'BuyUCoin exchange' data breach

[Charles-Tim]

This is another users' data leak from an Indian exchange, BuyUCoin. The leak was first claimed not to happen by the exchange but turned to be true recently. Reported over 325,000 users' data were leaked, the leaked database contains sensitive information such as users’ names, phone numbers, email addresses, PAN numbers, as well as bank details such as account number, IFSC code and the type of account.

According to a report from Indian news outlet Inc42, a hacking group by the name of ShinyHunters leaked a database containing the names, phone numbers, email addresses, tax identification numbers and bank account details of more than 325,000 BuyUCoin users. However, a later report from Bleeping Computer shows the leaked data may only contain information from 161,487 BuyUCoin members.

“What if someone used my account in any illegal activity?” said Rajaharia — also a BuyUCoin user — in a follow-up tweet, calling the exchange's initial response “irresponsible.”

The data leaked contain information that can still lead to phishing attacks to BuyUCoin users, centralized exchanges are irresponsible if comes to privacy, privacy is zero (0), data breaches 99.99% chances of happening.


https://cointelegraph.com/news/breach-at-indian-exchange-buyucoin-allegedly-exposes-325k-users-personal-data
https://inc42.com/buzz/data-of-3-lakh-users-leaked-from-indian-crypto-exchange-buyucoin/
https://www.bleepingcomputer.com/news/security/data-breach-at-buyucoin-crypto-exchange-leaks-user-info-trades/
https://mobile.twitter.com/rajaharia/status/1352227184136491008

[1714207047]

1714207047

[1714207047]

1714207047

[sheenshane]

Commonly problem of a most centralized exchanger.

There's nothing to panic about if there's a BuyUcoin user here, you can simply change your password or if they are using emails they must also change this too.  Once it is breached, it easy for hackers to send emails or trying to log in and get the fund, but as an exchange said, users are protected with 2FA verification which is much better to protect their account if there is a transaction that will happen just like transferring of the fund.

Anyway, thanks for sharing here, probably users of this exchange will get alarmed too with this announcement.

[o_e_l_e_o]

There's nothing to panic about if there's a BuyUcoin user here, you can simply change your password or if they are using emails they must also change this too.

This couldn't be further from the truth. There is a huge amount to worry about.

Sure, you can change your email and passwords to prevent attacks from accessing your exchange account, but you still have the issue that your name, address, PAN (which is very similar to a social security number, and is used when applying for new financial accounts, cards, investments, etc.), bank details, and more, are now in the public domain. This is all the information and more that is needed for someone to steal your identity, to open credit cards in your name, to take out loans in your name, to commit tax fraud in your name, to commit insurance fraud in your name, to commit other crimes in your name, and so on. Your bitcoin might be safe if you change your email address and passwords, but your entire life is at risk.

I have no idea how the financial system works in India, but anyone effected by this should look in to placing a credit freeze on themselves to prevent other people taking out credit in their name. It is probably also worth reporting the leak of your data to the police so it is at least on file if problems should arise in the future.

These are the risks you take when you complete KYC anywhere.

[TimeTeller]

There's nothing to panic about if there's a BuyUcoin user here, you can simply change your password or if they are using emails they must also change this too.

This couldn't be further from the truth. There is a huge amount to worry about.

Sure, you can change your email and passwords to prevent attacks from accessing your exchange account, but you still have the issue that your name, address, PAN (which is very similar to a social security number, and is used when applying for new financial accounts, cards, investments, etc.), bank details, and more, are now in the public domain. This is all the information and more that is needed for someone to steal your identity, to open credit cards in your name, to take out loans in your name, to commit tax fraud in your name, to commit insurance fraud in your name, to commit other crimes in your name, and so on. Your bitcoin might be safe if you change your email address and passwords, but your entire life is at risk.

I have no idea how the financial system works in India, but anyone effected by this should look in to placing a credit freeze on themselves to prevent other people taking out credit in their name. It is probably also worth reporting the leak of your data to the police so it is at least on file if problems should arise in the future.

These are the risks you take when you complete KYC anywhere.

That would be the right approach on this case. Report it to authorities, so if in case, something comes up, you have your reference report.
You can't rely on just changing your email ad and password. The scammers know how to use those vital info in fraudulent activities.
So if you do really need to go thru KYC for any website, make sure the site is legit and not a fly-by-night business.

[Charles-Tim]

So if you do really need to go thru KYC for any website, make sure the site is legit and not a fly-by-night business.

But, if possible to limit the information we provide online will be good. Normally, we should even visit the legit sites rather than fake ones, because the fake sites are deadly and do more harm, and an easy way for phishing attacks. While the right sites are not perfect at all, using their negligence, centralized platforms and database to handle our data and leaking it to hackers. That is why some people should know the purpose of bitcoin is for privacy while centralized platforms are ready to compromised the privacy to hackers. Although, I just want to comment how we should limit the information we provide online and to be smart.

[libert19]

Commonly problem of a most centralized exchanger.

There's nothing to panic about if there's a BuyUcoin user here, you can simply change your password or if they are using emails they must also change this too.  Once it is breached, it easy for hackers to send emails or trying to log in and get the fund, but as an exchange said, users are protected with 2FA verification which is much better to protect their account if there is a transaction that will happen just like transferring of the fund.

Anyway, thanks for sharing here, probably users of this exchange will get alarmed too with this announcement.

I think the severity of information leaked is more of trouble here than someone trying to get into your buyucoin's account.

[DdmrDdmr]

<…>

If seems pretty dangerous for the people included in the data leak, by all means. Besides the expected set of phishing/smishing attempts in the name of any pretext, and emulating any sort of crypto related firm, there’s also the potential information to perform sim-swaps, or direct phone scams.

On top of that, bank details allow one to derive the bank entity, and depending on which entity, there’s enough information there to create an attack vector by impersonation through one of the contact channels, or redirect bills to a given bank account number.

[Lucius]

These are without a doubt golden times for all those who are primarily engaged in sending phishing messages of all types, and for those who are looking for as much information as possible about crypto users. First they got 292 000 Ledger users served on a silver platter, completely free - now another 325 000 users of this exchange - and if only 1% is naive and caught in a trap I have no doubt the losses will be significant.

I really don't know how to force companies to be more serious about storing user data, and the only thing that comes to my mind is that the authorities pass strict laws that would penalize such companies with high fines for behaving irresponsibly towards their clients. They say that this hack also contains wallet details, which means that someone could look for links between the Ledger database and this hack to connect the name and someone's balance.

[o_e_l_e_o]

I really don't know how to force companies to be more serious about storing user data, and the only thing that comes to my mind is that the authorities pass strict laws that would penalize such companies with high fines for behaving irresponsibly towards their clients.

You can perhaps correct me if I'm wrong here but wasn't there something in the EU's GDPR which allowed users who had their data leaked or breached to take legal action against the responsible company? I'm sure I remember reading something on the Ledger subreddit shortly after their hack about users who were going to take legal action against Ledger based on this legislation.

Still, hitting these companies with large fines, while it may act as a deterrent and encourage them to actually store database securely, will not prevent all hacks or leaks and does nothing to help the users who have been affected by a data breach. Regardless of what punishments are in place, you take a massive risk every time you complete KYC on any platform, regardless of how "well known" or "reputable" they are. The only safe KYC is no KYC.

[Lucius]

You can perhaps correct me if I'm wrong here but wasn't there something in the EU's GDPR which allowed users who had their data leaked or breached to take legal action against the responsible company?

Of course, there is a possibility of a lawsuit for what happened, but in order to initiate something like that, anyone who wants to go in that direction should know that such a process will not be short, easy, or cheap - and that the outcome does not have to be positive. There is something on this topic on our forum, see here.

Still, hitting these companies with large fines, while it may act as a deterrent and encourage them to actually store database securely, will not prevent all hacks or leaks and does nothing to help the users who have been affected by a data breach.

I think that a large fine would still have some result in handling the data, because maybe companies like Ledger in that case would decide to at least encrypt such databases - and when you look at how many companies have been hacked, you can't say anything else but conclude that they are very negligent when it comes to user data security. If something doesn't change in the way such data is stored, then things like this will continue to happen - and nothing will change if companies have almost no responsibility for what they do.

[o_e_l_e_o]

There is something on this topic on our forum, see here.

Yeah, that's what I was looking for. There was a lot of activity on Reddit in the week or two after the leak talking about lawsuits, but it all seems to have fizzled out. I wonder if anything will actually materialize against Ledger here.

I think that a large fine would still have some result in handling the data, because maybe companies like Ledger in that case would decide to at least encrypt such databases - and when you look at how many companies have been hacked, you can't say anything else but conclude that they are very negligent when it comes to user data security.

Yeah, that's my point. Ledger aren't the first and they definitely won't be the last crypto company to be hacked or breached for private data. It doesn't take an IT guru to suggest that confidential information should be stored encrypted and not on a public server, and yet, these databases are found wide open and unencrypted time and time again. If the financial and physical safety of their customers, as well as the blow to their own reputation and loss of revenue, is not enough to convince a company to take basic security measures, then I don't think the threat of a lawsuit or a fine will either.

These companies cannot be trusted to look after your data.

[Dave1]

As per their latest update:

UPDATED STATEMENT 22/01/2021

To whomsoever, it may concern.

Regarding the media report, we are thoroughly investigating each and every aspect of the report about malicious and unlawful cybercrime activities by foreign entities in mid-2020.

Every BuyUcoin user with active portfolios has 3FA enabled trading accounts.

All our user's portfolio assets are safe and sound within a secure environment

95% of user's funds are kept in cold storage, inaccessible to any server breach.

Here’s a list of steps made to ensure that your account remains safe -

1. Strong Password and Account OTP Verification.

2. Google 2FA Authentication ( enable from security section under profile)

3. Trading Pin ( Under the security section, you can enable trading pin a six-digit code for transaction verification)

4. Also, as an extra step every transaction requires an OTP from your email.

Based on the internal investigation, we will be keeping you updated with the proceedings and conduct a major cybersecurity overhaul throughout 2021 to upgrade platform security.

https://buyucoin.substack.com/p/official-statement-on-latest-data

Regardless if the data that the hackers got was just a dummy, or if this is just a rumor. Anyone who has an account on that exchanges should be encourage to update their password and follow this safety protocol.

[PhoenixZephyrus]

This is a very real problem with centralized exchanges like BuyUcoin, and the very reason why its ill advised to go with exchanges that force KYC.

There's nothing to panic about if there's a BuyUcoin user here, you can simply change your password or if they are using emails they must also change this too.

That is very much not true. These kind of data leaks are golden mines for phishing and other social engineering scams. A person could basically spoof being "you", and identity fraud is a very real threat, and pretty common in India. Banking phone call scams too are plenty common here. Do you know what a scammer could do with that kind of information, especially to the less tech-savvy people? And here in India, in most states, there is very little protection against these kind of cyber-security threats.

I have no idea how the financial system works in India, but anyone effected by this should look in to placing a credit freeze on themselves to prevent other people taking out credit in their name. It is probably also worth reporting the leak of your data to the police so it is at least on file if problems should arise in the future.

The cyber crime department of the police isn't really worth anything in here, so the reporting to police part probably isn't very much helpful in the sense that if you somehow screw up, the police basically tells you that you are helpless. Filing an FIR is probably helpful, but won't go much when someone knows THAT wide range of personal information about a person. You can basically ruin a life with that kind of leaked information.

[2double0]

This is the kind of reason we hate getting KYC'd for.
I wonder what will happen when these users' database goes on sale over darkweb? It will destroy the identity of many of those people who ever used this exchange and it is also a truth that many users of an exchange join it to use it once but usually go for a KYC taking into their mind that they will use it later, but never come back. What is their fault? What is customer's fault and why should they suffer?

[pakhitheboss]

Commonly problem of a most centralized exchanger.

There's nothing to panic about if there's a BuyUcoin user here, you can simply change your password or if they are using emails they must also change this too.  Once it is breached, it easy for hackers to send emails or trying to log in and get the fund, but as an exchange said, users are protected with 2FA verification which is much better to protect their account if there is a transaction that will happen just like transferring of the fund.

Anyway, thanks for sharing here, probably users of this exchange will get alarmed too with this announcement.

This is not that simple when you have sensitive bank information out and open for all scammers there will be  consequences. India does not have a concrete privacy law like other countries. Scammer and spammers are more found in India and there have been instances in the past where scammers were able to access the bank account of individuals just by having IFSC code and account number. So the situation is much more serious now then it looks like.

P.S - I do not hold any account with this exchange.

[MusaMohamed]

There's nothing to panic about if there's a BuyUcoin user here, you can simply change your password or if they are using emails they must also change this too.  Once it is breached, it easy for hackers to send emails or trying to log in and get the fund, but as an exchange said, users are protected with 2FA verification which is much better to protect their account if there is a transaction that will happen just like transferring of the fund.

2FA is a second layer of protection for exchanges and users out of steals from hackers. Unfortunately, it is not a perfect protection or prevention for all compromises. Exchanges when they are compromised can not sure their data base for users's 2FA codes will not be leaked and compromised. If hackers have access on email, passwords and 2FA codes, they can steal everything.

It can be a less risk when hackers have access on multi data base and users who carefully set 2FA for their accounts have less risks.

2FA when is used, should be 2FA applications and should not be SMS codes. Simswap attacks or sudden bans of SMS codes from governments or local telephone companies can bring troubles to exchange users. It is the fault and carelessness from users, not exchanges as they are not responsible for sudden policy changes from company or government.

Good exchanges remind users to use applicatons for 2FA, not SMS codes.

[jseverson]

-snip-

I could be wrong, but it seems like they haven't officially confirmed that the leak is actually legitimate? I checked their posts, and they haven't had any new updates.

Getting compromised is one thing, but the least they could do is warn the users who were potentially affected that they could be targets of phishing attacks/identity theft. I know they're probably doing this the way they are to avoid possible legal complications, but it's still incredibly scummy.

[o_e_l_e_o]

Filing an FIR is probably helpful, but won't go much when someone knows THAT wide range of personal information about a person.

Yeah, this looks similar to what I was referring to. Reporting to the police isn't going to change anything and they won't take any action against the exchange, but it means if a few months down the line you suddenly find yourself liable for $50,000 in debt someone has racked up in your name, you are more likely to be able to fight it.

2FA is a second layer of protection for exchanges and users out of steals from hackers

2FA does nothing to help here. I mean, obviously everyone should use app or hardware based 2FA for all their accounts, but it doesn't help protect you when the exchange has leaked all your personal information.

I know they're probably doing this the way they are to avoid possible legal complications, but it's still incredibly scummy.

The screenshots from the Twitter thread linked in OP show the leak is undoubtedly real. I wonder if they have emailed all their customers directly? As you say, very scummy to call them rumours and talk about securing trading accounts when they are obviously not rumours and trading accounts are the least of their customers' issues right now.

[MusaMohamed]

2FA is a second layer of protection for exchanges and users out of steals from hackers

2FA does nothing to help here. I mean, obviously everyone should use app or hardware based 2FA for all their accounts, but it doesn't help protect you when the exchange has leaked all your personal information.

Thank you. I said it in my post. I don't know the security mechanism of exchanges but I don't think as a company and with security experts, they will store all things at one place. Consequently, the chance for hackers to steal all data of users is small. They can hack and steal all data at one place but maybe it will not be enough.

If hackers have access on email, passwords and 2FA codes, they can steal everything.

It is similar to personal backup for exchange account as a crypto user. I don't back up my account information: email, password and 2FA code at one computer. 2FA code is saved in another computer or in my notebook. I don't save all of them in one location (in one computer or in one notebook).

[Charles-Tim]

It is similar to personal backup for exchange account as a crypto user. I don't back up my account information: email, password and 2FA code at one computer. 2FA code is saved in another computer or in my notebook. I don't save all of them in one location (in one computer or in one notebook).

Making use of password managers can help that do not connect online while it should be used also with having the backup offline on paper and protected against damages and attackers. But, it should still be noted that device backup are not safe even if offline because the processes of handling the device also matters. For example, if someone's device mistakenly install malware, there are some malware like trojan that can steal your computer's data for hackers in such a way all the information stored on it will become known, there has been a report of trojan horse that stole 2fa code and used to access the account protected by the 2fa, that is why I only prefer offline backup.

Offline backup carry great responsibility but it is still the best, triplicating it and storing it in different locations is safe. But, some people are careless and will like to use password manager, making sure it is not the type that synchronize online but completely offline, and avoiding malware on your devices like by visiting only the legit sites and careful of ads and the type of files you are downloading. Also like you commented that you have it on two devices, it can help not to lose the passwords but also a means of more chances of vulnerability.

Backup are necessary but offline ones on paper, metallic sheets and the likes are the best in my opinion but carry great responsibility.