Data breach at Indian exchange BuyUCoin

Data breach at Indian exchange BuyUCoin: 325,000 users‘ data compromised

Hackers have managed to get their hands on BuyUCoin users‘ personal data, but the funds remain safe in cold wallets

A data breach suffered by Indian exchange BuyUCoin has compromised the personal data of more than 325,000 people.

According to a report by Inc42, the hacker group „ShinyHunters“ made public a database containing names, phone numbers, email addresses, social security numbers, and bank account like Bitcoin Lifestyle details of over 325,000 BuyUCoin users. However, a subsequent Bleeping Computer document shows that the leaked data may contain the information of „only“ 161,487 BuyUCoin members.

Rajshekhar Rajaharia, a cybersecurity researcher, posted screenshots of the data in question on Twitter, which appears to include a large amount of information:

„Do you trade cryptocurrencies? I am also one of the users affected by the @buyucoin data breach. The data includes names, emails, bank account and mobile phone numbers, wallet details etc. Again, the affected users were not notified by the company.“

Trading in #cryptocurrency? 3.5 Lakh Users data including me leaked From @buyucoin. The leaked data contains Name, Email, Mobile, bank account numbers, PAN Number, Wallets Details etc. Again didn’t informed to affected users by company.

Story –
– Rajshekhar Rajaharia (@rajaharia) January 21, 2021

BuyUCoin had initially claimed that „not a single customer was affected“ by the data breach, and had classified the reports as „rumours“.

The company later released a statement, noting that it was „thoroughly investigating every aspect of the report regarding malicious and illegal cybercrime activity by foreign entities.“ The exchange added that all user funds are „safe and sound within a secure environment,“ as 95 percent of them are in cold storage.

Even if hackers have not managed to get their hands on the funds, there are still potential risks for BuyUCoin users: think of what happened to Ledger, a hardware wallet company. The personal data of Ledger users was compromised in a data breach between June and July 2020, which affected 272,853 people. Since then, some users have reported receiving threatening emails demanding the payment of cryptocurrency ransoms.

Some BuyUCoin users, worried for their safety, have expressed anger and concern following the publication of the reports. Rajaharia, who is also a user of the platform, wonders:

„What would happen if someone decides to use my account for some illegal activity?“.

The researcher also branded the exchange’s initial response as „irresponsible“.