its research team, led by Noam Rotem and Ran Locar, discovered a database leak as part of their web-mapping project and traced it back to YouHodler.
The data, they found, exposed comes to more then 86 million records that includes users’ names, email addresses, home addresses, phone numbers and birthdays. It gets worse. Credit card numbers, CVV numbers, bank details and crypto wallet addresses were also exposed in the data.
“The implications of this breach are extensive,” said the firm.
VpnMentor said it had contacted YouHodler on July 22, which responded a day later and fixed the issue.
YouHodler’s website indicates that it has served over 3,500 customers and provided over $10 million in loans.
In its own blog post on the breach, YouHodler claimed the exposed files “did not contain any sensitive information and no one was affected.”
The first part of that statement flies in the face of the researchers’ findings, however. Rotem and Locar provided screengrabs of the data (with portions hidden to conceal user data) that seem to back up the claim that they were able to find CCVs (top image) and card numbers (bottom image) in the logs.
The team said “The first example shows that we still found all of the details needed to take full control of the card – including CVV numbers.”
They added that, while the card holder’s name isn’t displayed in either of these logs, “numerous other records stored both names and credit card numbers together.”
The researchers further found data allowing them to link users’ names to bitcoin wallet addresses.
According to vpnMentor:
“The nature of the data that leaked from YouHodler’s database could have serious consequences. Any platform that stores credit card data should be taking several security precautions. If YouHodler only stored the BIN and last four digits of user credit cards, there wouldn’t be as much of an impact in this regard.”
YouHodler said that it “understands user data is potentially at risk of being compromised from outside the platform,” continuing:
“We do our best to prevent that from happening by implementing two-factor authentication and email verification. We are sure that all security settings are checked and renewed and there’re no vulnerabilities in our systems.”
It seems its “best” wasn’t good enough in this case.