"SIM card swap attack" exposes BlockFi user data, claims funds remain unaffected


The cryptocurrency lending institution BlockFi released an official announcement on Tuesday detailing a customer data leak incident that occurred earlier this week. The report claims that funds were not affected and advises users to enable two-factor authentication (2FA) and set whitelist addresses for withdrawals.

User Funds Unaffected

According to the BlockFi incident report, leaked user information includes names, email addresses, dates of birth, postal addresses, and activity history. However, user funds, passwords, social security numbers, and tax identification numbers were not accessible to the hackers. The exact cause of the incident was a "SIM card swap attack" on an internal employee's phone number by a third party.

A "SIM card swap attack" is also commonly known as SIM card swap fraud. Criminals typically gather a specific target's personal information first, then deceive telecom service personnel into transferring the target's phone number to a SIM card under their control. This effectively gives them access to the "user's phone", and the technique is often aimed at financial accounts and cryptocurrency wallets.

The incident occurred on May 14th, with personal information of nearly half of the retail customers being leaked, while institutional users remained unaffected. BlockFi stated that the attack lasted for about an hour, during which the attackers attempted to withdraw user funds but were unsuccessful, and the unauthorized access to internal systems was promptly terminated.

Expansion This Year

Earlier reports indicated that BlockFi has been strategically expanding this year, with a $30 million strategic financing completed in February, an announcement in mid-March of increased lending rates for Bitcoin and Ethereum (6%, 4.5%), and the hiring of a former American Express executive as the Chief Operating Officer, likely in preparation for the launch of a Bitcoin rewards credit card in the fourth quarter.

Although this data breach incident did not have a significant impact, it provided decentralized finance enthusiasts with an opportunity for criticism. Anthony Sassano, the Product Director of decentralized finance protocol Set Protocol, tweeted:

This is why we build decentralized finance on Ethereum.

Meanwhile, Larry Cermak, the Research Director at The Block, pointed out:

BlockFi got lucky. Just as they announced a massive data breach, BitMEX's trading engine went down, and everyone is talking about BitMEX. I'm pretty sure BlockFi has lost the trust of many users.

BlockFi emphasized that while some users' personal information was leaked over a short period, the intruders could not access account or fund-related information. The company is continuing to review and improve its systems and security procedures to better respond to similar attacks in the future.
