Led by Noam Rotem and Ran Locar, our research team discovered a database leak in YouHodler’s system. The platform makes it easy for users to request crypto-loans or to convert their crypto-holdings to fiat currencies. The breach exposed a huge amount of data. There were over 86 million records that included users’ full names, email addresses, addresses, phone numbers, birthdays, credit card numbers, CVV numbers, full bank details, and in some cases crypto wallet addresses. The implications of this breach are extensive. We contacted YouHodler on July 22. YouHodler responded on July 23 and subsequently closed the breach.
Examples of Entries in the Database
YouHodler is considered one of the first FinTech platforms that help users convert their crypto holdings into conventional currencies, instantly. Users can also take out cryptocurrency loans by putting up their current crypto-holdings as collateral. According to the YouHodler website, they’ve processed more than $10 million in transactions for 3500 customers. YouHodler’s user base spans more than 35 countries globally. Some of the countries affected include the United States, Canada, the UK, France, and Russia. Data included in the breach:
- Full names
- Email addresses
- Addresses
- Phone numbers
- Passport or ID numbers
- Birthdays
- Passwords hashed with SHA-256
- Credit card numbers
- CVV numbers
- Bank details
- Crypto wallet addresses
In our first example, we discovered YouHodler is storing users’ CVV numbers, tagged as “identity.” Furthermore, these numbers were entirely unencrypted. Here, we don’t have the user’s full card information, only the BIN and the last four digits. However, the rest of the user’s card data was easy to find.
It was a small leap from the first example to find the remainder of this user’s card data. Here, we found the card number in full, stored in plain text as well as the expiration date, but without the CVV number. However, the first example shows that we still found all of the details needed to take full control of the card - including CVV numbers. Though the card holder’s name isn’t in either of these logs, numerous other records stored both names and credit card numbers together.
In this log, we have the user’s full name and address, in addition to all of their bank details. This includes their account number, SWIFT code, and the bank’s address as well. The data for this user was even more extensive, however.
It was simple to link the account above to the Bitcoin wallet address. While the contents of crypto-wallets are publicly available, they are purposely anonymous. Linking a name and address to a wallet could have serious consequences.
YouHodler does store password data, but as a SHA-256 hash rather than in plain text. SHA-256 is a one-way hashing algorithm, not reversible encryption, so the stored value cannot simply be decoded back into the password, and it is difficult to break. How well the hashes hold up against offline guessing also depends on whether they were salted and on the strength of the users' passwords, neither of which is visible in the logs. We also see the user’s email address here, which was present in a variety of different logs.
We also discovered a series of logs that included users’ full names, birthdays, nationalities, as well as a number that appeared to be a passport or ID number.
This particular record indicates that the user comes from Egypt.
This log shows that YouHodler is also storing customer phone numbers.
This links a single user with all of their crypto-wallets. Even without user data directly connected to every single one of these wallet addresses, this single log could expose all of a user’s crypto-holdings.
Data Breach Impact
The nature of the data that leaked from YouHodler’s database could have serious consequences. Any platform that stores credit card data should be taking several security precautions. If YouHodler only stored the BIN and last four digits of user credit cards, there wouldn’t be as much of an impact in this regard. However, with full, unencrypted credit card numbers, CVV numbers, expiration dates, and cardholder names, a bad actor would have complete control over a user’s credit card. Furthermore, storing CVV numbers is a violation of the PCI regulations imposed by credit card companies. This card data could be used to run up fraudulent charges and as a means of authentication for other accounts that belong to the user.

It’s always dangerous to have a user’s full address; however, the threat increases when it’s connected to their financial information. Thieves would have more cause to target users who have a more significant sum in their crypto-holdings. They could also use the bank information present to choose wealthy targets for a variety of in-person attacks. For users who didn’t have their addresses exposed, this doesn’t mean that they’re safe from theft. A connection between a user’s wallet and their email address makes it easy for those with malicious intent to execute targeted phishing attempts.

Though most governments have their own means for uncovering crypto-users who are hiding their assets, this data breach could be another channel for discovery. Because enough logs link users to their wallets, governments can use this information to see if these users have unpaid taxes on their crypto holdings. Attaching users to their crypto-wallets can have more dangerous consequences, however. Some governments, such as Egypt, have explicitly banned cryptocurrencies. We found clear examples in the data of YouHodler users from Egypt. A breach of this sort also makes it easier to track users who use their crypto-holdings for illegal activities.
Many hide behind the anonymity of crypto and the dark web in order to commit crimes. It does take a higher level of technical knowledge; however, this leak could give those with the know-how the information they need to expose these crimes. In addition to the direct theft and threats that are possible as a consequence of this leak, the amount of information included in the database makes stealing a user’s identity a simple task. A lot of identity verification questions can be answered from the leaked data. Since some sort of passport or ID number was also present, it’s also possible to forge official documents. Lastly, if a user were involved in a lawsuit that requires a division of assets, the outcome would be drastically different if their crypto assets were discovered.
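The impact section above makes two concrete points about cardholder data: retaining a CVV after authorization is not permitted under PCI, and a record that keeps only the BIN and last four digits of a card number is far less damaging if it leaks. The following is an added example written for this report, not code from vpnMentor or YouHodler. It shows a small audit routine a defender could run over exported records to flag full card numbers (validated with the Luhn check) and retained CVV fields, together with a minimization routine that drops the CVV and truncates the PAN to BIN plus last four. The sample records are constructed; the card number is the widely used 4111 1111 1111 1111 test number, and the field names ("identity", "cvv", "bank_swift") are assumptions modelled on the examples described in the report.

```python
import re
from typing import Dict, List

# Constructed sample records mimicking the kinds of fields described above.
# The card number is a standard test number, not real cardholder data.
SAMPLE_RECORDS: List[Dict] = [
    {"id": 1, "identity": "4111111111111111", "cvv": "123", "exp": "12/24"},
    {"id": 2, "identity": "411111******1111"},          # already truncated
    {"id": 3, "name": "Example User", "email": "user@example.com",
     "bank_swift": "DEUTDEFF"},                        # no card data at all
]

PAN_RE = re.compile(r"\b\d{13,19}\b")                  # payment card numbers are 13-19 digits
CVV_KEYS = {"cvv", "cvc", "cvv2", "security_code"}     # assumed field names for the card security code


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cardholder_data(record: Dict) -> List[str]:
    """Return one finding per field that holds a full PAN or a retained CVV in the clear."""
    findings = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        if key.lower() in CVV_KEYS and value.strip():
            findings.append(f"{key}: CVV stored (must not be retained after authorization)")
        for m in PAN_RE.finditer(value):
            if luhn_valid(m.group()):
                findings.append(f"{key}: full PAN in plaintext")
    return findings


def redact_pan(pan: str) -> str:
    """Keep only the BIN (first six) and last four digits, masking the rest."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def minimize_record(record: Dict) -> Dict:
    """Drop CVV fields entirely and truncate any full PAN found in string fields."""
    out = {}
    for key, value in record.items():
        if key.lower() in CVV_KEYS:
            continue                                   # the CVV is never kept
        if isinstance(value, str):
            value = PAN_RE.sub(
                lambda m: redact_pan(m.group()) if luhn_valid(m.group()) else m.group(),
                value,
            )
        out[key] = value
    return out


def audit(records: List[Dict]) -> Dict[int, List[str]]:
    """Map record id to its findings, omitting records that are clean."""
    return {r["id"]: f for r in records if (f := find_cardholder_data(r))}


if __name__ == "__main__":
    for rid, findings in audit(SAMPLE_RECORDS).items():
        print(f"record {rid}:")
        for f in findings:
            print("  -", f)
    print("minimized:", minimize_record(SAMPLE_RECORDS[0]))
```

Running the audit over the constructed records flags only record 1 (full PAN plus a retained CVV); the already-truncated record 2 and the bank-only record 3 produce no findings. Minimizing record 1 yields the same BIN-plus-last-four form as record 2 and drops the CVV field, which is the shape a stored card reference should take if it has to be kept at all.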
Advice from the Experts
YouHodler could have prevented a data breach of this sort with several basic security measures. The following tips are the beginning steps to avoid or patch a leak in a database. For a more in-depth guide on how to protect your business, check out how to secure your website and online database from hackers.
How We Discovered the Breach
We found the leak in YouHodler’s database as part of our web-mapping project. Ran and Noam examine ports to find known IP blocks. Once they’ve discovered IP blocks, they look for holes in the system that would indicate an open database. Using their technical expertise, they can confirm the identity of a leak to trace the data back to its owner. Our research team could have downloaded and sold the data exposed in this breach at massive personal gain. However, as ethical hackers and researchers, we believe that benefiting from a data breach is unethical. That’s why we notify the database’s owner and, where possible, the people who have been affected. Our goal with this project is to create a safer and more secure internet for all users.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data. We recently discovered a massive data breach impacting 78 thousand patients taking Vascepa. We also revealed that Orvibo Smart Home systems were leaking billions of sensitive user records. You may also want to read our VPN Leak Report and Data Privacy Stats Report.