Blockchain identity platform Fractal ID suffered a data breach on July 14, according to a notice published on Fractal’s website on July 17. Partners of the platform include the payment system Gnosis Pay, decentralized finance app Acala, the proof of personhood project Polygon ID, the social media platform Lukso, and other Web3 applications.
In its statement, Fractal did not identify which partners, if any, were affected by the breach. Some users on X reported receiving emails from the Gnosis Pay team alerting them to the breach and warning them to “be cautious of unsolicited communications.”
Fractal stated that the breach only affected “approximately 0.5% of the Fractal ID user base.”
According to the notice, “A third party external to Fractal ID gained unauthorized access to an operator’s account and ran an API script that started at 05:14 am UTC to access users’ personal data.” Once the team noticed the breach, they “took action to log the attacker off the system by 07:29 AM UTC.” Thus, the attack seemingly took place over a period of two hours and 14 minutes.
The notice states that only a limited number of accounts had data stored in this particular operator’s account, amounting to just 0.5% of Fractal's total user base. For those particular users, the data that was potentially leaked “may include names, email addresses, wallet addresses, phone numbers, physical addresses, images and pictures of uploaded documents.”
Fractal claimed that the breach did not affect clients' systems or products, as it was “contained within [Fractal’s] environment.” Even so, affected users should be “cautious of unsolicited communications requesting additional personal information,” the notice stated.
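The notice describes a compromised operator account running an API script against user records for roughly two hours before it was logged off. The following is an added illustration, not Fractal ID's code, logs or detection rules, of one check a defender can run over API access logs to surface that pattern: count, per account, how many distinct user records are fetched inside a sliding time window and alert when the count exceeds what a human operator plausibly does. The log format, endpoint path, account names, sample data and thresholds are all assumptions constructed for the example.

```python
"""Flag bulk personal-data reads by a single operator account from API access logs.

Added illustration, not Fractal ID's code or logs. The log format, endpoint path,
account names and thresholds are assumptions chosen for the example.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed access-log format: "<ISO-8601 UTC timestamp> <actor> GET /v1/users/<user-id>"
LOG_RE = re.compile(r"^(\S+) (\S+) GET /v1/users/(\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return (timestamp, actor, user_id), or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return ts, m.group(2), m.group(3)


def detect_bulk_reads(lines, window=timedelta(minutes=10), max_distinct=50):
    """Return {actor: alert} for every actor who read more than max_distinct
    distinct user records within any sliding window of the given length.

    Each alert records when the threshold was first crossed, the actor's last
    observed read, the dwell time between the two, and the total number of
    distinct records the actor touched (an upper bound on exposure).
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)       # actor -> (ts, user_id) still inside the window
    in_window = defaultdict(Counter)  # actor -> user_id -> hits inside the window
    touched = defaultdict(set)        # actor -> every user_id ever read
    last_read = {}                    # actor -> timestamp of most recent read
    alerts = {}
    for ts, actor, user_id in events:
        touched[actor].add(user_id)
        last_read[actor] = ts
        recent[actor].append((ts, user_id))
        in_window[actor][user_id] += 1
        # Expire reads that have fallen out of the window (the newest read always stays).
        while ts - recent[actor][0][0] > window:
            _, old_id = recent[actor].popleft()
            in_window[actor][old_id] -= 1
            if in_window[actor][old_id] == 0:
                del in_window[actor][old_id]
        if len(in_window[actor]) > max_distinct:
            alerts.setdefault(actor, {"first_alert": ts})
    for actor, alert in alerts.items():
        alert["last_read"] = last_read[actor]
        alert["dwell"] = alert["last_read"] - alert["first_alert"]
        alert["records_read"] = len(touched[actor])
    return alerts


def build_sample_log():
    """Constructed sample: two operators doing routine lookups every 20 minutes, plus
    a compromised account ('op-victim') sweeping one record per second for two hours
    from 05:14 UTC. Only the start time mirrors the notice; everything else is invented."""
    day = datetime(2024, 7, 14, tzinfo=timezone.utc)
    lines = []
    for i in range(12):
        t = day + timedelta(hours=3, minutes=20 * i)
        lines.append(f"{t:{TS_FMT}} op-alice GET /v1/users/u-{1000 + i}")
        lines.append(f"{t + timedelta(minutes=7):{TS_FMT}} op-bob GET /v1/users/u-{2000 + i}")
    start = day + timedelta(hours=5, minutes=14)
    for i in range(2 * 3600):
        lines.append(f"{start + timedelta(seconds=i):{TS_FMT}} op-victim GET /v1/users/u-{5000 + i}")
    lines.append("2024-07-14T05:30:00Z op-alice POST /v1/sessions")  # non-matching line, ignored
    return lines


if __name__ == "__main__":
    for actor, a in detect_bulk_reads(build_sample_log()).items():
        print(f"{actor}: threshold crossed {a['first_alert']:%H:%M:%S} UTC, "
              f"last read {a['last_read']:%H:%M:%S} UTC, dwell {a['dwell']}, "
              f"{a['records_read']} distinct records")
```

On the constructed log the routine operators never exceed one distinct record per ten-minute window, while the scripted account crosses the 50-record threshold within its first minute; the reported dwell time and record count give an incident responder the same two figures the notice had to reconstruct after the fact. The threshold and window should be tuned against each deployment's real per-operator baseline rather than taken from this example.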
Web3 developer Paulo Fonseca posted an image of an email reportedly sent to some Gnosis Pay users. “At 7:30 PM CET Monday, 15th July 2024, our Know Your Customer (KYC) service provider Fractal ID made the Gnosis Pay team aware that it had suffered a data breach on Sunday 14th July 2024,” the email stated.
The email stated that the recipient’s information “was not part of the data that was accessed.” Even so, it warned the user to “be cautious of unsolicited communications requesting additional personal information.”
Cointelegraph contacted Gnosis for comment but did not receive a response by the time of publication.
Most jurisdictions require cryptocurrency exchanges or payment providers to record and store know-your-customer (KYC) information on every customer they serve. This information can include images of users' identity documents, names, physical addresses, emails, and other sensitive data. Supporters of KYC requirements claim that this practice is necessary to prevent money laundering, while critics claim that it poses a risk of personal data being leaked.
On June 27, crypto ID provider Autix10 announced that its administration credentials had been leaked online, but in that case the attacker appeared not to have obtained any actual customer data. On July 3, the two-factor authentication app Authy also suffered a data breach, resulting in the phone numbers of users being leaked.