Cybersecurity researcher Jeremiah Fowler has discovered a non-password-protected database that contained records relating to a cryptocurrency sales platform.
Upon further investigation, Fowler found the database belonged to Fiatusdt.com, which provides an online exchange currency platform for buying and selling cryptocurrency.
The database contained highly sensitive data that was accessible to anyone with an internet connection.
The records included customer names, bank account numbers, purchase and sales records, screenshots of deposits and withdrawals, and more. The records also showed a transaction hash/ID, wallet addresses for transactions, and an estimated 20,000 passports or identity card images. Know Your Customer (KYC) compliance records and identification images were also among the records found.
KYC is a standard process to verify customers, which is required by nearly all payment processors, banks, and other financial institutions.
Fowler identified customer ID documents from all over the world, with a majority from the Asia Pacific region, including Malaysia, India, Australia, Indonesia, China, Oman, and Singapore. The security of the ancillary data accompanying the sale and purchase of cryptocurrency is a cause for concern, as exposed identity documents and account details could fuel illicit activities and fraud.
The practice of storing website images and sensitive documents together in the same database, with no authentication, is a major security weakness. Crypto exchanges provide users with services that can include managing user accounts and their private keys.
Most deposits in a traditional bank account are protected at some level, or are covered by state-sponsored insurance plans that protect against loss or theft. However, at present there are no government regulations to support the financial claims of investors in the event that cryptocurrency deposits are stolen from an exchange.