Bitcoin
$63,587.45+1.71%
Ethereum
$3,184.09-0.53%
Binance Coin
$592.97+0.01%
Solana
$136.97+0.70%
XRP
$0.51378042+1.28%
Dogecoin
$0.14358464-0.67%
Toncoin
$5.38+0.57%
Cardano
$0.45888656+1.00%
Shiba Inu
$0.00002415+1.51%
Avalanche
$35.08+4.64%
Tron
$0.11967146-0.79%
Wrapped Bitcoin
$63,584.73+1.49%
PlayIconNav
Crypto Prices CoinDesk 20 Index CoinDesk 20 Index
Countdown to Consensus 2024The largest and longest running event that covers all sides of Crypto and Web 3
29
DAYS
08
HR
43
MIN
31
SEC
Markets

Crypto Loans Firm Left Thousands of Users' Financial Data Exposed

Crypto loans platform YouHodler left a database with millions of logs containing users' private financial data unprotected, researchers found.

By Daniel Palmer
AccessTimeIconJul 25, 2019 at 11:40 a.m. UTC
Updated Sep 13, 2021 at 11:14 a.m. UTC
Binary data
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Cryptocurrency loans platform YouHodler left millions of records containing private financial data from thousands of users exposed online, researchers found.

In a blog post, vpnMentor said its research team, led by Noam Rotem and Ran Locar, discovered a database leak as part of their web-mapping project and traced it back to YouHodler.

The data, they found, exposed comes to more then 86 million records that includes users’ names, email addresses, home addresses, phone numbers and birthdays. It gets worse. Credit card numbers, CVV numbers, bank details and crypto wallet addresses were also exposed in the data.

"The implications of this breach are extensive," said the firm.

VpnMentor said it had contacted YouHodler on July 22, which responded a day later and fixed the issue.

YouHodler's website indicates that it has served over 3,500 customers and provided over $10 million in loans.

In its own blog post on the breach, YouHodler claimed the exposed files "did not contain any sensitive information and no one was affected."

The first part of that statement flies in the face of the researchers' findings, however. Rotem and Locar provided screengrabs of the data (with portions hidden to conceal user data) that seem to back up the claim that they were able to find CCVs (top image) and card numbers (bottom image) in the logs.

youholder-ccv-data
youhod-card-data

The team said "The first example shows that we still found all of the details needed to take full control of the card – including CVV numbers."

They added that, while the card holder’s name isn’t displayed in either of these logs, "numerous other records stored both names and credit card numbers together."

The researchers further found data allowing them to link users' names to bitcoin wallet addresses.

According to vpnMentor:

"The nature of the data that leaked from YouHodler’s database could have serious consequences. Any platform that stores credit card data should be taking several security precautions. If YouHodler only stored the BIN and last four digits of user credit cards, there wouldn’t be as much of an impact in this regard."

YouHodler said that it "understands user data is potentially at risk of being compromised from outside the platform," continuing:

"We do our best to prevent that from happening by implementing two-factor authentication and email verification. We are sure that all security settings are checked and renewed and there’re no vulnerabilities in our systems."

It seems its "best" wasn't good enough in this case.

Data image via Shutterstock; screengrabs courtesy of vpnMentor

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.