Transak, a Miami-based fiat-to-crypto payment gateway used by Metamask, Trust Wallet, Coinbase, Ledger, among other blockchain platforms, disclosed on Monday it suffered a data breach affecting 1.14% of its users.
“We have recently identified that an attacker gained unauthorized access to one of our employee’s laptop through a sophisticated phishing attack. Using the compromised credentials, the attacker was able to log in to the system of a third-party KYC vendor that we use for document scanning and verification services,” the company explained in a blog post.
The attacker reportedly gained access to sensitive personal data, including names and other personally identifiable information (PII). However, Transak, which operates a non-custodial on-ramp, “can confirm” that no assets or “financially sensitive” data like social security numbers or credit card details was compromised.
Transak, which claims to have over 5 million users, told The Block that 92,554 users were affected. "We are reaching out to all of these users to provide clarity," CEO Sami Start said in an email. The is also working with law enforcement. "We have informed relevant data protection authorities, including the Information Commissioner’s Office (ICO) in the UK and other regulators across the EU and US, with analysis for other countries in progress."
The notorious Stormous ransomware gang has claimed responsibility for the hack, posting some of the stolen records on its site. The ring also recently disclosed it was behind the breach of Fractal ID—a decentralized identity system that provides identity verification and provisioning for Web3 projects—in July. Fractal co-founder Julian Leitloff denies Stormous was behind the hack.
Stormous claims to have stolen 300 gigabytes of data from Transak, including sensitive documents such as IDs, addresses, financial statements and selfies used during the know-your-customer onboarding process.
“Currently, there is no indication of data misuse. However, we advise affected users to remain vigilant and monitor for suspicious activity. We will reach out to affected users with advice and resources to protect themselves from potential misuse of information, including identity monitoring services,” Transak said.
Last week, Stormous claimed responsibility for another seeming exploit of Fractal ID, claiming to have obtained 12 gigabytes of the organization's data, including personal photos, bank statements, addresses and ETH/BTC addresses.
In response to onchain sleuth ZachXBT, the first to notice the association between the Fractal and Transak exploits, Leitloff said, “we've been contacted last week by some party recycling the material from August as evidence of a breach,” suggesting the stolen data is not new.
“We've nonetheless scoured our systems for evidence of something amiss and haven't seen anything off,” Leitloff said.
Both firms have hired external parties to look into the data breaches.
Editor's note (Oct. 21, 2024): Updates headline after Transak responded to a query from The Block and with a comment from Leitloff denying Stormous' involvement in the attack.
Comments (0)