BuyUcoin Cryptocurrency User Data Allegedly Affecting Lakhs of People Leaked on the Dark Web

Banking and KYC information of lakhs of users of BuyUcoin, which trades bitcoin and other cryptocurrencies, has allegedly been leaked on the dark web. The details included the names, email addresses, mobile numbers, order information, and deposit history of users, according to a security researcher. The data dump available on the dark Web also appears to have bank details including bank names and account numbers, as well as know-your-customer (KYC) information that includes PAN and passport numbers of the people using BuyUcoin platform. The company has however denied the leak and said the surfaced data dump was of some dummy accounts.

Cybersecurity researcher Rajshekhar Rajaharia told Gadgets 360 that he found the data dump on the dark Web earlier this week. It included the details of more than three lakh BuyUcoin users, he said. The Delhi-NCR-based company claims to have over 3.5 lakh users in total.

The researcher said BuyUcoin appeared to have faced a data breach in September last year that resulted in the latest leak on the dark Web. Alongside user details, the data dump included a folder with admin credentials that could be used to access the server, he noted.

Rajaharia stated that the dump was posted on the dark Web by Shiny Hunters, the hacker group that allegedly leaked the data of BigBasket and JusPay in the recent past.

The leaked data could be used by bad actors to run fraudulent attacks against individuals, the researcher said. He also added that the data could also enable hackers to understand the credit score of the victims using transaction details.

BuyUcoin CEO and Co-founder Shivam Thakral denied the leak. “We would like to reiterate the fact that only dummy data of 200 entries was impacted which was immediately recovered and secured by our automated security systems,” he told Gadgets 360 over email.

However this might not be correct, as a person whose data was revealed in the data dump came forward to Gadgets 360 and said that their bank and KYC details were revealed.

“What if a bad actor would use any of the leaked user accounts in any illegal crypto activity?” asked Rajaharia while countering the company's rejection of the data leak. “Who will be responsible in such a case? Crypto data leak may become a very serious issue as the data could be used in illegal activities in many ways in such cases. It's the company's responsibility to inform affected users and protect data instead of making any false claims.”

Thakral however denied the leak again, and responded by saying that it was just a hoax to defame the company.

“These people who reached out to journalists are friends of hackers, they are just showing our email IDs are there,” he said. “This doesn't make sense to me.” But a part of the data dump, as seen by Gadgets 360, contained these details for a huge number of users, so it appears to be a real dump, and hopefully the company is investigating the matter.

Update, 5PM, Jan 22: In a mailed statement BuyUcoin noted: “This incident remains an ongoing investigation. We will keep all the stakeholders updated about the proceedings and conduct a major cybersecurity overhaul throughout 2021 to upgrade platform security.” You can see the full statement below.

No bitcoins or any other cryptocurrencies appear to have been stolen in the leak. However, in the past, there have been instances of cryptocurrency exchanges and wallets getting hacked and bitcoins being stolen.

In April 2020, a hacker exploited a security flaw in Bisq bitcoin exchange and stole more than $250,000 (roughly Rs. 1.82 crores) worth of cryptocurrency from users. Binance, one of the leading cryptocurrency exchange platforms, also saw a data breach in May 2019 in which hackers were able to steal over $40 million (roughly Rs. 290 crores).

Regarding the recent media reports, we are thoroughly investigating each and every aspect of the report about the malicious and unlawful cybercrime activities by foreign entities in mid-2020. Every BuyUcoin user with active portfolio has 3 factor authentication enabled trading accounts. All our user's portfolio assets are safe within a secure and encrypted environment. 95% of user's funds are kept in cold storage which are inaccessible to any server breach.

BuyUcoin platform has following features to ensure that customer account remains safe and secure from any kind of cyberattack:

1. Strong password and account OTP verification.

2. Google 2 Factor Authentication (enabled from security section under customer's profile)

3. Trading Pin (Under the security section, customers can enable trading pin a six-digit code for transaction verification)

4. Also, as an extra security step, every transaction requires an OTP from customer's email.

However, this incident remains an ongoing investigation. We will keep all the stakeholders updated about the proceedings and conduct a major cybersecurity overhaul throughout 2021 to upgrade platform security. BuyUcoin stands in solidarity with other companies who have faced such unlawful cyber-attacks recently. There is an urgent need to revise the current cybersecurity policy to counter such attacks. BuyUcoin is more than willing to work with industry peers and other relevant stakeholders to protect the financial technology ecosystem.

What will be the most exciting tech launch of 2021? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.