Kroll data breach exposes info of FTX, BlockFi, Genesis creditors

[Potato Chips]

It's scary to think that companies out there are still relying on SMS/phone numbers for securing important employee accounts. The article did mention MFA but why bother adding SMS/phone number? and who knows what is included in their MFA.

Kroll, who is facilitating claims for insolvent companies FTX, BlockFi, and Genesis Global Holdco, has confirmed that one of its employees was the victim of a SIM-swapping attack.

Hackers stole the Kroll employee's phone number and used it to gain access to some files with personal data of bankruptcy claimants.

Of course, the employee in question was a T-mobile user. If you're a T-mobile user, I suggest looking into all the sim swap accidents they've been in lol

In a statement today, Kroll says that a threat actor on August 19 targeted a T-Mobile account belonging to a Kroll employee and managed to steal the phone number of a Kroll employee.

Genesis affected users has had the following leaked: full names, physical addresses, email addresses, and debtor claim details. FTX claims no-sensitive data has been compromised but I'm not sure I trust it.

In any case, if you submitted a claim on kroll, be extra careful with phishing scams cause it's safe to assume perps are gonna attempt it a lot.

[1714596334]

1714596334

[noorman0]

It's scary to think that companies out there are still relying on SMS/phone numbers for securing important employee accounts. The article did mention MFA but why bother adding SMS/phone number? and who knows what is included in their MFA.

By the way, the official ftx claim page also relies on SMS verification. Don't know how often claim reminders are sent to former users, recently someone got a similar email back. Just hope it's not from the Kroll hacker this time.

The ftx claims portal on Kroll is still under maintenance.

[joniboini]

This is why I don't believe projects that claim they use secure encryption or whatever to secure their customers' data. If they end using an insecure setup like this it doesn't even matter if they don't have their user's data in plain text.

Btw, I heard that SIM swap attacks are popular in the US, so how come there is no protection against them from their side?

[o_e_l_e_o]

I've said it before and I'll say it again - the only safe KYC is no KYC.

It's scary to think that companies out there are still relying on SMS/phone numbers for securing important employee accounts.

It's so incompetent it would be funny, if it wasn't so alarming. These are the entities you are entrusting your data to every time you complete KYC. Entities whose employees have so much information publicly available about them that they can be SIM swapped with ease, and who have access to your sensitive information via just their phone.

FTX claims no-sensitive data has been compromised but I'm not sure I trust it.

In what world is your full name, physical address, and how much money you were storing on these scam platforms not sensitive data? You've just made every single one of those users a target for physical attacks, especially any with a large number of coins.

Pretty laughable that they state "client funds" haven't been impacted. What funds? Everyone lost all their funds when these scam platforms collapsed, remember?

What a complete shitshow. The number of reasons you should avoid centralized exchanges continues to grow exponentially.

[Synchronice]

Of course, the employee in question was a T-mobile user. If you're a T-mobile user, I suggest looking into all the sim swap accidents they've been in lol

Of course everything happens to T-mobile but you can't deny that their servers and arrays are the most protected ones out there.
Here is the proof:

Genesis affected users has had the following leaked: full names, physical addresses, email addresses, and debtor claim details. FTX claims no-sensitive data has been compromised but I'm not sure I trust it.

In any case, if you submitted a claim on kroll, be extra careful with phishing scams cause it's safe to assume perps are gonna attempt it a lot.

There is no company that will say that sensitive data has been leaked but the real problem is that people don't care about their privacy and the fact that their identity has been leaked. All I hear from people is that: Let them have images of my document, what can they do? And how are you gonna fight against KYC when majority of people don't really care about their privacy and are willing to send their documents to anyone without hesitation? There are even scam call centers that ask people for their debit card numbers and people tell it to them.

[Darker45]

When I first read this news, I was surprised how seemingly easy it is for somebody to have unauthorized access to valuable data. I immediately thought something fishy must be going on. I suspected a planned sabotage on the claims of FTX and others is underway. Or they will use this self-inflicted breach in the future as an excuse over something they don't want to be held accountable.

I wonder how Kroll, a risk solution company that has been operating for many decades, is this lax and complacent in terms of data security. How could they even passed the standard or audit, if there is, of this kind of business with this level of security? And they're catering large financial institutions.

The reports just mentioned in passing that the "attackers bypassed MFA." Don't they feel the extreme necessity to provide details how it all happened just like that?

[o_e_l_e_o]

I wonder how Kroll, a risk solution company that has been operating for many decades, is this lax and complacent in terms of data security.

People often equate companies being large, long running, or well known as meaning these companies know what they are doing. This is not the case. The biggest tech companies in the world - Microsoft, Apple, Google, Meta, and so on - have all experienced multiple data breaches. The same is true for all the biggest centralized exchanges in the crypto space have experience multiple data breaches, and yet people do not seem to care. Why would they spend their profits on advanced security systems when they know they can get away with spending the bare minimum? As soon as you've completed KYC anywhere, your data is at risk.

The reports just mentioned in passing that the "attackers bypassed MFA." Don't they feel the extreme necessity to provide details how it all happened just like that?

If an attacker can "bypass MFA" using only a phone number, then it means their MFA was simply an SMS message, which is widely known to be the most insecure MFA method there is. They probably won't reveal any details because it will highlight just how amateurish their whole set up is.

[examplens]

People often equate companies being large, long running, or well known as meaning these companies know what they are doing. This is not the case. The biggest tech companies in the world - Microsoft, Apple, Google, Meta, and so on - have all experienced multiple data breaches. The same is true for all the biggest centralized exchanges in the crypto space have experience multiple data breaches, and yet people do not seem to care. Why would they spend their profits on advanced security systems when they know they can get away with spending the bare minimum? As soon as you've completed KYC anywhere, your data is at risk.

I'm pretty sure that the majority of cases with compromised user data do not happen due to hacks or similar unauthorized security breaches. It is much worse for the company's reputation and trust if it happened because they sold data, regardless of whether it was planned or just some disgruntled employee did it.
Why would any company keep online KYC data, despite all the security protocols?

I would draw a parallel with the popular excuse for exchanges, where they went bankrupt as a result of the hack, and the truth is that they just wanted to leave with the money and declare bankruptcy. A great way to accuse an unknown person-s of your "mistakes".

[Yamane_Keto]

a simple SIM-swapping attack led to move sensitive data to a third party, and this data is full names, physical addresses, email addresses, which were not encrypted or there was a single point of failure. I don't believe that. This either indicates a lack of care, or that they wanted to leak that data (or lost it for some reason) and now they are blaming one of the employees.

In any case, a lawsuit can easily be filed against them accusing them of negligence in saving user data, but it is better to try to reduce the data you give to any third party, especially if the servers are outside your country.

I began to feel that hacking large institutions is becoming easier day after day, or that they do not care about that.

[mk4]

Btw, I heard that SIM swap attacks are popular in the US, so how come there is no protection against them from their side?

Yes — it seems to be happening at least mostly in the US(most of not all the news I've read has been in the US). I don't think it's necessarily because there's no protection — it's more of the fact that most employees are probably untrained for this type of social engineering attack. I know it's a hassle, but these telecom companies should probably require the user to show up in person to be able to do a sim swap.

[o_e_l_e_o]

I'm pretty sure that the majority of cases with compromised user data do not happen due to hacks or similar unauthorized security breaches. It is much worse for the company's reputation and trust if it happened because they sold data, regardless of whether it was planned or just some disgruntled employee did it.

Does it matter, though? Many of the big exchanges sell data too. Coinbase for example admitted they were selling sensitive user information to third parties without the users' knowledge or consent. Did it affect them in the slightest? Binance were hacked for thousands of users' worth of KYC data. Did it affect them in the slightest? These exchanges can do anything they like with your data and people simply don't care.

Why would any company keep online KYC data, despite all the security protocols?

Because it's cheap, and as above, they don't need to waste their money on proper security because they know their users will suck it up when their data is inevitably leaked.

I don't think it's necessarily because there's no protection — it's more of the fact that most employees are probably untrained for this type of social engineering attack.

Add in that 90% of the population voluntarily share enough information about their lives across multiple social media platforms to make social engineering now trivially easy.

[bbc.reporter]

I've said it before and I'll say it again - the only safe KYC is no KYC.

It's scary to think that companies out there are still relying on SMS/phone numbers for securing important employee accounts.

It's so incompetent it would be funny, if it wasn't so alarming. These are the entities you are entrusting your data to every time you complete KYC. Entities whose employees have so much information publicly available about them that they can be SIM swapped with ease, and who have access to your sensitive information via just their phone.

FTX claims no-sensitive data has been compromised but I'm not sure I trust it.

In what world is your full name, physical address, and how much money you were storing on these scam platforms not sensitive data? You've just made every single one of those users a target for physical attacks, especially any with a large number of coins.

Pretty laughable that they state "client funds" haven't been impacted. What funds? Everyone lost all their funds when these scam platforms collapsed, remember?

What a complete shitshow. The number of reasons you should avoid centralized exchanges continues to grow exponentially.

Also, if anyone of you has shared your affiliate link and pnl card, you will be exposing your real identity because FTX links use your account ID. Hackers can link your social media and forum accounts to your FTX account and real identity.

[rdluffy]

I was one of those whose FTX account was blocked because of this leak, yesterday and today I've already received 3 emails from mail@networkforgood.com:



Be careful guys
They probably got the emails from this leak

[TryNinja]

I was one of those whose FTX account was blocked because of this leak, yesterday and today I've already received 3 emails from mail@networkforgood.com:

-img-

Be careful guys
They probably got the emails from this leak

I also got one from the same sender (mail@networkforgood), but pretending to be BlockFi instead of FTX.



My FTX account wasn't blocked, so I don't think it got leaked?

[Rikafip]

My FTX account wasn't blocked, so I don't think it got leaked?

Afaik, anyone who has FTX account and submitted claim via Kroll got his info leaked, therefore started getting these phishing emails few days ago (at least based on experience of couple of people I know) after the news that debtors could get part of their deposit back during Q2 2024.

[Z-tight]

Be careful guys
They probably got the emails from this leak

Yes, that is surely where they got the email addresses of customers', with every data breach or leak, there is always a wave of phishing attacks that follow. This data breach occurred sometime in August, and if it is true that customers only started receiving phishing attacks this month, could it be that the attackers were careful not to start the attack when the news of this breach was still fresh in people's minds?

People should be careful so they don't lose more money in addition to what they lost in these collapsed services.

[rdluffy]

I also got one from the same sender (mail@networkforgood), but pretending to be BlockFi instead of FTX.

...

My FTX account wasn't blocked, so I don't think it got leaked?

I thought that only those whose accounts had been blocked by FTX had received this e-mail, because the data had been leaked. Now I have some doubts...

Afaik, anyone who has FTX account and submitted claim via Kroll got his info leaked, therefore started getting these phishing emails few days ago (at least based on experience of couple of people I know) after the news that debtors could get part of their deposit back during Q2 2024.

They may all have their emails leaked after all 

Yes, that is surely where they got the email addresses of customers', with every data breach or leak, there is always a wave of phishing attacks that follow. This data breach occurred sometime in August, and if it is true that customers only started receiving phishing attacks this month, could it be that the attackers were careful not to start the attack when the news of this breach was still fresh in people's minds?

People should be careful so they don't lose more money in addition to what they lost in these collapsed services.

It's probably what Rikafip already mentioned, after the news came out that FTX is submitting a document to pay users in 2024, they released these emails to try and fool someone

[mescalito]

Currently messages from mail@flocknote.com linking cases-kroll.com are coming 

[TryNinja]

Currently messages from mail@flocknote.com linking cases-kroll.com are coming 

Just got another email (this is the second). Didn't get automatically marked as spam by Gmail, so straight to my email box.

Urgent Notice <mail@flocknote.com>

Dear Interest Account Clients,

We are excited to announce to our customers the ability to withdraw their assets from our platform has been re-opened for the next 24 hours.
Any assets not withdrawn before the deadline will be accessible in the upcoming months.

Initiate Withdrawal

If you have any questions, please contact Kroll through the following channels:
Email: blockfiinfo@ra.kroll.com
Website: https://restructuring.ra.kroll.com/blockfi
 
Sent by BIA Alerts

Sent through https://flocknote.com