Crypto Loans Firm Left Thousands of Users' Financial Data Exposed

Crypto loans platform YouHodler left a database with millions of logs containing users' private financial data unprotected, researchers found.

AccessTimeIconJul 25, 2019 at 11:40 a.m. UTC
Updated Sep 13, 2021 at 11:14 a.m. UTC
Consensus 2023 Logo
Join the most important conversation in crypto and Web3 taking place in Austin, Texas, April 26-28.
Consensus 2023 Logo
Join the most important conversation in crypto and Web3 taking place in Austin, Texas, April 26-28.

Cryptocurrency loans platform YouHodler left millions of records containing private financial data from thousands of users exposed online, researchers found.

In a blog post, vpnMentor said its research team, led by Noam Rotem and Ran Locar, discovered a database leak as part of their web-mapping project and traced it back to YouHodler.

The data, they found, exposed comes to more then 86 million records that includes users’ names, email addresses, home addresses, phone numbers and birthdays. It gets worse. Credit card numbers, CVV numbers, bank details and crypto wallet addresses were also exposed in the data.

"The implications of this breach are extensive," said the firm.

VpnMentor said it had contacted YouHodler on July 22, which responded a day later and fixed the issue.

YouHodler's website indicates that it has served over 3,500 customers and provided over $10 million in loans.

In its own blog post on the breach, YouHodler claimed the exposed files "did not contain any sensitive information and no one was affected."

The first part of that statement flies in the face of the researchers' findings, however. Rotem and Locar provided screengrabs of the data (with portions hidden to conceal user data) that seem to back up the claim that they were able to find CCVs (top image) and card numbers (bottom image) in the logs.

CoinDesk - Unknown

CoinDesk - Unknown

The team said "The first example shows that we still found all of the details needed to take full control of the card – including CVV numbers."

They added that, while the card holder’s name isn’t displayed in either of these logs, "numerous other records stored both names and credit card numbers together."

The researchers further found data allowing them to link users' names to bitcoin wallet addresses.

According to vpnMentor:

"The nature of the data that leaked from YouHodler’s database could have serious consequences. Any platform that stores credit card data should be taking several security precautions. If YouHodler only stored the BIN and last four digits of user credit cards, there wouldn’t be as much of an impact in this regard."

YouHodler said that it "understands user data is potentially at risk of being compromised from outside the platform," continuing:

"We do our best to prevent that from happening by implementing two-factor authentication and email verification. We are sure that all security settings are checked and renewed and there’re no vulnerabilities in our systems."

It seems its "best" wasn't good enough in this case.

Data image via Shutterstock; screengrabs courtesy of vpnMentor


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Learn more about Consensus 2023, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.