Fractal ID, a blockchain identity platform, disclosed a data breach that occurred on July 14. According to a notice on Fractal’s website, the breach involved an attacker gaining access to an operator’s account, resulting in the exposure of a small portion of users’ personal data. Fractal ID’s partners include Gnosis Pay, decentralized finance app Acala, the proof-of-personhood project Polygon ID, social media platform Lukso, and other Web3 applications.
While Fractal did not specify which partners were impacted, some users on the social media platform X reported receiving warning emails from Gnosis Pay, advising them to “be cautious of unsolicited communications.”
The breach affected about 0.5% of Fractal ID’s user base. The notice stated that “A third party external to Fractal ID gained unauthorized access to an operator’s account and ran an API script at 05:14 am UTC to access users’ personal data.” The Fractal team identified the breach and terminated the attacker’s access by 07:29 am UTC, limiting the breach to two hours and 14 minutes.
The potentially compromised data includes names, email addresses, wallet addresses, phone numbers, physical addresses, and images of uploaded documents. Fractal assured users that the breach was contained within its own environment and did not impact clients’ systems or products. However, it advised affected users to remain vigilant against unsolicited requests for additional personal information.
In the cryptocurrency sector, most jurisdictions require exchanges and payment providers to record and store know-your-customer (KYC) information, which can include users’ identity documents, names, addresses, and other sensitive data. Proponents argue that KYC requirements help prevent money laundering, while critics highlight the risks of personal data breaches.
As the blockchain and cryptocurrency industries continue to develop, safeguarding sensitive user data remains a significant challenge for service providers.