Fractal ID, an on-chain identity platform, recently experienced a data breach that exposed the sensitive information of 0.5% of its users, totaling 6,300 accounts. The breach, which occurred on July 14th, 2024, was the result of an operator using an insecure password that was set back in 2022. This password, which was reused and against operational security best practices, allowed a hacker to access user data such as wallet addresses, KYC details, and personal residential addresses.
The details leading to the hack were uncovered by on-chain sleuth ZachXBT, who shared information about a Fractal ID employee whose account was compromised due to a lack of 2FA and password reuse. This made it easy for the hacker to infiltrate the account and extract data.
Fortunately, Fractal ID’s team and systems detected the attack in progress and were able to stop it within 29 minutes, preventing the hacker from accessing more user data. The company promptly issued a report detailing the breach, explaining that unusual activity was detected in one of its backoffices, leading to the shutdown of the system to prevent further unauthorized access.
In response to the breach, Fractal ID has implemented various security measures to prevent similar incidents in the future. These measures include technical safeguards to prevent employees from bypassing operational security, contacting authorities to pursue legal action against the perpetrator, enhancing security infrastructure and practices, and engaging an external cybersecurity firm for additional support.
Furthermore, Fractal ID has decided to transition to self-custody of user data instead of relying on a centralized server, which was the underlying cause of the breach. This shift aims to provide greater security and control over user information, reducing the risk of future breaches.
By taking these proactive steps and learning from this incident, Fractal ID is working to strengthen its security posture and protect user data from potential threats. The company remains committed to safeguarding user information and maintaining the trust and confidence of its user base in the wake of this breach.