Until recently, cryptocurrency users and traders were generally concerned that their favorite centralized or decentralized platform would one day become the victim of an exploit, and their hard-earned digital assets would be at the mercy of hackers.
The Axie Infinity hack in late March shook the crypto industry and the entire financial world due to the magnitude of the loss, estimated at $600 million at the time. The BNB Chain hack in early October almost equaled the Axie Infinity amount as the attacker almost got away with $570 million. But the quick thinking of the BNB Chain team to halt the chain lessened the loss to $100 million.
Celsius Network Leaked 14,500 Pages Worth of Customer Data
Also in October, crypto lender Celcius Network released to the public domain a 14,500-page document that revealed the personal data of over 600k of its customers. The sensitive data included users’ full names, types and amounts transacted, crypto holdings, deposits, withdrawals, interest earnings, and more.
The Celsius data dump was later revealed to be a standard legal requirement for bankruptcy proceedings in the United States. Court cases of such magnitude require creditors to be identified to determine if their claims to assets of the estate that owes them are legitimate. Celsius had also attempted to keep the personal information of its customers confidential, but the courts only allowed the redaction of home and email addresses.
Another Personal Data Leak Emerged Linking 110k Twitter Accounts to Crypto Addresses
The dust had not yet settled on the Celsius Network data leak when another one was reported on October 13th by crypto Twitter community member @officer_cia. In their Tweet that has since been deleted, they stated that someone had made a database of 110k Twitter accounts linking them to their crypto addresses. Still, a link to the document exists on the internet.
Personal Data Breaches in Crypto Are on The Rise
The almost back-to-back data leaks in October brought to light a new worrying trend of personal data breaches suddenly becoming popular in the crypto and blockchain industries. Quick research reveals that such incidences have been more common than earlier thought.
Past data breaches affecting the security and privacy of crypto users include the following:
- In September 2022, Revolut notified the Lithuanian State Data Protection Inspectorate about an incident involving unauthorized access to the personal data of its 50k customers through phishing
- OpenSea also reported a data breach in June 2022, where an outside contractor tasked with managing its newsletter copied the entire list of customer emails and shared it with an outside party
- Robinhood suffered a similar fate in November 2021 when an unnamed third party obtained a list of email addresses of approximately 5 million of its users and the full names of another group of 2 million
- Crypto hardware company Ledger experienced a data breach in January 2021 when rogue members of Shopify’s support team exposed the records of 20k of its new customers. The records included emails, names, addresses, and phone numbers, leading to some of their clients being targeted in phishing attacks
- In December 2020, a hacker dumped a large amount of data exposing the personal information of over 270k Ledger customers
Centralized Platforms Seem to be the Main Source of Personal Data Leaks
From the list above, it can be loosely concluded that the personal data leaks happening in the crypto-verse have been the result of security breaches on centralized platforms, which often emphasize and implement Know-Your-Customer (KYC) procedures.
Centralized platforms and companies provide a honeypot for malicious hackers and rogue employees tempted by the financial worth of such personal information. Personal data is only as safe as the security measures implemented by the teams at these companies and projects.
Can Personal Data Leaks be Prevented in the Blockchain Industry?
A quick fix to this problem can be for crypto users to utilize decentralized platforms that only require a blockchain address for one to use them. Information on the blockchain can remain relatively anonymous and secure if there is no obvious link to a person owning the corresponding blockchain address(es).
Another alternative is to use crypto mixers such as the now infamous Tornado Cash, which provides a means of obfuscating the transactional trail of Ethereum transactions that is usually public on the blockchain network.
Then again, crypto users in the US are prevented from using Tornado Cash. Others worldwide avoid it entirely as its use opens the doors to additional scrutiny and even blocking of personal transactions by crypto asset service providers bound by law to comply with sanctions and special lists of blocked persons or entities.
Regulators are also looking for ways to reduce or completely eliminate decentralized protocols’ anonymous aspect.
Therefore, options that guarantee anonymity could start disappearing in the future, leaving crypto users with no choice but to transact on centralized platforms that request and store their data.
Social Media Users’ Habits Sometimes Compromise Personal Data
As highlighted by the document linking 110k Twitter users to their blockchain addresses, personal data breaches are not limited to the direct use of centralized crypto asset service providers.
In this instance, someone probably slowly and diligently followed the affected individuals on Twitter and logged their blockchain addresses whenever they shared them freely on social media. In addition, most on the list have their Ethereum Name Service (ENS) name shared on their profiles which can easily be used to figure out their respective blockchain addresses.
This leaves social media users with the challenge of being more vigilant about what personal information they share online. Privacy is also a personal responsibility, given that attackers are known to use social engineering techniques to trick individuals through phishing into revealing sensitive information that can lead to the theft of their identity and funds.
In a nutshell, the almost back-to-back incidences by the Celsius Network and the one briefly exposed by crypto Twitter community member @officer_cia revealed an often ignored security and privacy risk of personal data breaches that have far-reaching impacts on its victims.
Centralized crypto asset providers are often the sources of such breaches. However, the personal habits of crypto and social media users have also led to the unintentional disclosure of such information.
Crypto users are thus responsible for being mindful of their online activities and utilizing tools such as the OMNIA protocol that increase their off-chain privacy. OMNIA’s solution reduces the chances of malicious actors gaining access to personal metadata generated by users accessing the blockchain. The OMNIA protocol can be accessed on app.omniatech.io.