Web3 KYC vendor Fractal ID loses over 50k users’ passport info in data breach
Fractal ID data breach compromises sensitive user information for roughly 0.5% of its users, a figure that the company’s own published user counts put at more than 50,000 people.
Fractal ID, a digital identity verification service provider, disclosed a data breach affecting approximately 0.5% of its user base—according to the company’s website and X profile, this could be over 50,000 users.
The data exposed through the compromised API includes names, email addresses, wallet addresses, phone numbers, physical addresses, and images of uploaded KYC documents.
Fractal is used by web3 projects, including Polygon ID, Ripple, XRP Ledger, Avalanche, Gnosis, Near, Aurora, Acala, Polymath, BNB Chain, Lukso, Aleph Zero, and Arbitrum Foundation.
The company reported that the incident occurred on July 14, 2024, when an unauthorized third party accessed an operator’s account and executed an API script to extract users’ personal information. The breach began at 05:14 A.M. UTC and lasted just over two hours.
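The pattern described above, one operator account running a script that walks user records for about two hours, is detectable from ordinary API access logs. As an added example that is not the article’s or Fractal ID’s code, the following Python flags any operator account that retrieves more than a threshold of distinct user records inside a sliding window. The log line format, the account names, the sample lines and the thresholds are all constructed assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed access-log format (not Fractal ID's real format):
# <ISO-8601 UTC timestamp> <operator account> <HTTP method> /users/<user id> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<account>\S+) (?P<method>[A-Z]+) /users/(?P<user>[A-Za-z0-9_-]+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return (timestamp, account, user_id, status) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["account"], m["user"], int(m["status"])


def detect_bulk_export(lines, window=timedelta(minutes=10), max_distinct_users=100):
    """One alert per operator account that successfully read more than
    `max_distinct_users` distinct user records within any `window`.
    Lines must already be in chronological order."""
    recent = defaultdict(deque)                   # account -> deque of (ts, user) in window
    in_window = defaultdict(lambda: defaultdict(int))  # account -> user -> hits in window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, account, user, status = parsed
        if status != 200:
            continue                              # only successful reads expose data
        q = recent[account]
        q.append((ts, user))
        in_window[account][user] += 1
        while q and ts - q[0][0] > window:        # slide the window forward
            old_ts, old_user = q.popleft()
            in_window[account][old_user] -= 1
            if in_window[account][old_user] == 0:
                del in_window[account][old_user]
        distinct = len(in_window[account])
        if distinct > max_distinct_users and account not in alerts:
            alerts[account] = {
                "account": account,
                "window_start": q[0][0],
                "triggered_at": ts,
                "distinct_users": distinct,
            }
    return list(alerts.values())


def build_sample_log():
    """Constructed sample log: two operators doing routine lookups, and one
    operator account that starts enumerating users at 05:14 UTC."""
    normal = [
        "2024-07-14T04:58:10Z ops-alice GET /users/u1001 200",
        "2024-07-14T05:01:42Z ops-alice GET /users/u1002 200",
        "2024-07-14T05:03:05Z ops-carol GET /users/u3001 200",
        "2024-07-14T05:09:30Z ops-alice GET /users/u1001 200",   # repeat of an earlier user
    ]
    start = datetime(2024, 7, 14, 5, 14, 0, tzinfo=timezone.utc)
    scripted = [
        f"{(start + timedelta(seconds=2 * i)).strftime('%Y-%m-%dT%H:%M:%SZ')} "
        f"ops-bob GET /users/u{2000 + i} 200"
        for i in range(150)
    ]
    # Fixed-width ISO timestamps lead each line, so a lexical sort is chronological.
    return sorted(normal + scripted)


if __name__ == "__main__":
    for alert in detect_bulk_export(build_sample_log()):
        print(alert)
```

The rule counts distinct users rather than raw requests, so a legitimate operator re-opening the same case does not trip it, while a script walking identifiers does; a real deployment would baseline the threshold per role and pair the alert with an automatic credential revocation.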
The company stated it has taken immediate action to mitigate the breach’s impact and implemented additional security measures. Fractal ID also reported the incident to relevant data protection authorities and the cybercrime police division.
In response to the breach, Fractal ID emphasized that the incident was contained within their environment and did not affect their clients’ systems or products utilizing their services. However, the company advised affected users to be cautious of unsolicited communications requesting personal information, as breached data could be shared with third parties or used for commercial purposes.
Fractal ID’s approach to addressing the breach involved first contacting affected users, followed by impacted clients, before making a public announcement.
The incident has drawn criticism from some members of the crypto community. Blockchain investigator ZachXBT questioned the company’s ability to secure user data and suggested that teams using Fractal ID’s product should consider alternatives.
Potential impact of the breach
The company’s website claims its product removes the “risks of centralized platforms,” which raises questions about the nature of Fractal’s decentralization. Fractal states its mission is rooted in “true ownership of data”:
“We believe that Decentralized Identity is the key to revolutionizing how individuals engage with the web, enabling true ownership of data and the power to selectively share it.”
However, a review of the company’s developer documentation appears to show that all user information is accessible via a single API call. Once a user authorizes an application to access their data, it does not seem that this permission is required again for subsequent data requests.
Thus, it’s hard to see how the user has sovereignty and ownership of the data. A single centralized endpoint, reachable with one compromised operator account, handed the attacker the most sensitive user data without any per-request authorization signed by the users’ own private keys.
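To make the contrast concrete, here is an added illustration in Python; it is not Fractal ID’s code or documentation and is not a claim about how their API is implemented. It places a toy KYC record store behind two access models: the pattern the text describes, where a long-lived operator credential returns every field of any user, and a consent-bound alternative where each read needs a fresh grant signed by the user’s key that names the relying party, the fields and an expiry, and can be used once. The user signature is a Lamport one-time signature built from SHA-256 so the example runs with the standard library alone; that is an assumption standing in for a wallet signature (secp256k1 or Ed25519 in practice), and the record, names and identifiers are constructed.

```python
import hashlib
import json
import secrets

# Constructed sample record (fictional data, not from the breach).
USER_RECORD = {
    "name": "Ada Example",
    "email": "ada@example.invalid",
    "wallet": "0x000000000000000000000000000000000000dEaD",
    "phone": "+1 555 0100",
    "address": "1 Example Street",
    "document_image": "<passport scan bytes>",
}


# Lamport one-time signature: stdlib-only stand-in for a wallet signature
# (assumption for this example; production would verify secp256k1/Ed25519).
# A Lamport key pair may sign ONE message; a second signature leaks key material.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bits(message):
    d = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, message):
    return [sk[i][b] for i, b in enumerate(_bits(message))]


def lamport_verify(pk, message, sig):
    return len(sig) == 256 and all(
        hashlib.sha256(sig[i]).digest() == pk[i][b] for i, b in enumerate(_bits(message)))


def canonical(grant):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(grant, sort_keys=True, separators=(",", ":")).encode()


def make_grant(user_id, audience, fields, expires_at, nonce=None):
    return {"user": user_id, "audience": audience, "fields": sorted(fields),
            "expires_at": expires_at, "nonce": nonce or secrets.token_hex(8)}


class PermissiveKycApi:
    """The pattern the article describes: one operator credential returns every
    field of any user for as long as the credential is valid."""
    def __init__(self, records, operator_keys):
        self.records, self.operator_keys = records, set(operator_keys)

    def get_user(self, operator_key, user_id):
        if operator_key not in self.operator_keys:
            raise PermissionError("unknown operator key")
        return dict(self.records[user_id])        # full record, document scan included


class ConsentBoundKycApi:
    """Every read needs a user-signed grant naming the relying party, the
    fields and an expiry; each grant is single-use and every disclosure is logged."""
    def __init__(self, records, user_pubkeys):
        self.records, self.user_pubkeys = records, user_pubkeys
        self.used_grants, self.disclosure_log = set(), []

    def get_user(self, relying_party, user_id, grant, signature, now):
        if grant["user"] != user_id or grant["audience"] != relying_party:
            raise PermissionError("grant not issued to this relying party/user")
        if now > grant["expires_at"]:
            raise PermissionError("grant expired")
        msg = canonical(grant)
        if not lamport_verify(self.user_pubkeys[user_id], msg, signature):
            raise PermissionError("bad user signature")
        grant_id = hashlib.sha256(msg).hexdigest()
        if grant_id in self.used_grants:
            raise PermissionError("grant already used (replay)")
        record = self.records[user_id]
        if not set(grant["fields"]).issubset(record):
            raise PermissionError("grant names unknown fields")
        self.used_grants.add(grant_id)
        self.disclosure_log.append((now, relying_party, user_id, tuple(grant["fields"])))
        return {f: record[f] for f in grant["fields"]}   # only the granted fields


def try_get_user(api, *args, **kwargs):
    """Return ('ok', data) or ('denied', reason) instead of raising."""
    try:
        return "ok", api.get_user(*args, **kwargs)
    except PermissionError as e:
        return "denied", str(e)


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    permissive = PermissiveKycApi({"u1": USER_RECORD}, ["op-key"])
    print("permissive:", sorted(permissive.get_user("op-key", "u1")))
    bound = ConsentBoundKycApi({"u1": USER_RECORD}, {"u1": pk})
    grant = make_grant("u1", "dapp.example", ["name", "wallet"], expires_at=1_720_000_300)
    sig = lamport_sign(sk, canonical(grant))
    print("scoped:", try_get_user(bound, "dapp.example", "u1", grant, sig, now=1_720_000_000))
    print("replay:", try_get_user(bound, "dapp.example", "u1", grant, sig, now=1_720_000_001))
```

The point of the second model is that the identity provider holds only public keys: a stolen operator credential cannot mint a grant, a grant stolen in transit is bound to one relying party and expires, and the disclosure log records which fields each party actually received, which is the evidence a provider needs to scope a breach notification.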
Thousands of users’ identity information, such as passport and driving license scans, were stolen in the breach without being “selectively shared” by the owners. The scope of the damage this breach could cause is extensive.
The most sensitive stolen data could be used to create fraudulent accounts, seed phishing attacks, attempt to breach existing accounts, or even broader identity theft.
With access to names, email addresses, and wallet addresses, bad actors might craft convincing impersonation schemes or launch sophisticated social engineering attacks.
Physical addresses could be used for real-world stalking, harassment, or worse, with reports of home invasions targeting crypto professionals on the rise. Compromised wallet addresses might be used to track transaction histories or target high-value accounts.
While the ‘decentralized’ aspect of Fractal’s user data remains in question, one clear web3 element of the company, the price of its token (FCL), has been marginally affected, down 2.9%. With less than $3,000 in 24-hour trading volume and a market cap of $144,037, the token has fallen 43% year-to-date.
Users affected by this breach should remain vigilant, monitor their accounts closely, and consider updating their security measures across various online services to mitigate potential risks.