Fractal ID, a decentralized identity startup, experienced a data breach affecting 6,300 users. This breach traces back to a 2022 hack due to an employee reusing a password, leading to significant security measures and legal action.
Points
- The data breach affected approximately 6,300 users.
- The breach was caused by a compromised employee account from a 2022 hack.
- Fractal ID has implemented stricter security measures and involved law enforcement.
Decentralized identity startup Fractal ID recently published a postmortem detailing a data breach on July 14, which affected about 6,300 users. The breach was traced back to a 2022 hack where an employee reused a password, compromising the security of the system.
Details of the Breach: The compromised employee had administrator-level access, allowing the hacker to sidestep internal data privacy systems. The breach included names, email addresses, phone numbers, wallet addresses, physical addresses, and images of uploaded documents. The attacker was able to infiltrate the system for 29 minutes before being shut out by an automated alert system.
Initial Hack and Response: The initial compromise occurred in September 2022 due to the Raccoon ‘infostealer’ malware. The employee failed to change their password, enabling the hacker to gain access. Fractal ID has since taken measures to prevent such incidents, including restricting account access and blocking login attempts from unknown IP addresses.
Legal and Security Measures: Fractal ID declined to pay the ransom demanded by the attacker and instead contacted Berlin’s cybercrime law enforcement. They have notified affected users and implemented stricter security protocols to prevent future breaches.
Explanation
- Breach Impact: The breach affected 6,300 users, exposing sensitive information due to a reused password from a 2022 hack.
- Security Response: Fractal ID has implemented enhanced security measures, including restricted access and IP blocking, to prevent future incidents.
- Legal Action: The company has involved law enforcement and declined to negotiate with the attacker, emphasizing their commitment to security and transparency.