One of the world’s largest cryptocurrency exchanges has fallen victim to hackers, who were able to use information they stole to plunder users’ accounts.
According to local media reports, Bithumb informed the Korea Internet & Security Agency (KISA) late last week that the personal information on approximately 32,000 customers was compromised – although passwords were not taken.
As Brave New Coin describes, a hacker broke into the home PC of an employee of South Korea’s largest bitcoin exchange, rather than the exchange’s internal network.
Questions obviously should be asked as to how such sensitive information was being stored on a worker’s home computer.
Having hacked into the computer, the criminal was able to grab personal information of thousands of users, including customers’ names, mobile phone numbers, and email addresses. Some victims are then thought to have been targeted by scammers who phoned them up, posing as employees of Bithumb:
One victim claims that the attacker posed as an executive at Bithumb and phoned to say that he was “suspicious of a foreign hacking transaction,” and instructed his victim to give him an “identification number written on the letter from Bithumb.” The number in question was the victim’s One-Time Password (OTP), which granted the attacker immediate access to ten million won, worth about US $8,700.
Of course, we’ve all seen plenty of scams like this in the past – where fraudsters ring you at home claiming to work for a bank or organisation with which you have a relationship. Typically fraudsters will lull you into a false sense of security by quoting your account number, confirming your physical address, or other information which you may imagine that only the company would know (and that hopefully they would have kept under close guard) in order to extract more details.
That’s why it’s so important to put the onus on organisations who phone you up at home to prove their identity, before you share any additional information with them. One good technique can be to ring the company’s support team back (although be careful not to trust the phone number that the person on the other end of the call is offering you!) or to log into your account to see if you have any messages waiting.
A security and privacy-conscious company will certainly respect you for being cautious about who you share your sensitive account details with. And it should go without saying that you should never share your password with anyone else, in particular not someone who has rung you up out-of-the-blue claiming to be from the company.
Bithumb has apologised for the security breach, and the site is offering a lump sum payment of 100,000 South Korean Won (equivalent to about US $87) to any customer confirmed to have had their personal information leaked on July 5th.
It is reported that some of the compromised Bithumb users are planning to file a class action lawsuit in response to the hack.