Cryptocurrency loans platform YouHodler left millions of records containing private financial data from thousands of users exposed online, researchers found.
In a blog post, vpnMentor said its research team, led by Noam Rotem and Ran Locar, discovered a database leak as part of their web-mapping project and traced it back to YouHodler.
The data, they found, exposed comes to more then 86 million records that includes users’ names, email addresses, home addresses, phone numbers and birthdays. It gets worse. Credit card numbers, CVV numbers, bank details and crypto wallet addresses were also exposed in the data.
"The implications of this breach are extensive," said the firm.
VpnMentor said it had contacted YouHodler on July 22, which responded a day later and fixed the issue.
YouHodler's website indicates that it has served over 3,500 customers and provided over $10 million in loans.
In its own blog post on the breach, YouHodler claimed the exposed files "did not contain any sensitive information and no one was affected."
The first part of that statement flies in the face of the researchers' findings, however. Rotem and Locar provided screengrabs of the data (with portions hidden to conceal user data) that seem to back up the claim that they were able to find CCVs (top image) and card numbers (bottom image) in the logs.
The team said "The first example shows that we still found all of the details needed to take full control of the card – including CVV numbers."
They added that, while the card holder’s name isn’t displayed in either of these logs, "numerous other records stored both names and credit card numbers together."
The researchers further found data allowing them to link users' names to bitcoin wallet addresses.
According to vpnMentor:
YouHodler said that it "understands user data is potentially at risk of being compromised from outside the platform," continuing:
It seems its "best" wasn't good enough in this case.
Data image via Shutterstock; screengrabs courtesy of vpnMentor