Binance data breach results in KYC data compromise

Getting your Trinity Audio player ready...

Know-Your-Customer (KYC) data, including personal photos to verify identities, of thousands of Binance users may have been sent out into the wild. The release came after a reported hack of the cryptocurrency exchange’s servers and a subsequent ransom attempt that Binance didn’t pay. While the hack has not been confirmed, it’s plausible, given the fact that the exchange was hacked a few months ago.

A Twitter user posted Tuesday about the breach, stating, “BREAKING; Thousands of #Binance users KYC data has been hacked and all ID’s are posted in a telegram group chat…. @cz_binance needs to make binance more secure because this, along with the 7000 BTC “hack” a few months back, aren’t making binance look [too] trustworthy!”

The Telegram group mentioned provides examples through pictures of individuals holding various types of identification – passports, driver’s license and more – in order to verify their identity with the exchange. The pictures also show the individuals holding a “Binance” sign and several have a date of February 24, 2018.

Binance accuses the Telegram channel and Twitter thread of offering nothing more than FUD (fear, uncertainty and doubt) and that no data breach had taken place. In a blog post, it states, “At the present time, no evidence has been supplied that indicates any KYC images have been obtained from Binance, as these images do not contain the digital watermark imprinted by our system.”

However, a couple of issues exist that might lend credibility to the story that the pictures are real. Binance has acknowledged that someone tried to force the exchange to pay 300 BTC ($3.5 million at today’s price) in return for not releasing 10,000 photos. The exchange refused and it is after this that the pictures began to appear.

To make the story more intriguing, Binance acknowledges that it didn’t have control over the KYC data when the pictures were allegedly taken. It states, “On initial review of the images made public, they all appear to be dated from February of 2018, at which time Binance had contracted a third-party vendor for KYC verification in order to handle the high volume of requests at that time. Currently, we are investigating with the third-party vendor for more information.”

That means that Binance cannot refute the legitimacy of the data with 100% accuracy. The issue with the lack of watermark can easily be attributed to the copies of the KYC pictures being taken before the identifying feature had been applied. The pictures would have to be uploaded to the site and stored before the watermark is embedded into the file.

Add to this list the fact that Binance has already been called out for lax KYC security as recently as last month, and serious doubts have to be raised. The exchange has reportedly been so remiss in its duties that it has knowingly allowed hackers to use the platform to launder money.