Fractal ID Data Breach Caused by Vulnerability Leading Back to 2022

Fractal ID, an on-chain identity platform, suffered a hack on July 14th, 2024, that exposed the sensitive data of 0.5% of its users, or 6,300 accounts, to the attackers. Analysis of the incident revealed that the breach traced back to an operator with admin controls setting an insecure password in 2022. The password was a reused one, which broke operational security best practices and allowed the hacker to grab sensitive user-related data, including wallet addresses, KYC details, and personal residential addresses.

On-chain sleuth ZachXBT revealed the details leading to the hack in a recent X post: “The threat actor shared details about the Fractal ID employee who allegedly had his account compromised who did not have 2FA and reused passwords allowing them to easily gain access to his account and exfiltrate data.”

Fractal ID’s team and systems recognized the attack as it occurred and stopped it in around 29 minutes, preventing the hacker from accessing more user data. The company detailed the breach in a report: “On Sunday, July 14th, 2024 at 07:00 UTC, our systems monitoring alerted one of our engineers who was on call. This alert pointed to unusual activity on one of Fractal ID’s backoffices: one specific endpoint, not regularly used in the course of normal operations, was being queried.”

The report continued: “This initially appeared to be a regression on the backoffice’s frontend code, but it soon became clear it was instead evidence of an attack, and at 07:29 UTC they shut down this backoffice to thwart it.” Soon after locking the attacker out, Fractal ID disabled every employee account and then restored access to the accounts belonging to senior employees.
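The alert described in the report, a backoffice endpoint that is rarely used in normal operations suddenly being queried, can be approximated with a baseline of per-endpoint request shares. The following is an added example, not Fractal ID's monitoring code; the endpoint paths, account names, thresholds and log records are all constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def rare_endpoints(baseline, max_share=0.01):
    """Endpoints whose share of baseline requests is at or below max_share."""
    counts = Counter(ep for _, _, ep in baseline)
    total = sum(counts.values())
    return {ep for ep, n in counts.items() if n / total <= max_share}

def detect(baseline, live, window=timedelta(minutes=5), burst=3, max_share=0.01):
    """Alert once per (account, endpoint) when a rare or never-seen endpoint
    is hit `burst` times by one account inside `window`."""
    known = {ep for _, _, ep in baseline}
    rare = rare_endpoints(baseline, max_share)
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, account, ep in sorted(live):
        if ep in known and ep not in rare:
            continue  # routine endpoint, ignore
        key = (account, ep)
        hits = recent[key]
        hits.append(ts)
        while ts - hits[0] > window:  # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= burst and key not in alerted:
            alerted.add(key)
            alerts.append({"time": ts, "account": account,
                           "endpoint": ep, "hits": len(hits)})
    return alerts

# Constructed sample records (timestamp, account, endpoint); not real log data.
T0 = datetime(2024, 7, 14, 7, 0)
BASELINE = (
    [(T0 - timedelta(hours=h), "op-1", "/backoffice/cases") for h in range(1, 301)]
    + [(T0 - timedelta(hours=h), "op-2", "/backoffice/users/search") for h in range(1, 201)]
    + [(T0 - timedelta(days=30), "op-1", "/backoffice/users/export")]
)
LIVE = (
    [(T0 + timedelta(seconds=20 * i), "op-7", "/backoffice/users/export") for i in range(6)]
    + [(T0 + timedelta(minutes=1), "op-2", "/backoffice/users/search"),
       (T0 + timedelta(minutes=2), "op-1", "/backoffice/users/export")]
)

if __name__ == "__main__":
    for alert in detect(BASELINE, LIVE):
        print(alert)
```

The burst threshold keeps a single legitimate use of the rare endpoint from paging anyone, while repeated queries from one account raise an alert within seconds.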

Going forward, the on-chain identity platform has taken steps to ensure that vulnerabilities arising this way do not recur: technical measures will prevent employees from sidestepping operational security. Moreover, Fractal ID has contacted authorities to take action against the criminal, improved its security infrastructure and practices, and contacted an external cybersecurity firm.

Finally, it looks to switch to self-custody of its user base’s data rather than relying on a centralized server, which was the root cause of this attack.
