Users of Indian crypto exchange BuyUCoin have been reportedly affected by a personal data breach of more than 325,000 people.
According to a report by Indian news outlet Inc42, a hacking group called ShinyHunters leaked a database of the names, phone numbers, email addresses, tax identification numbers and bank account information of more than 325,000 BuyUCoin users. A later report from Bleeping Computer shows the leaked data may only contain information from 161,487 BuyUCoin members.
Cybersecurity researcher Rajshekhar Rajaharia Posted screenshots of the leaked data – recorded through September 2020 – to Twitter last week, including trading activity and BuyUCoin referral codes.
Trade in #cryptocurrency? 3.5 Lakh user data, including me, leaked from @Buyucoin. The leaked data includes name, email, mobile, bank account numbers, PAN number, wallet details etc. Again not informed by the company to the affected users.
Story – https://t.co/rUrfSQ96Z1#InfoSec pic.twitter.com/1xFOtLcd8F
– Rajshekhar Rajaharia (@rajaharia) January 21, 2021
BuyUCoin initially claimed that “not even a single customer was affected” by the data breach and referred to the reports as “rumors,” but has since released a statement stating that it “thoroughly investigated every aspect of the report on malicious and unlawful cybercrime by foreign entities”. The exchange added that all user funds were “safe and sound in a secure environment” as 95% was kept in cold storage.
While no funds have reportedly been affected by the exchange’s breach, there are still potential risks to BuyUCoin users. Like the exchange’s customers, Ledger users compromised their personal information during a data breach in June and July 2020, affecting 272,853 people ordering hardware wallets. Some users have since reported receiving threatening emails demanding that a crypto ransom be paid within 24 hours, otherwise they will face “horrific” consequences.
While real-world attacks to steal crypto are much rarer than hacks or scams, they do occur. Some BuyUCoin users expressed frustration with the breach reports, whether they were concerned about their data or their physical well-being.
“What if someone has used my account for illegal activities?” said Rajaharia – also a BuyUCoin user – in a follow-up tweet, calling the exchange’s initial response “irresponsible”.
Cointelegraph reached out to BuyUCoin CEO Shivam Thakral for comment, but received no response at the time of publication.