
Bitcoin Exchanges Leaked Your Data (again)

This week 3 Bitcoin exchanges were hit by data leaks: Unchained Capital, Swan Bitcoin and BlockFi. After explaining what happened, which data was leaked and how, I give you three simple steps to protect your Bitcoin against attacks resulting from these data leaks.

TIMESTAMPS
0:00 Introduction
0:44 Data leak
1:40 Unchained Capital leak
2:48 Swan Bitcoin & BlockFi
3:56 My thoughts
4:31 Coinbase exploit
6:00 Step 1: Data security
7:15 Step 2: Exchange security
10:57 Step 3: Wallet security

I'm excited to launch my YouTube channel where I will show how we are creating more freedom in our life with Bitcoin. Please subscribe to the channel if you want to follow our journey and learn about Bitcoin.

FOLLOW ME
Twitter: https://twitter.com/dldasilvarosa
Clubhouse: https://clubhouse.com/@dasilvarosa
Instagram: https://instagram.com/davidforfreedom
Facebook: https://www.facebook.com/davidforfreedom


DESCRIPTION
Unchained Capital, Swan Bitcoin and BlockFi were using third parties to send marketing emails to prospective customers. These email marketing services were successfully attacked by cyber criminals, who got away with valuable customer information that they can later use to execute phishing attacks to steal bitcoin. Just to be clear: none of the 3 exchanges were hacked directly, no accounts were accessed, and no Bitcoin was stolen.

The first company in this series of attacks is Unchained Capital. Unchained used a third party called ActiveCampaign to store a part of its customer data. As ActiveCampaign was used to send marketing emails, it stored customer names, email addresses, usernames, account status and IP addresses.

Swan Bitcoin and BlockFi use a third party called HubSpot to store customer data for the purpose of sending marketing emails. HubSpot was affected by a data leak that compromised customer data for Swan Bitcoin as well as BlockFi. In the case of both exchanges this includes customer names, email addresses and phone numbers. For Swan Bitcoin the account type and company name of customers were also compromised.

Now, I’m quite disappointed to see that even reputable Bitcoin companies haven’t learned from past mistakes, whether it be their own mistakes or those of other companies in the industry. During the now infamous Ledger hack in 2020, a million email addresses were leaked because of a misconfigured access key to an email marketing service provider. I would have hoped to see all these companies stop giving customer data to external service providers and use a sovereign solution instead that keeps the data internally. I hope we will see improvements in that area after this week’s data breaches.

While looking into these three leaks, a FOURTH data breach caught my attention, this time one that occurred previously at Coinbase. In episode 112 of the Darknet Diaries podcast, a young hacker called “Drew” explains how the Ledger hack was the most lucrative database leak he’s ever come across. The database was combined with other data leaks to figure out the email and password combinations of users of various exchanges. Through SIM swaps the attackers could bypass the two-factor authentication that’s supposed to protect users.

Now, in order to know which accounts to target, hackers used an exploit on Coinbase that allowed them to know customers’ Coinbase account balances without even logging into the exchange! All they needed was the email and password combination, and they could find out who were the richest Coinbase users among their list of potential victims. They could then carry out their SIM swap on the most lucrative targets. I found this exploit extremely worrying. It clearly shows that even if a data breach does not include very sensitive information, it can still be used and cross-referenced with other breaches to steal funds in the end. Also, the fact that we’re still finding out the details of this hack that took place in 2021 is quite a bad look for Coinbase. They have not been transparent about this situation, claiming there was a flaw in their SMS account recovery process. Now it turns out attackers could see how much money Coinbase customers had in their account. Seriously, this doesn’t look good for Coinbase.

Security tips. The easiest data to protect is data you never shared. Use P2P exchanges like Hodl Hodl, Bisq, LocalCryptos, LocalCoinSwap. These are a bit more expensive, but easy to use and private. If you're using regulated exchanges, limit how many you use.

Get a hardware wallet if you have Bitcoin on an exchange. Protect your exchange access: unique email address, unique password, strong 2FA. Use a different email address for Bitcoin exchanges; use Fastmail for convenience. Use a password manager like LastPass or 1Password. 2FA: Google Authenticator, separate phone, back up the codes.

Criminals will try to trigger an emotional response to make you give up your seed words. Don't do anything! When in doubt: contact the exchange.
Store seed words in a secure, hidden location.

David da Silva Rosa
