
Topic: Hacker Stole 1,000 Traders’ Personal Data From CryptoTrader.Tax (Read 635 times)

full member
Activity: 1274
Merit: 104
At this time we have to be really careful to store our assets because wallets on exchanges or centralized wallets can be very vulnerable to hacking.
The safest way to store your cryptocurrency assets is in your own personal wallet or in a ledger.
I hope everyone can be careful because there are currently a lot of exchange hacks and phishing.
full member
Activity: 726
Merit: 100
I read the case; in my opinion it is strange. How will the tax office know if a hacker is in there? Or maybe this is one of the tactics of tax people to collect taxes from crypto traders?
For me, whatever the reason, it is wrong and violates someone's personal information.
legendary
Activity: 2688
Merit: 1192
A hacker has stolen data on more than 1,000 users from CryptoTrader.Tax, an online service used to calculate and file taxes on cryptocurrency trades.

The hacker broke into a CryptoTrader.Tax marketing and customer service employee’s account on a support center platform, according to a source who came across the hacker on a dark web forum. With this access, the hacker could see customers’ names, email addresses, payment processor profiles and messages sometimes containing cryptocurrency incomes.

The hacker then screengrabbed samples of this sensitive information, posted them on the forum to entice potential buyers of the data trove and sent additional pictures to the source, who shared this evidence with CoinDesk.

David Kemmerer, a co-founder and the chief executive of CryptoTrader.Tax, confirmed to CoinDesk that a hacker gained unauthorized access on April 7 to the marketing and customer service employee’s account. The hacker was able to see support center details in the materials and downloaded a file containing 13,000 rows of information, including 1,082 unique email addresses, Kemmerer said.

CryptoTrader.Tax’s security team investigated the breach and found tax filing account passwords and CryptoTrader.Tax’s website were not compromised, Kemmerer said. The team then alerted parties affected by the breach and took steps to improve security measures and monitoring systems across internal and third-party applications, Kemmerer said.

https://www.coindesk.com/hacker-cryptotrader-tax


The funny thing is that I'm unsure what the hacker will actually gain from this attack; maybe they just happened to have a vulnerability within their systems and it is sheer coincidence that they are in the cryptocurrency space. It would seem that people using the services of a crypto service with "tax" in the name are the kind of people who want to stay on the right side of the law when it comes to accurate accounting trails. I guess it could be useful for later phishing attempts or more specific targeting of owners with big holdings, but by itself it does not seem like a major risk to the people who were compromised - anyone with an ounce of sense should have unique credentials across different sites so that avenue is useless.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
This data includes data that allows fraudsters to steal the funds of these traders?
The case is nearly a year old, but since this thread has resurfaced, it’s worth mentioning that the breached data details don’t seem to be crystal clear, although we know that over 1k emails and 13k rows of information were obtained during the hack. I’ve been looking around for further detail of the involved data fields, but came out empty handed.

It’s fair to assume that perhaps at least some specific crypto names and amounts were involved. Their software (see https[colon]//cryptotrader[dot]tax/cryptocurrency-tax-reports) also details information to generate the IRS Form 8949, which includes name and SS number, so this detail of information could have been compromised, although the claims say they weren’t:
Quote
CryptoTrader.Tax users had to enter their billing information into the payment processor Stripe to pay for their subscriptions. However, Stripe assured that, while its system is connected to the hacked CryptoTrader.Tax support center platform, the link does not reveal sensitive user info such as credit, debit, and banking information as well as the physical addresses of its clients. As such, only customer email addresses and the general location were exposed by the hack.

https://tokenpost.com/More-than-1000-users-affected-in-a-cryptocurrency-tax-reporting-service-hack-5712

With the above, and assuming the limited scope, fraudsters/hackers should not have been able to directly obtain access to the crypto of those involved in the hack (it would have to involve credentials to custodial wallets, which is unlikely to be stored in this type of application; private keys are out of the question here).

Nevertheless, they could have used social engineering to try to trick/scam/blackmail/phish a few of the 1K affected by the hack. It will also depend on the time that passed between when the events took place (April 2020) and when they were actually communicated to those involved (the general public was made aware months later, but those affected were possibly told before).
member
Activity: 327
Merit: 12
I'm just wondering how they know the other information such as the passwords are not in custody of the hacker. It is not unbelievable to see a hacker stealing information, but it becomes worrisome when they have direct access to your account. The hacker might not compromise the password by changing it but might know the passwords. This is part of the reason why people have not been supporting centralized platforms.
Judging from the article it's only a rough conclusion, because the hacker managed to get into a database where the hacker was able to view support center details in the material and download a file containing 13,000 lines of information, including 1,082 unique email addresses, Kemmerer said.
This is of course very reasonable, because speculation like this must happen because basically the hacker is not likely to hack something just for fun.
Besides that, there must be some traces left, because not all hackers play cleanly and only the pros are like that.
legendary
Activity: 1848
Merit: 1982

That web 3.0 you said sounds cool, but web decentralization can be achieved by using private internet like VPNs.

No one can trace you that way, but there is still a problem: what if the site is still centralized? Hacking and stealing can still occur. I heard that many businesses are now planning to support blockchain on their system. This step can be the only solution to solve major problems that we face day by day.

This is what I meant by web 3.0. I did not mean to preserve privacy by using a VPN; web 3.0 means that there should be a blockchain for the Internet so that our data is stored on the blockchain and not on the site. In this way, all data is safe and difficult to hack or steal, and also cannot be sold (by the site itself) to someone else as it happens now.
member
Activity: 1358
Merit: 81
Lately we are realizing that there is vulnerability in the platforms due to the frequency of how these hackers violate the security of the systems. We need more robust websites especially in the crypto field. What remains for us is to be more attentive to the websites we visit.
sr. member
Activity: 1120
Merit: 272
I'm just wondering how they know the other information such as the passwords are not in custody of the hacker. It is not unbelievable to see a hacker stealing information, but it becomes worrisome when they have direct access to your account. The hacker might not compromise the password by changing it but might know the passwords. This is part of the reason why people have not been supporting centralized platforms.

But in that case, where they have personal data of different users, they can steal money whenever they want. Personal information and details are very, very important and shouldn't be ignored because the fate of your account is dependent on that. If they know the password of your account then it is more likely that you are the next target and you will suffer the most. Centralized platforms are somehow good, but they still do have a downside. All of the things in the world have advantages and disadvantages; that's why you need to deal with both. Hackers are unstoppable and unpredictable when they will act or move, so always be aware and mindful.
full member
Activity: 1750
Merit: 118
This and other similar hacking incidents underscore the need to accelerate the transition to Web 3.0 or the decentralized Internet, where user data is stored on a data blockchain and it is difficult or impossible to hack this data.
Of course, this is one of the biggest disadvantages of centralization when you give your data to any central site, whether an exchange, platform, customer service, or anything, your data is in danger because the site can be hacked, as happened here, or it can be stolen by the employees on the site itself.

That web 3.0 you said sounds cool, but web decentralization can be achieved by using private internet like VPNs.

No one can trace you that way, but there is still a problem: what if the site is still centralized? Hacking and stealing can still occur. I heard that many businesses are now planning to support blockchain on their system. This step can be the only solution to solve major problems that we face day by day.
sr. member
Activity: 2842
Merit: 326
That's why it is better not to share any kind of personal data with anyone in crypto.
Personally I think an insider must have been involved in the security breach involving CryptoTrader.Tax; he must have been responsible for sharing some important and vital documents for the hacker to gain easy access to the site so as to perpetrate the crime. Hackers are getting sophisticated in performing the dastardly act of hacking, thus exchanges and other crypto sites must ensure that their security firewall is well fortified.
A thorough investigation must be made to ascertain those involved and an arrest must be made, while those culpable for the hack must be prosecuted; this will serve as a deterrent to other hackers.
hero member
Activity: 2814
Merit: 734
Bitcoin is GOD
CryptoTrader.Tax should’ve prevented this from happening, if only they had put high and strict security measures in place to prevent hackers from penetrating their website database. They must really take steps to improve their security to earn their current and future customers' trust again. They must look into all angles, as it is possible that an inside job happened.
This idea that everything can be prevented is a mistake, hackers are very smart and if needed they can wait for years in order to obtain the necessary information to make their hacks a reality, it is impossible to stop something that you do not see and hackers are experts at hiding themselves in plain sight, what this demonstrates is that the idea of giving your information to a centralized institution and relying on them to protect it is flawed.

We need to move to true decentralization in which exchanges do not ask for that kind of information that way hackers cannot steal it because they simply do not have it, but obviously many entities are against this because this limits their power.
sr. member
Activity: 2436
Merit: 455
This is a very dangerous scenario.

Lots of clients' information was stored in their database; that’s why they must protect and secure it as strictly as they can. The information and profiling of a client should not be leaked, as it holds a vital role in accessing their accounts and their transactions. With this having happened, the hacker can at any time use their information for wrongdoing and can possibly monitor them or steal from them.

CryptoTrader.Tax should’ve prevented this from happening, if only they had put high and strict security measures in place to prevent hackers from penetrating their website database. They must really take steps to improve their security to earn their current and future customers' trust again. They must look into all angles, as it is possible that an inside job happened.

May this become a lesson for each company to always maintain strict security measures for their websites and databases. A little negligence in their responsibilities can surely cost them a lot if something like this happens.
legendary
Activity: 1848
Merit: 1982
This and other similar hacking incidents underscore the need to accelerate the transition to Web 3.0 or the decentralized Internet, where user data is stored on a data blockchain and it is difficult or impossible to hack this data.
Of course, this is one of the biggest disadvantages of centralization when you give your data to any central site, whether an exchange, platform, customer service, or anything, your data is in danger because the site can be hacked, as happened here, or it can be stolen by the employees on the site itself.
hero member
Activity: 2814
Merit: 734
Bitcoin is GOD
This is yet another reminder to use a different email address for every service though - if it gets leaked, no big deal.

And in fact this is possible, just create as many ProtonMail emails as you want. Though if they only stole email addresses and names then the worst they can do with it is get revenue by selling them to marketers that will send you spam offers. That would be pretty juvenile of them.
While this is correct, for the most part people are very lazy when it comes to their security; they prefer to use one email for every single one of their accounts and sometimes they even use the same password. I have no doubt that the hackers know this and they are trying to get access to all the accounts they got in this hack to try to steal money or even more information out of them.

And this is something that I have always found confusing. It is true that it is a little bit more work to create more email accounts and different passwords for each one of your accounts, but it is completely necessary, because in this market once you lose your coins you lose them for good with no possibility to get them back.
member
Activity: 122
Merit: 20
The damage doesn't seem to be that serious, but I guess we can only see that when the hacker starts using the data they stole to their advantage. I bet it wasn't the core of the company's security system that was breached but just one employee's account. I wonder if "took steps to improve security measures and monitoring systems across internal and third-party applications" also includes informing the owners of the compromised accounts and compensating those that took a huge toll from the breach.
full member
Activity: 416
Merit: 103
That's why it is better not to share any kind of personal data with anyone in crypto.
legendary
Activity: 3234
Merit: 5637
Anonylz, It is a well-known fact that humans are the weakest link in the security chain no matter how it is conceived and set up. If you have, say, a hundred employees, 99 of whom are honest and conscientious and know what they are doing - and you have one with bad intentions who has access to all databases, then all security procedures make no sense.

Take, for example, what Snowden did to one of the world's most powerful security agencies when he took a pile of confidential documents and handed them over to the media - who could have ever predicted and prevented that?
hero member
Activity: 2562
Merit: 577
People's personal information keeps getting compromised every time these platform owners fail to have strong security. Why does it feel like a deliberate act? Why is it so easy these days to get hacked even though security should be a top priority?
legendary
Activity: 3234
Merit: 5637
More people now will be exposed that they own cryptocurrency and might be personally targeted.

What then to say about Ledger and their data leak, which compromised about 1 million user emails, and in addition for 9500 people all personal data including full name, address and phone number were stolen? When I see these only 1000 potentially vulnerable clients it seems like a drop in the ocean. Of course I'm not happy that it happened - but there are a lot of worse cases that have compromised the security of crypto users.

In addition to hacking databases, it should be taken into account that our data is also subject to trade between companies - they of course always deny it, but if they are discovered they claim to have been hacked...
hero member
Activity: 2702
Merit: 716
Nothing lasts forever
If the hacker was able to get the passwords from the stolen data then it's clear that their security was weak.
Even if someone accesses the database, the passwords should not be so easily retrieved.
Developers generally hash the passwords so that they cannot be stolen easily.
This shows how weak the security of the exchange was. I guess this is why the hacker chose this site for their attack.