Topic: Hacker Stole 1,000 Traders’ Personal Data From CryptoTrader.Tax (Read 625 times)

at this time we have to be really careful to store our assets because wallets on exchanges or centralized wallets can be very vulnerable to hacking
the safest way to store your cryptocurrency assets is in your own personal wallet or in a ledger
I hope everyone can be careful because there are currently a lot of exchanger hacks and phishing

I read the case in my opinion strange. How will the tax office know if a hacker is in there? or maybe this is one of the tactics of tax people to collect taxes from crypto traders?
For me, whatever the reason, it is wrong and violating someone's personal information

The funny thing is that I'm unsure what the hacker will actually gain from this attack, maybe they just happened to have a vulnerability within their systems and it is sheer coincidence that they are in the cryptocurrency space. It would seem that people using the services of a cryto service with "tax" in the name are the kind of people who want to stay on the right side of the law when it comes to accurate accounting trails. I guess it could be useful for later phishing attempts or more specific targeting of owners with big holdings, but by itself it does not seem like a major risk to the people who were compromised - anyone with an ounce of sense should have unique credentials across different sites so that avenue is useless.

The case is nearly a year old, but since this thread has resurfaced, it’s worth mentioning that the breached data details don’t seem to be crystal clear, although we know that over 1k emails and 13k rows of information were obtained during the hack. I’ve been looking around for further detail of the involved data fields, but came out empty handed.

It’s fair to assume that perhaps at least some specific crypto names and amounts were involved. Their software (see https[colon]//cryptotrader[dot]tax/cryptocurrency-tax-reports) also details information to generate the IRS Form 8949, which includes name and SS number, so this detail of information could have been compromised, although the claims say they weren’t:

https://tokenpost.com/More-than-1000-users-affected-in-a-cryptocurrency-tax-reporting-service-hack-5712

With the above, and assuming the limited scope, fraudsters/hackers should not have been able to directly obtain access to the crypto of those involved in the hack (it would have to involve credentials to custodial wallets, which is unlikely to be stored in this type of application; private keys are out of the question here).

Nevertheless, they could have used social engineering to try to trick/scam/blackmail/phish a few of the 1K affected by the hack. It will also depend on the time it took between the events took place (April 2020) and when they were actually communicated to those involved (general public was made aware months later, but those affected were possibly told before).

Judging from the article it's only a rough conclusion because the hacker managed to get into a database where the hacker was able to view support center details in the material and download a file containing 13,000 lines of information, including 1,082 unique email addresses, Kemmerer said.
this is of course very reasonable because speculation like this must happen because basically the hacker is not likely to hack something just for fun.
besides that there must be some traces left because not all hackers play cleanly and only the pros are like that

This is what I meant by web 3.0. I did not mean to preserve privacy by using a VPN, web 3.0 means that there should be a blockchain for the Internet so that our data is stored on the blockchain and not on the site. In this way, all data is safe and difficult to hack or steal, and also cannot be sold (By the site itself) to someone else as it happens now.

Lately we are realizing that there is vulnerability in the platforms due to the frequency of how these hackers violate the security of the systems. We need more robust websites especially in the crypto field. What remains for us is to be more attentive to the websites we visit.

But on that case that they have personal data of different users, they can steal money whenever they want. Personal information and details are very very important and shouldn't be ignored because the fate of your account is dependent on that. If they know the password of your account then it is more likely that you are the next target and you will suffer the most. Centralized platforms are somehow good but still it do have a downside. All of the things in the world have advantages and disadvantages that's why you need to deal with both. Hackers are unstoppable and unpredictable when they will act or move, so always be aware and mindful.

that web 3.0 you said sounds cool but web decentralization can be achieve by using private internet like vpn's .

no one can trace you that way but there still a problem , what if the site is still centralized ? hackings and stealings can still occur .  i heard that many businesses are now planning to support blockchain on thier system. this step can be the only solution to solve major problems that we faced day by day .

Personally I think an insider must have been involved in the security breach involving cryptoTrader.Tax, he must have been responsible for sharing some important and vital documents for the hacker to gain easy access to the site so as to perpetuate the crime,  hackers are getting sophisticated in their performing the dastardly act of hacking thus exchanges and other crypto sites must ensure that their security firewall must be well fortified.
A through investigation must be made to ascertain those involved and an arrest must be made, while those culpable for the hack must be prosecuted this will serve as deterrent to other hackers.

This idea that everything can be prevented is a mistake, hackers are very smart and if needed they can wait for years in order to obtain the necessary information to make their hacks a reality, it is impossible to stop something that you do not see and hackers are experts at hiding themselves in plain sight, what this demonstrates is that the idea of giving your information to a centralized institution and relying on them to protect it is flawed.

We need to move to true decentralization in which exchanges do not ask for that kind of information that way hackers cannot steal it because they simply do not have it, but obviously many entities are against this because this limits their power.

This is a very dangerous scenario.

Lots of clients information were stored in their database that’s why they must protect and secure it as strictly as they can. The information and profiling of a client should not be leaked as it holds a vital role in accessing their accounts and their transactions. With this happened, the hacker can anytime use their information for wrongdoings and can possibly monitor them or steal from them.

The cryptotrader.tax should’ve prevented this from happening if only they put high and strict security measures to prevent hackers from penetrating their website database. They must really took steps to improve their security to earn their current and future customers trust again. They must look into all angles as it is possible that an inside job happened.

May this become a lesson for each companies to always maintain the strict security measures of their websites and database. A little negligence from their responsibilities can surely cost them a lot if something like this happens.

This and other similar hacking incidents underscore the need to accelerate the transition to Web 3.0 or the decentralized Internet, where user data is stored on a data blockchain and it is difficult or impossible to hack this data.
Of course, this is one of the biggest disadvantages of centralization when you give your data to any central site, whether an exchange, platform, customer service, or anything, your data is in danger because the site can be hacked, as happened here, or it can be stolen by the employees on the site itself.

While this is correct for the most part people are very lazy when it comes to their security, they prefer to use one email for every single one of their accounts and even sometimes they use the same password, I have no doubt that the hackers know this and they are trying to get access to all the accounts they got in this hack to try to steal money or even more information out of them.

And this is something that I have always found confusing, it is true that it is a little bit more of work to create more email accounts and different passwords for each one of your accounts but it is completely necessary, because in this market once you lose your coins you lose them for good with no possibility to get them back.

The damage doesn't seem to be that serious, but I guess we can only see that when the hacker starts using the data they stole to their advantage. I bet it wasn't the core of the company's security system that was breached but just one employee's account. I wonder if "took steps to improve security measures and monitoring systems across internal and third-party applications" also includes informing the owners of the compromized accounts and compensating those that took a huge toll from the breach.

Thats why is better to not share with anyone any kind of personal data in crypto

Anonylz, It is a well-known fact that humans are the weakest link in the security chain no matter how it is conceived and set up. If you have, say, a hundred employees, 99 of whom are honest and conscientious and know what they are doing - and you have one with bad intentions who has access to all databases, then all security procedures make no sense.

Take, for example, what Snowden did to one of the world's most powerful security agencies when he took a pile of confidential documents and handed them over to the media - who could have ever predicted and prevented that?

People's personal information keeps getting compromise every time when this platform owners fails to have a strong security, why does it feel like a deliberate act, why is it so easy this days to get hacked even though security should be a top priority.

What then to say about Ledger and their data leak which compromised about 1 million user emails, and in addition for 9500 people all personal data including full name, address and phone number were stolen. When I see these only 1000 potentially vulnerable clients it seems like a drop in the ocean, of course I'm not happy that it happened - but there are a lot of worse cases that have compromised the security of crypto users.

In addition to hacking databases, it should be taken into account that our data is also subject to trade between companies - they of course always deny it, but if they are discovered they claim to have been hacked...

If the hacker was able to get the passwords from the stolen data then it's clear that their security was weak.
Even if someone access the database then the password should not be so easily retrieved.
Developers generally hash the passwords so that it cannot be stolen easily.
This shows how weak security the exchange had. I guess this is why the hacker chose this site for their attack.