Blockchain identity platform Fractal ID experienced a data breach on July 14, which was publicly disclosed on its website and X, formerly known as Twitter on July 17.
The Fractal ID data breach has raised concerns about the security of personal data within the Web3 ecosystem, particularly among Fractal ID’s partners, which include prominent platforms like Gnosis Pay, Acala, Polygon ID, and Lukso.
Fractal ID revealed that approximately 0.5% of its user base was affected by the Fractal ID data breach. The company did not specify which of its partners, if any, were directly impacted.
However, users on social media platform X reported receiving emails from the Gnosis Pay team, advising them to be wary of unsolicited communications.
Details of the Fractal ID Data Breach
According to Fractal’s official notification, the data breach occurred on July 14, when a third party gained unauthorized access to an operator’s account and executed an API script to access user data. The Fractal ID cyberattack began at 05:14 AM UTC and was detected and contained by 07:29 AM UTC.
Despite the quick response, the attacker accessed the personal data of approximately 0.5% of Fractal ID’s user base, which includes names, email addresses, wallet addresses, phone numbers, physical addresses, and images of uploaded documents.
“The attacker had access to data from approximately 0.5% of the Fractal ID user base. The potential compromised information includes information contained in Fractal ID user profiles. This data may include names, email addresses, wallet addresses, phone numbers, physical addresses, images and pictures of uploaded documents,” reads the official statement of Fractal ID.
Fractal ID emphasized its commitment to user security and privacy, stating, “We have taken immediate steps to mitigate the impact of this breach and have implemented additional security measures. We have also contacted the pertinent data protection authorities and the cybercrime police division.
“The breach was contained within our environment and did not affect any of our clients’ systems, or their products that use our services. Data breaches can result in the accessed data being shared with third parties or used for commercial purposes. We encourage affected users to be cautious of unsolicited communications requesting additional personal information,” informed Fractal ID.
Fractal also warned users to be wary of unsolicited communications requesting additional personal information.
Reactions and Speculations
The breach has sparked significant concern among users and partners. A Twitter account named “ethereal” expressed frustration, questioning the trust placed in service providers with sensitive personal information.
Web3 developer Paulo Fonseca also shared an image of an email reportedly sent to some Gnosis Pay users, which stated, “At 7:30 PM CET on Monday, July 15, 2024, our KYC service provider Fractal ID notified the Gnosis Pay team of a data breach that occurred on Sunday, July 14, 2024.
Adding to the complexity of the situation, on July 16, Gnosis Pay tweeted about a separate security incident involving an exploit on the Li.Fi/Jumper service. They disabled the widget in their web app and provided steps for users to revoke token approvals.
This exploit reportedly led to a loss of nearly $10 million in cryptocurrency, as reported by The Cyber Express Team. The Li.Fi attack, which occurred on July 16, targeted a vulnerability in Li.Fi’s contract, allows attackers to drain funds from users’ wallets.
Potential Connections and Broader Implications
While there is no confirmed link between the Fractal ID breach and the Li.Fi exploit, the coincidence of timing raises questions. The Cyber Express Team reached out to Gnosis for comment but did not receive a response before publication.
The Fractal ID data breach highlights the vulnerabilities inherent in systems that handle sensitive user data, particularly in the context of cryptocurrency and Web3 applications. Most jurisdictions require cryptocurrency exchanges or payment providers to collect and store Know Your Customer (KYC) information, which includes images of users’ identity documents, names, physical addresses, emails, and other sensitive data.
Supporters of KYC requirements argue that this practice is essential for preventing money laundering and other illicit activities. However, critics contend that the storage of such sensitive data poses significant risks, as evidenced by the Fractal ID breach.
