Hackers who obtained personal data on users of Canadian cryptocurrency exchange Coinsquare say they plan to use the information to perform so-called SIM swapping attacks, according to one of the hackers.
The news shows hackers’ continued interest in trying to leverage security issues with telecom-based forms of authentication. In a SIM swapping attack, a hacker takes control of a target’s phone number, which then gives them the ability to request password resets for some websites or a victim’s two-factor authentication code. Often, SIM swappers will use these techniques to steal cryptocurrency. The breach also signals the continued risk of insider access, with Coinsquare telling Motherboard a former employee was responsible for stealing the data.
“The original intent was to sell it [the data] but we figured we would make more money by SIM swapping the accounts,” a pseudonymous hacker who provided the Coinsquare data to Motherboard said in an online chat.
Do you know anything else about SIM swapping? We’d love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Coinsquare lets users buy and sell Bitcoin, Ethereum, and other cryptocurrencies. On its website, it describes itself as “the most secure trading platform.”
The hacker added, “I set out to embarrass the company for claiming they [were] the most secure Canadian exchange and obviously that is a lie.”
The hacker provided Motherboard with a version of the data stolen from Coinsquare. It includes just over 5,000 rows of users’ email addresses, phone numbers, and in some cases physical addresses. The data also contains a column titled “total $ funded first 6 months,” which could represent the dollar amount put into a user’s Coinsquare account in that period, and whether Coinsquare marks the user as a “high value client.” The data does not appear to include passwords.
Motherboard verified the data by attempting to make accounts on Coinsquare with a random selection of email addresses in the data. This was not possible because the addresses were already linked to Coinsquare accounts, strongly suggesting that the data does relate to Coinsquare users. Several of the tested addresses were also not publicly available via Google searches, suggesting that this is largely private information.
Motherboard also contacted a number of people listed in the database. Three responded confirming they are Coinsquare users, and two confirmed their phone numbers.
Coinsquare said the data came not from a hack of its systems, but rather a now former employee stole the information.
“The data was obtained as the result of employee theft of information contained within a client relationship database used for prospecting,” Stacey Hoisak, Coinsquare’s general counsel, told Motherboard in an email.
Hoisak added that the company became aware of the issue about a year ago, and notified law enforcement, data protection authorities, and all known impacted users at the time. She suggested the company was not originally aware of the full extent of the breach, however; after Motherboard provided a limited set of screenshots of the data to Coinsquare so they could provide an informed statement, Hoisak characterized some of the information as “additional User names.”
“Since we were made aware of this issue last year, Coinsquare has replaced internal sales management systems, re-written data management policy and upgraded its internal controls, and we are not aware of any breach or additional employee thefts since that time,” she continued.
All sorts of tech companies face issues from employees or contractors stealing or otherwise abusing access to user data. Last month, Motherboard reported how a hacker bribed a worker at video game giant Roblox to access and manipulate user data.
Subscribe to our cybersecurity podcast, CYBER.