Gemini allegedly hacked, 5.7 million emails leaked

[Rikafip]

As the title said, (allegedly) yet another exchange got hacked, this time "only" emails and partial phone numbers got leaked. All those having accounts there, get ready for phishing emails.

Cryptocurrency exchange Gemini appears to have suffered a data breach on or before Dec. 13. According to documents obtained by Cointelegraph, hackers gained access to 5,701,649 lines of information pertaining to customers’ account numbers, email addresses and partial phone numbers. In the case of the latter, hackers apparently did not gain access to the full phone numbers, as certain numeric digits were obfuscated.

The leaked database did not include sensitive personal information such as names, addresses and other Know Your Customer information. In addition, some emails were repeated in the document; thus, the number of customers affected is likely lower than the total rows of information.

[Oshosondy]

Not to the point that identity documents are leaked, but which is very possible and would be a threat because people whose identity information are stolen could be worried about physical attacks.

If only email is leaked, avoiding phishing attack is enough.

I am always wondering what kind of encryption exchanges are using to protect their customers information that still hackers were able to get to users data.

[dkbit98]

As the title said, (allegedly) yet another exchange got hacked, this time "only" emails and partial phone numbers got leaked. All those having accounts there, get ready for phishing emails.

Some people would think that someone is sponsoring and paying this hackers to specifically target crypto exchanges.
I think that Gemini exchange is mostly oriented towards US and North America customers and they won't be happy about this leak, maybe we could expect new wave of lawsuits if they get tricked with some phishing scam, or if they start receiving calls and sms messages.

[hugeblack]

Why is it that when the email is stored, several characters are encrypted exactly as they did with the phone numbers? If this matter succeeded with the phone numbers, then it will work with the emails.

And are there any guarantees that the rest of the data is safe or will be destroyed, since they do not need to keep the identity verification data, but rather just compare it, as such data cannot be modified.

Personally, I see that the platform shared the data with a third party and relies on the topic of hacking to justify when that data found from a third party, as it would be easy to say that it was purchased from the black market.

[The Cryptovator]

God saved that funds were not hacked and that users were not affected financially in any way. However, receiving a Phishing mail campaign will be inconvenient for us. Few people would fall for the scammers' trap. I frequently receive this type of email but simply mark it as spam. However, funds were not stolen; if an accident occurred on the market again, we would have to suffer again. There is already a lot of drama in the crypto markets.

[JeromeTash]

Not to the point that identity documents are leaked, but which is very possible and would be a threat because people whose identity information are stolen could be worried about physical attacks.

We can really never tell how much data was leaked. Only the Gemini folks know

I am always wondering what kind of encryption exchanges are using to protect their customers information that still hackers were able to get to users data.

Like one of the sayings goes, "no system is 100% secure from attacks"

Personally, I see that the platform shared the data with a third party and relies on the topic of hacking to justify when that data found from a third party, as it would be easy to say that it was purchased from the black market.

Similar to the excuse Binance used when their customer data leaked

[The Sceptical Chymist]

Not to the point that identity documents are leaked, but which is very possible and would be a threat because people whose identity information are stolen could be worried about physical attacks.

That's certainly possible, though I've never read or heard about owners of cryptocurrency having their houses broken into because of it.  It's a big risk for a number of reasons if you're a thief, much bigger than trying to just break into a house to steal cash and physical valuables. 

At least on the bright side no coins were hacked (though I'd hate to have my personal data stolen, too).  Gemini obviously needs to beef up its customers' data security, but I'm guessing the hackers tried to get access to crypto as well and weren't able to because of Gemini's safekeeping methods.  Yay?

I'm sure this isn't the last time we'll be reading about one of these data hacks.  Even enormous corporations like Sony and Target have been successfully hacked.

[noorman0]

We can really never tell how much data was leaked. Only the Gemini folks know

Exactly, only to reduce user panic a few sentences in the report can be omitted.

Just an assumption. I don't know how many types of databases Gemini has, just looking at the associated hacked data types I think it's a special database for users logging in to the Gemini interface. However I didn't find the phone number request as an optional login method. It is quite possible to say that the data leak is from a database that also contains information on all user data.

[coin-investor]

As the title said, (allegedly) yet another exchange got hacked, this time "only" emails and partial phone numbers got leaked. All those having accounts there, get ready for phishing emails.

Cryptocurrency exchange Gemini appears to have suffered a data breach on or before Dec. 13. According to documents obtained by Cointelegraph, hackers gained access to 5,701,649 lines of information pertaining to customers’ account numbers, email addresses and partial phone numbers. In the case of the latter, hackers apparently did not gain access to the full phone numbers, as certain numeric digits were obfuscated.

The leaked database did not include sensitive personal information such as names, addresses and other Know Your Customer information. In addition, some emails were repeated in the document; thus, the number of customers affected is likely lower than the total rows of information.

I don't want to call it good but it's still good that important information is not included those Gemini account holders should be ready to receive scam and spam emails this is why with so much hacking going on I prefer to hide my main email and only use emails specifically for exchanges, trading and other subscriptions and am I very quick to hit the spam button even if the title of the email is very tempting to open.

[rat03gopoh]

I don't want to call it good but it's still good that important information is not included those Gemini account holders should be ready to receive scam and spam emails this is why with so much hacking going on I prefer to hide my main email and only use emails specifically for exchanges, trading and other subscriptions and am I very quick to hit the spam button even if the title of the email is very tempting to open.

Attempts at scam aren't only about offers that don't make sense, what I think is more dangerous are attempts at impersonation, which in this case refers to exchange support. This leaked data was clearly used to sign up for Gemini, where scammers can pretend to know a user's email or phone number by simply asking for their user ID.

[m2017]

It seems that need to stay as far away from centralized exchanges as possible. They will steal not only your money, but also personal data. What will be stolen next?

If exchanges can't ensure the safety of data (not to mention deposits) of their users, then what right do they have to demand KYCs and other nonsense?

Of course, there is no question of compensation for users. But someone will definitely succumb to phishing tricks and suffer. Now it will be the problem of the users themselves, and not the exchange, although it is known who is to blame.

[TimeTeller]

It seems that need to stay as far away from centralized exchanges as possible. They will steal not only your money, but also personal data. What will be stolen next?

If exchanges can't ensure the safety of data (not to mention deposits) of their users, then what right do they have to demand KYCs and other nonsense?

Of course, there is no question of compensation for users. But someone will definitely succumb to phishing tricks and suffer. Now it will be the problem of the users themselves, and not the exchange, although it is known who is to blame.

I hope only limited info was leaked as I do have account in Gemini.
If partial part of phone numbers are acquired, then these hackers can't get in as there's 2FA auth that they will send you via your number.
So more than likely, you may very well receive phishing emails if they got a hold of this email list.
They also asked for KYC details such as valid ID so hopefully the site has their security protocols in place.
Using this platform because of BAT that you earned from Brave Browser.
So I guess a lot are indeed using this exchange not only because of this BAT earnings.

[DaveF]

Minor point, but it was not Gemini itself but a 3rd party vendor.

Makes you wonder if this is from Gemini Earn / Genesis Global Capital and with everything going on with the lawsuit and digging through data / records something was either found then or during the process something was left unsecured.

Sadly, this happens too often and it either takes months and months to find out who had the actual breach. In the end it does not matter since the data was entrusted to Gemini.
BUT, the other side is that if the 3rd party had Gemini's user data, who else did they deal with and was that data compromised.

-Dave

[NotATether]

Minor point, but it was not Gemini itself but a 3rd party vendor.

It's a big deal.

I had not signed up with them so I wasn't affected, but people should use email-hiding services such as SimpleLogin to hide your real email address behind a burner, to sign up for financial websites. It helps prevent your real email being leaked like that.

The only issue is that some services ban these kind of addresses (why??)

[DaveF]

Minor point, but it was not Gemini itself but a 3rd party vendor.

It's a big deal.

I had not signed up with them so I wasn't affected, but people should use email-hiding services such as SimpleLogin to hide your real email address behind a burner, to sign up for financial websites. It helps prevent your real email being leaked like that.

The only issue is that some services ban these kind of addresses (why??)

I'm going with their lawyers / liability people told them to.
With things that involve money I can see someone wanting to at least appear to be keeping tabs on people who sign up.
It's all BS, but it makes it look good. I can get a domain for under $5.00 / year and have email forwarding to someplace else in 10 minutes, so it's all really moot.

EDIT:
Wonder if this is related or not: https://www.cointracker.io/blog/sendgrid-data-breach

Sendgrid has been and looks like it will continue to be a shitshow being hacked / compromised multiple times.

-Dave

[Flexystar]

That’s bad news but good example one more time. Keep your data safe people, keep it away from the exchangers and almost any projects that are asking for the KYC done so that we can have XYZ limits, this action that action etc. These people are making the rules in such way that we have to do the KYC all the time. It’s far better if we just keep our coins in the wallet and only use exchangers whenever really necessary to do so. In fact it’s not even needed if we do peer to peer approach all the time.