Hacker Stole 1,000 Traders’ Personal Data From CryptoTrader.Tax

[spike420211]

A hacker has stolen data on more than 1,000 users from CryptoTrader.Tax, an online service used to calculate and file taxes on cryptocurrency trades.

The hacker broke into a CryptoTrader.Tax marketing and customer service employee’s account on a support center platform, according to a source who came across the hacker on a dark web forum. With this access, the hacker could see customers’ names, email addresses, payment processor profiles and messages sometimes containing cryptocurrency incomes.

The hacker then screengrabbed samples of this sensitive information, posted them on the forum to entice potential buyers of the data trove and sent additional pictures to the source, who shared this evidence with CoinDesk.

David Kemmerer, a co-founder and the chief executive of CryptoTrader.Tax, confirmed to CoinDesk that a hacker gained unauthorized access on April 7 to the marketing and customer service employee’s account. The hacker was able to see support center details in the materials and downloaded a file containing 13,000 rows of information, including 1,082 unique email addresses, Kemmerer said.

CryptoTrader.Tax’s security team investigated the breach and found tax filing account passwords and CryptoTrader.Tax’s website were not compromised, Kemmerer said. The team then alerted parties affected by the breach and took steps to improve security measures and monitoring systems across internal and third-party applications, Kemmerer said.

https://www.coindesk.com/hacker-cryptotrader-tax

[1715291626]

1715291626

[1715291626]

1715291626

[Sanitough]

CryptoTrader.Tax’s security team investigated the breach and found tax filing account passwords and CryptoTrader.Tax’s website were not compromised,
Kemmerer said.

How do they conclude that when the hacker successfully stole data from the website?

The team then alerted parties affected by the breach and took steps to improve security measures and monitoring systems across internal and third-party applications, Kemmerer said.

https://www.coindesk.com/hacker-cryptotrader-tax

They should improve the security measures, and investigate how this happened. Also, they have to be investigated as well if there is an inside job within the company as their information is vital, and it could put the lives of their clients at risk.

[thesmallgod]

I'm just wondering how they know the other information such as the passwords are not in custody of the hacker. It is not unbelievable to see hacker stealing information but it become worrisome when they have direct access to your account. The hacker might not compromise the password by changing it but might know the passwords. This is part of the reason why people have not supporting centralized platforms

[DdmrDdmr]

<…> How do they conclude that when the hacker successfully stole data from the website?

The article states it in the first few paragraphs:

<…> The hacker then screengrabbed samples of this sensitive information, posted them on the forum to entice potential buyers of the data trove and sent additional pictures to the source, who shared this evidence with CoinDesk. <…>

I figure that CryptoTrader.Tax had no hard time in verifying that the breach was real.

This case rings a bell (read notorious Twitter accounts used to scam recently), as the hack was allegedly performed by means of using a:

marketing and customer service employee’s account

That enabled the hacker to obtain inside information. Now how the company allowed for an external access to the system, even if the credentials were known, beats me. Nowadays, corporations can delimit external access through a range of mechanisms, which include verifying that the external device is authorised (i.e. account authorised vpn credentials + laptop authorization verification). Of course the hacker could have made the access through one of the employees devices, which would place a spotlight on who gave way for the breach to take place from his device.

[pakhitheboss]

Tax marketing and customer service employee’s account on a support center platform

Sounds more like an inside job as without the proper authorization no one can access the account of an employee or the employee was a dumb.

Other reason can be that CryptoTrader do not have the highest level of security features or firewall activated in their system.

Anyways it is big dent to their reputation and trust.

[stompix]

That enabled the hacker to obtain inside information. Now how the company allowed for an external access to the system, even if the credentials were known, beats me. Nowadays, corporations can delimit external access through a range of mechanisms, which include verifying that the external device is authorised (i.e. account authorised vpn credentials + laptop authorization verification). Of course the hacker could have made the access through one of the employees devices, which would place a spotlight on who gave way for the breach to take place from his device.

I don't think that their system or access to it was compromised when I read the "marketing" thing I'm assuming that accounts of one of the employees have been compromised and most of the times these guys pile data after data and sheets over sheets of info around with no real protection,  email is often used to share lists and even google drive. Somebody working on the newsletters, nobody doing a report on their target customers and there you have it.

The fact that no real sensitive information was confirmed leak makes me believe more in this hypothesis.

One thing that also struck me:

The co-founder of the platform, David Kemmerer, also confirmed the breach and detailed that the data were compromised on April 7.

I suppose they weren't planning on telling anyone about it.

This is part of the reason why people have not supporting centralized platforms

So, how do you imagine a decentralized platform for doing your taxes? 

[Ucy]

Maybe if they begin to get the companies/organizations compensate the victims for such hacks, others will be too scared to have such sensitive information without proper and strongest possible security measures, and the hacks will likely stop becoming frequent.
 Losing your private data to hackers is a very dangerous thing that can happen and people hardly take this seriously.

[Stedsm]

More people now will be exposed that they own cryptocurrency and might be personally targeted.

Isn't this something that was expected to happen when crypto was being expected to go mainstream? Come on, BTC is on TV ads, banners, almost everywhere and this is the security that these tax guys give? Just because of this security breach, 100s of customers have lost their privacy and will definitely be touched by government officials once their data gets leaked. No doubt they were already going the legal way by paying taxes, but how much tax, is what this company was going to deliver them with their work. I'm afraid we're all prone to hacks almost everywhere where no tight security is available (eg.; Casinos, gambling websites, lending websites, DeFi websites, etc.)

[snipie]

Tax marketing and customer service employee’s account on a support center platform

Sounds more like an inside job as without the proper authorization no one can access the account of an employee or the employee was a dumb.

Other reason can be that CryptoTrader do not have the highest level of security features or firewall activated in their system.

Anyways it is big dent to their reputation and trust.

Normally after the Twitter hack, everyone should check the system and improve its security... I don't think it is an inside job, but incompetence these days may cost companies much

[pixie85]

Tax marketing and customer service employee’s account on a support center platform

Sounds more like an inside job as without the proper authorization no one can access the account of an employee or the employee was a dumb.

Other reason can be that CryptoTrader do not have the highest level of security features or firewall activated in their system.

Anyways it is big dent to their reputation and trust.

Probably dumb. Go to any IT office and you'll see passwords and logins all over the place. Written on pieces of paper, stickers attatched to monitors. Often workstations have some easy passwords with numbers and the logins are first names of employees.

Security in 90% of corporations sucks. They have key cards for every door and security in the building but computers have minimal protection.

[figmentofmyass]

my first thought was "oh shit, what if they got tax IDs, physical addresses, and other filer info"? fortunately the breach doesn't actually look that bad.

customers’ names, email addresses, payment processor profiles and messages sometimes containing cryptocurrency incomes.

To pay for subscriptions, premium users also enter billing information into Stripe, a payment processor. Stripe is connected to CryptoTrader.Tax’s support center platform and shows customers’ email addresses and general locations, but it does not expose physical addresses or credit, debit and banking information, according to the Stripe website.

The hacker also accessed marketing communications, referral numbers, commission earnings and revenues from affiliates who promote the CryptoTrader.Tax service on websites and social media, according to the materials reviewed by CoinDesk and Kemmerer.

this is yet another reminder to use a different email address for every service though---if it gets leaked, no big deal.

One thing that also struck me:

The co-founder of the platform, David Kemmerer, also confirmed the breach and detailed that the data were compromised on April 7.

I suppose they weren't planning on telling anyone about it.

i noticed that and thought "thanks for waiting 4.5 months until the dump was found on the dark web to mention it"! but maybe they at least informed affected customers at the time. it's not 100% clear when they disclosed it:

CryptoTrader.Tax’s security team investigated the breach and found tax filing account passwords and CryptoTrader.Tax’s website were not compromised, Kemmerer said. The team then alerted parties affected by the breach and took steps to improve security measures and monitoring systems across internal and third-party applications, Kemmerer said.

[wxa7115]

I'm just wondering how they know the other information such as the passwords are not in custody of the hacker. It is not unbelievable to see hacker stealing information but it become worrisome when they have direct access to your account. The hacker might not compromise the password by changing it but might know the passwords. This is part of the reason why people have not supporting centralized platforms

The short answer is that they simply do not know it and they are just making that up, if a hacker gets access to your systems then it is not out of the realm of possibility that he was able to get access to certain information and you were not aware of it, they are saying that just to try to calm people down and try to shift the issue.

Unfortunately as governments try to make this market more centralized we are bound to see more hacks on the future and as the value of the cryptocurrencies increases then the amount stolen will keep increasing and unfortunately this will have the effect of slowing down adoption as people read about this news and think the market is insecure, when in fact centralized platforms are the ones that are insecure.

[Twentyonepaylots]

Tax marketing and customer service employee’s account on a support center platform

Sounds more like an inside job as without the proper authorization no one can access the account of an employee or the employee was a dumb.

Other reason can be that CryptoTrader do not have the highest level of security features or firewall activated in their system.

Anyways it is big dent to their reputation and trust.

Normally after the Twitter hack, everyone should check the system and improve its security... I don't think it is an inside job, but incompetence these days may cost companies much

It makes sense for a company like cryptotrader to check their security after a massive data breaching in twitter had occur however as for what I understand through reading the article there were no trace or evidence that they are breached but someone just saw it on the dark web. Does this mean that the hacker went easily to pass their security level? perhaps an inside job?

[snipie]

It makes sense for a company like cryptotrader to check their security after a massive data breaching in twitter had occur however as for what I understand through reading the article there were no trace or evidence that they are breached but someone just saw it on the dark web. Does this mean that the hacker went easily to pass their security level? perhaps an inside job?

If the hacker managed to have the credentials of an unaware employee then he can do whatever he wants without being detected likely. An inside job is possible too, although I don't tend to believe it, since I always ask what's the point of doing it and how much he will gain? Risk > benefits imo.

[btc_angela]

It makes sense for a company like cryptotrader to check their security after a massive data breaching in twitter had occur however as for what I understand through reading the article there were no trace or evidence that they are breached but someone just saw it on the dark web. Does this mean that the hacker went easily to pass their security level? perhaps an inside job?

If the hacker managed to have the credentials of an unaware employee then he can do whatever he wants without being detected likely. An inside job is possible too, although I don't tend to believe it, since I always ask what's the point of doing it and how much he will gain? Risk > benefits imo.

I also doubt that this is an inside job, usually hackers are targeting the weakest link in the chain, in this case, probably one employee who is very careless here and just clicking an external email and then boom, hackers have now access to their system using that employee's credential and then smooth sailing from then end. They could plant a backdoor as well and silently get all the necessary info and then sell it to the dark web.

[seoincorporation]

<…> How do they conclude that when the hacker successfully stole data from the website?

The article states it in the first few paragraphs:

<…> The hacker then screengrabbed samples of this sensitive information, posted them on the forum to entice potential buyers of the data trove and sent additional pictures to the source, who shared this evidence with CoinDesk. <…>

I figure that CryptoTrader.Tax had no hard time in verifying that the breach was real.

This case rings a bell (read notorious Twitter accounts used to scam recently), as the hack was allegedly performed by means of using a:

marketing and customer service employee’s account

That enabled the hacker to obtain inside information. Now how the company allowed for an external access to the system, even if the credentials were known, beats me. Nowadays, corporations can delimit external access through a range of mechanisms, which include verifying that the external device is authorised (i.e. account authorised vpn credentials + laptop authorization verification). Of course the hacker could have made the access through one of the employees devices, which would place a spotlight on who gave way for the breach to take place from his device.

First they see the hacker offering the information in the forum, after that i guess they review the security log in the server, and for sure there they see the DataBase dump... That's easy to do on linux, but the hard part of the problem is to identify the exploited vulnerability. The service can't come up again if they don't know how the attacker access...

[rexxarofmoknathal]

Tax marketing and customer service employee’s account on a support center platform

Sounds more like an inside job as without the proper authorization no one can access the account of an employee or the employee was a dumb.

I almost smell the same thing here, this might just be an non-authorization from the inside, as how else will the hacker get access to the passwords and stuff?  I even fear to think that the CryptoTrader didn't consider online attacks and got little security in place like firewall etc. This is why this is likely an attack with inside help/insight. The obvious conclusion is clear: CryptoTrader has now got some recovery to do both on clients part as well as  their own reputation

[Kelvinid]

The hackers never do the hard work and have those personal data easily because he knows it already as probably he is on the part of the company. A big question of why hackers know the password? it gives an idea that it was an inside job.

CryptoTrader.Tax’s security team investigated the breach and found tax filing account passwords and CryptoTrader.Tax’s website were not compromised, Kemmerer said. The team then alerted parties affected by the breach and took steps to improve security measures and monitoring systems across internal and third-party applications, Kemmerer said.

That would something give an idea that hackers is also familiar with the company and might one of their person.

Anyway, we only have that presumption at his time, it might be wrong or right but that is also happening in some cases.
We have to wait for another update and to know more who are/is involved in this hacking incident.

[AmoreJaz]

Tax marketing and customer service employee’s account on a support center platform

Sounds more like an inside job as without the proper authorization no one can access the account of an employee or the employee was a dumb.

Other reason can be that CryptoTrader do not have the highest level of security features or firewall activated in their system.

Anyways it is big dent to their reputation and trust.

very well it could be an inside job. remember the percentage of internal breaches is higher than other types like external, partners, multiple parties. so who knows that this security breach is because one of them decided to make his own decision? really is hard to trust your vital info these days. you'll never where it will end up to. so stay safe everybody!

[NotATether]

this is yet another reminder to use a different email address for every service though---if it gets leaked, no big deal.

And in fact this is possible, just create as many protonmail emails as you want. Though if they only stole email addresses and names then the worst they can do with it is get revenue by selling them to marketers that will send you spam offers. That would be pretty juvenile of them.

[sheenshane]

The hackers never do the hard work and have those personal data easily because he knows it already as probably he is on the part of the company. A big question of why hackers know the password? it gives an idea that it was an inside job.

This was my thought, probably the hacking incident was an inside job. How the hacker(s) know the credential info of that trading account website that easily get rid. I dont know whom or where to trust right now, it seems nowadays hackers and gettings smarter. They will do everything just to earn bucks or thousands of bucks in the evil idea.

Good thing funds are safe but the personal info might be sold in the dark web and probably for the hacking purpose. The 1,082 unique email addresses that has been compromised will might in risk, it is probably good if their users will quickly change their addresses.

[Sadlife]

That's why it's not good idea to store private keys especially with a centralized authority holding the data. If they're using Cryptocurrency, why not use Blockchain instead? Rather than, a highly vulnerable database that someone could easily gain access to.
I believe the ETH blockchain enables you to develop smart contracts tailored for your business requirements.

[dansus021]

This was something im worry about. they took email address with and some portofolio about it. what happen if this site has completed KYC and the hacker sell info about it. 


and i'm just curious why hacker keep targeting cryptocurrency site? from the twitter big exchange and now this 

[Leviathan.007]

That's exactly the reason why I hate doing KYC on any exchange. A few years ago even on binance some personal information was leaked. Using these important information gathered from a thousand of user, anyone can abuse the information and take advantage over it or even make some trouble for people. While the hackers can sell these leaked information on environments like darkweb and deepweb for monero or bitcoin. That's why I always said asking for KYC in crypto exchanges shouldn't be happen and that's against the decentralizing.

[Shasha80]

More and more platforms related to cryptocurrency are targeted by hackers, perhaps because cryptocurrency is getting more popular.
But regarding the CryptoTrader.Tax case, if we reads the chronology of events, the first possibility is that it is a weak security system,
make it easy for hackers to steal consumer personal data. Then the second possibility is the possibility of inside jobs, because there
are several strange events related to this CryptoTrader.Tax case. Whichever is the correct possibility does not matter, the most important
is the CryptoTrader.Tax improves security systems, so that incidents like this do not happen again.

[emmaglory5]

More people now will be exposed that they own cryptocurrency and might be personally targeted.

please share with us some security tips

[Bes19]

This is scary coz they might sell these identities and can be use on frauds.
Though this is not the first that this thing has ever happen in other exchanger, but they should improve their security.
Sometimes this could be an inside job but who knows eeehh

[taufik123]

This was my thought, probably the hacking incident was an inside job. How the hacker(s) know the credential info of that trading account website that easily get rid. I dont know whom or where to trust right now, it seems nowadays hackers and gettings smarter. They will do everything just to earn bucks or thousands of bucks in the evil idea.

Suspecting insider involvement in this hacking case may be an assumption that cannot be justified. There are many ways you can do to find out the credential info for a website. Maybe one of the employees was caught in a trap and then accused or clicked on the trap provided by the hacker to get important information about the CryptoTrader.Tax website. Many methods can be done.

currently there are many cases of hacks that are trending with a variety of new methods. hackers are growing, the level of security must also be developed to ward off and fight hackers.

[tbterryboy]

Lots of things are happening and these days people are not safe any longer. All these websites should always try to be very careful with their sites' security to protect their customers so that their information that they have given to the website will not fall into the wrong hands. It’s very bad that some of them are usually less concerned about issues like this until it happens to them and then they will start running up and down.

Sometimes you give your information to a website and the next thing their site gets scammed and you start getting some spam mails from those hackers to get access to your accounts. For example, I do get emails for confirming my details of my blockchain wallet but all of them from blockchain look like domains. If I do not check from where I do get mails then probably I might have lost my blockchain wallet by this time.

[molsewid]

That's the reason why I am afraid of giving my identity or other contact details to exchange websites.  Most of them required us to KYC, but their website is not yet fully secured.  I feel sorry for the victim to their 13,000 rows of information. Hackers will probably sell that or use that in illegal ways.

[Twentyonepaylots]

This was my thought, probably the hacking incident was an inside job. How the hacker(s) know the credential info of that trading account website that easily get rid. I dont know whom or where to trust right now, it seems nowadays hackers and gettings smarter. They will do everything just to earn bucks or thousands of bucks in the evil idea.

Suspecting insider involvement in this hacking case may be an assumption that cannot be justified. There are many ways you can do to find out the credential info for a website. Maybe one of the employees was caught in a trap and then accused or clicked on the trap provided by the hacker to get important information about the CryptoTrader.Tax website. Many methods can be done.

Inside job won't be out for some of us to buy this assumption since the hole was found in that area. And for an employee of a crypto related company should be wary of the whole scheme of traps in the internet, I'm skeptical about the silly situation where an employee accidentally clicked a random link. bruh.

currently there are many cases of hacks that are trending with a variety of new methods. hackers are growing, the level of security must also be developed to ward off and fight hackers.

I agree, along with the improvements of security systems the breaching methods are developing too. This is why I also doubt of crypto adoption as early as a year or two because of this stuff.

[peter0425]

This is a threat to those Crypto users that has been exposed since their Data is now compromised from this hackers.
they might be a Victim of Force to take their crypto away from them,The CryptoTraders must have a insurance towards those who had been compromised that if there something happen to their crypto asset at least they will have assurance of claiming some lost.
this is not the Peoples mistake instead it is the company that is lazy to make high security in their platform.

[taufik123]

-snip- I'm skeptical about the silly situation where an employee accidentally clicked a random link. bruh.

That possibility could be if the employee did something careless that got him into a trap.
Anyone who enters the world of the internet is at risk, even if he is an expert in the internet field.

-snip-This is why I also doubt of crypto adoption as early as a year or two because of this stuff.

The current adoption of crypto is still the pros and cons, because of the security and risks behind cryptocurrency.
Crypto still needs development, maybe in the future crypto regulation and security will increase more than it is today.

[pawanjain]

If the hacker was able to get the passwords from the stolen data then it's clear that their security was weak.
Even if someone access the database then the password should not be so easily retrieved.
Developers generally hash the passwords so that it cannot be stolen easily.
This shows how weak security the exchange had. I guess this is why the hacker chose this site for their attack.

[Lucius]

More people now will be exposed that they own cryptocurrency and might be personally targeted.

What then to say about Ledger and their data leak which compromised about 1 million user emails, and in addition for 9500 people all personal data including full name, address and phone number were stolen. When I see these only 1000 potentially vulnerable clients it seems like a drop in the ocean, of course I'm not happy that it happened - but there are a lot of worse cases that have compromised the security of crypto users.

In addition to hacking databases, it should be taken into account that our data is also subject to trade between companies - they of course always deny it, but if they are discovered they claim to have been hacked...

[Anonylz]

People's personal information keeps getting compromise every time when this platform owners fails to have a strong security, why does it feel like a deliberate act, why is it so easy this days to get hacked even though security should be a top priority.

[Lucius]

Anonylz, It is a well-known fact that humans are the weakest link in the security chain no matter how it is conceived and set up. If you have, say, a hundred employees, 99 of whom are honest and conscientious and know what they are doing - and you have one with bad intentions who has access to all databases, then all security procedures make no sense.

Take, for example, what Snowden did to one of the world's most powerful security agencies when he took a pile of confidential documents and handed them over to the media - who could have ever predicted and prevented that?

[DraGonD]

Thats why is better to not share with anyone any kind of personal data in crypto

[roadrunnerjaiv2025]

The damage doesn't seem to be that serious, but I guess we can only see that when the hacker starts using the data they stole to their advantage. I bet it wasn't the core of the company's security system that was breached but just one employee's account. I wonder if "took steps to improve security measures and monitoring systems across internal and third-party applications" also includes informing the owners of the compromized accounts and compensating those that took a huge toll from the breach.

[wxa7115]

this is yet another reminder to use a different email address for every service though---if it gets leaked, no big deal.

And in fact this is possible, just create as many protonmail emails as you want. Though if they only stole email addresses and names then the worst they can do with it is get revenue by selling them to marketers that will send you spam offers. That would be pretty juvenile of them.

While this is correct for the most part people are very lazy when it comes to their security, they prefer to use one email for every single one of their accounts and even sometimes they use the same password, I have no doubt that the hackers know this and they are trying to get access to all the accounts they got in this hack to try to steal money or even more information out of them.

And this is something that I have always found confusing, it is true that it is a little bit more of work to create more email accounts and different passwords for each one of your accounts but it is completely necessary, because in this market once you lose your coins you lose them for good with no possibility to get them back.

[yhiaali3]

This and other similar hacking incidents underscore the need to accelerate the transition to Web 3.0 or the decentralized Internet, where user data is stored on a data blockchain and it is difficult or impossible to hack this data.
Of course, this is one of the biggest disadvantages of centralization when you give your data to any central site, whether an exchange, platform, customer service, or anything, your data is in danger because the site can be hacked, as happened here, or it can be stolen by the employees on the site itself.

[AicecreaME]

This is a very dangerous scenario.

Lots of clients information were stored in their database that’s why they must protect and secure it as strictly as they can. The information and profiling of a client should not be leaked as it holds a vital role in accessing their accounts and their transactions. With this happened, the hacker can anytime use their information for wrongdoings and can possibly monitor them or steal from them.

The cryptotrader.tax should’ve prevented this from happening if only they put high and strict security measures to prevent hackers from penetrating their website database. They must really took steps to improve their security to earn their current and future customers trust again. They must look into all angles as it is possible that an inside job happened.

May this become a lesson for each companies to always maintain the strict security measures of their websites and database. A little negligence from their responsibilities can surely cost them a lot if something like this happens.

[wxa7115]

The cryptotrader.tax should’ve prevented this from happening if only they put high and strict security measures to prevent hackers from penetrating their website database. They must really took steps to improve their security to earn their current and future customers trust again. They must look into all angles as it is possible that an inside job happened.

This idea that everything can be prevented is a mistake, hackers are very smart and if needed they can wait for years in order to obtain the necessary information to make their hacks a reality, it is impossible to stop something that you do not see and hackers are experts at hiding themselves in plain sight, what this demonstrates is that the idea of giving your information to a centralized institution and relying on them to protect it is flawed.

We need to move to true decentralization in which exchanges do not ask for that kind of information that way hackers cannot steal it because they simply do not have it, but obviously many entities are against this because this limits their power.

[gabbie2010]

Thats why is better to not share with anyone any kind of personal data in crypto

Personally I think an insider must have been involved in the security breach involving cryptoTrader.Tax, he must have been responsible for sharing some important and vital documents for the hacker to gain easy access to the site so as to perpetuate the crime,  hackers are getting sophisticated in their performing the dastardly act of hacking thus exchanges and other crypto sites must ensure that their security firewall must be well fortified.
A through investigation must be made to ascertain those involved and an arrest must be made, while those culpable for the hack must be prosecuted this will serve as deterrent to other hackers.

[shoreno]

This and other similar hacking incidents underscore the need to accelerate the transition to Web 3.0 or the decentralized Internet, where user data is stored on a data blockchain and it is difficult or impossible to hack this data.
Of course, this is one of the biggest disadvantages of centralization when you give your data to any central site, whether an exchange, platform, customer service, or anything, your data is in danger because the site can be hacked, as happened here, or it can be stolen by the employees on the site itself.

that web 3.0 you said sounds cool but web decentralization can be achieve by using private internet like vpn's .

no one can trace you that way but there still a problem , what if the site is still centralized ? hackings and stealings can still occur .  i heard that many businesses are now planning to support blockchain on thier system. this step can be the only solution to solve major problems that we faced day by day .

[AniviaBtc]

I'm just wondering how they know the other information such as the passwords are not in custody of the hacker. It is not unbelievable to see hacker stealing information but it become worrisome when they have direct access to your account. The hacker might not compromise the password by changing it but might know the passwords. This is part of the reason why people have not supporting centralized platforms

But on that case that they have personal data of different users, they can steal money whenever they want. Personal information and details are very very important and shouldn't be ignored because the fate of your account is dependent on that. If they know the password of your account then it is more likely that you are the next target and you will suffer the most. Centralized platforms are somehow good but still it do have a downside. All of the things in the world have advantages and disadvantages that's why you need to deal with both. Hackers are unstoppable and unpredictable when they will act or move, so always be aware and mindful.

[verita1]

Lately we are realizing that there is vulnerability in the platforms due to the frequency of how these hackers violate the security of the systems. We need more robust websites especially in the crypto field. What remains for us is to be more attentive to the websites we visit.

[yhiaali3]

that web 3.0 you said sounds cool but web decentralization can be achieve by using private internet like vpn's .

no one can trace you that way but there still a problem , what if the site is still centralized ? hackings and stealings can still occur .  i heard that many businesses are now planning to support blockchain on thier system. this step can be the only solution to solve major problems that we faced day by day .

This is what I meant by web 3.0. I did not mean to preserve privacy by using a VPN, web 3.0 means that there should be a blockchain for the Internet so that our data is stored on the blockchain and not on the site. In this way, all data is safe and difficult to hack or steal, and also cannot be sold (By the site itself) to someone else as it happens now.

[agg2702]

I'm just wondering how they know the other information such as the passwords are not in custody of the hacker. It is not unbelievable to see hacker stealing information but it become worrisome when they have direct access to your account. The hacker might not compromise the password by changing it but might know the passwords. This is part of the reason why people have not supporting centralized platforms

Judging from the article it's only a rough conclusion because the hacker managed to get into a database where the hacker was able to view support center details in the material and download a file containing 13,000 lines of information, including 1,082 unique email addresses, Kemmerer said.
this is of course very reasonable because speculation like this must happen because basically the hacker is not likely to hack something just for fun.
besides that there must be some traces left because not all hackers play cleanly and only the pros are like that

[DdmrDdmr]

This data includes data that allows fraudsters to steal the funds of these traders?

The case is nearly a year old, but since this thread has resurfaced, it’s worth mentioning that the breached data details don’t seem to be crystal clear, although we know that over 1k emails and 13k rows of information were obtained during the hack. I’ve been looking around for further detail of the involved data fields, but came out empty handed.

It’s fair to assume that perhaps at least some specific crypto names and amounts were involved. Their software (see https[colon]//cryptotrader[dot]tax/cryptocurrency-tax-reports) also details information to generate the IRS Form 8949, which includes name and SS number, so this detail of information could have been compromised, although the claims say they weren’t:

CryptoTrader.Tax users had to enter their billing information the payment processor Stripe to pay for their subscriptions. However, Stripe assured that, while its system is connected to the hacked CryptoTrader.Tax support center platform, the link does not reveal sensitive user info such as credit, debit, and banking information as well as the physical addresses of its clients. As such, only customer email addresses and the general location was exposed by the hack.

https://tokenpost.com/More-than-1000-users-affected-in-a-cryptocurrency-tax-reporting-service-hack-5712

With the above, and assuming the limited scope, fraudsters/hackers should not have been able to directly obtain access to the crypto of those involved in the hack (it would have to involve credentials to custodial wallets, which is unlikely to be stored in this type of application; private keys are out of the question here).

Nevertheless, they could have used social engineering to try to trick/scam/blackmail/phish a few of the 1K affected by the hack. It will also depend on the time it took between the events took place (April 2020) and when they were actually communicated to those involved (general public was made aware months later, but those affected were possibly told before).

[Fortify]

A hacker has stolen data on more than 1,000 users from CryptoTrader.Tax, an online service used to calculate and file taxes on cryptocurrency trades.

The hacker broke into a CryptoTrader.Tax marketing and customer service employee’s account on a support center platform, according to a source who came across the hacker on a dark web forum. With this access, the hacker could see customers’ names, email addresses, payment processor profiles and messages sometimes containing cryptocurrency incomes.

The hacker then screengrabbed samples of this sensitive information, posted them on the forum to entice potential buyers of the data trove and sent additional pictures to the source, who shared this evidence with CoinDesk.

David Kemmerer, a co-founder and the chief executive of CryptoTrader.Tax, confirmed to CoinDesk that a hacker gained unauthorized access on April 7 to the marketing and customer service employee’s account. The hacker was able to see support center details in the materials and downloaded a file containing 13,000 rows of information, including 1,082 unique email addresses, Kemmerer said.

CryptoTrader.Tax’s security team investigated the breach and found tax filing account passwords and CryptoTrader.Tax’s website were not compromised, Kemmerer said. The team then alerted parties affected by the breach and took steps to improve security measures and monitoring systems across internal and third-party applications, Kemmerer said.

https://www.coindesk.com/hacker-cryptotrader-tax

The funny thing is that I'm unsure what the hacker will actually gain from this attack, maybe they just happened to have a vulnerability within their systems and it is sheer coincidence that they are in the cryptocurrency space. It would seem that people using the services of a cryto service with "tax" in the name are the kind of people who want to stay on the right side of the law when it comes to accurate accounting trails. I guess it could be useful for later phishing attempts or more specific targeting of owners with big holdings, but by itself it does not seem like a major risk to the people who were compromised - anyone with an ounce of sense should have unique credentials across different sites so that avenue is useless.

[mksundip]

I read the case in my opinion strange. How will the tax office know if a hacker is in there? or maybe this is one of the tactics of tax people to collect taxes from crypto traders?
For me, whatever the reason, it is wrong and violating someone's personal information

[taufik0911]

at this time we have to be really careful to store our assets because wallets on exchanges or centralized wallets can be very vulnerable to hacking
the safest way to store your cryptocurrency assets is in your own personal wallet or in a ledger
I hope everyone can be careful because there are currently a lot of exchanger hacks and phishing