Crypto lending site may have leaked sensitive user data

Getting your Trinity Audio player ready...

A cryptocurrency lending platform has been called out for a possible breach that saw it lose the private data of its customers. According to security researchers with vpnMentor, YouHodler has exposed the data of thousands of its users after its database info was leaked.

In a blog post about the security failure, vpnMentor, which typically covers virtual private networks (VPN) and different VPN applications, says, “The breach exposed a huge amount of data. There were over 86 million records that included users’ full names, email addresses, addresses, phone numbers, birthdays, credit card numbers, CVV numbers, full bank details, and in some cases crypto wallet addresses. The implications of this breach are extensive.”

The company contacted YouHodler on July 22 to inform them of the security flaw. The lending platform responded a day later, acknowledging the issue and asserting that it had taken proper measures to close the breach.

What stands out in the egregious lack of security protocols is that the information was all stored in unencrypted files. Given the fact that credit card numbers and their associated CVV (card verification value) — the three- or four-digit security code associated with the card — were easily accessible doesn’t paint a pretty picture for how the company may be treating assets it holds for users who take out loans. The company has reportedly processed over $10 million in transactions from 3,500 customers since it launched and has customers in over 35 countries, including the U.S., France, the U.K., Canada and Russia.

vpnMentor continues, “The nature of the data that leaked from YouHodler’s database could have serious consequences. Any platform that stores credit card data should be taking several security precautions. If YouHodler only stored the BIN and last four digits of user credit cards, there wouldn’t be as much of an impact in this regard.

“However, with full, unencrypted credit card numbers, CVV numbers, expiration dates, and cardholder names, a bad actor would have complete control over a user’s credit card. Furthermore, having storing CVV numbers is a violation of the PCI regulations imposed by credit card companies. This could be used to run up fraudulent charges and as a means of authentication for other accounts that belong to the user.”

The breach was discovered after company researchers began working on a web-mapping project that involved identifying ports associated known IP blocks. After identifying the blocks, the researchers try to find holes that allow access to a database and, in the case of YouHodler, a huge hole was found.