A hacker, or group of hackers, claims to have hacked into the server of Vietnamese crypto trading app Onus and stolen the personal data of over 1.9 million users on December 25. The data has been put up for sale on a forum, where similar data sets are often offered to buyers.
“To ensure users’ safety, we’ve actively worked with security experts to find vulnerabilities and implement additional methods to improve the whole system’s security. We also carried out an upgrade to the asset management and storage system,” Onus tweeted on Monday, adding that affected users should change their passwords to protect their accounts and assets.
One day before the data went up for sale, Onus, a crypto exchange app that launched in March 2020, said that its team had detected “a large-scale cyberattack” that took place on December 24. At the time, Onus did not indicate the number of customers whose data may have been compromised.
“Through a security hole, a third party was able to gain unauthorized access to and steal certain critical Onus data,” the firm said in an announcement, adding that customers’ assets were not affected by the incident.
The data breach exposed sensitive personal information like users’ legal names, contact information, addresses, encrypted passwords, and transaction history. In particular, copies of ID cards, images of which are uploaded for know-your-customer (KYC) purposes, could be used for identity fraud and other crimes.
The hacker (or hackers), who goes by “vndcio,” said that most of the users whose data was exploited are Vietnamese. After posting images of IDs belonging to users in Vietnam, India, and Indonesia, vndcio also posted two KYC clips in which users filmed their faces from different angles for identity verification.
Failure to apply managerial, technical, and physical measures to protect personal data could result in a fine of VND 60 to 80 million (USD 2,640 to 3,500), according to Vietnam’s latest decree on personal data protection, which went into effect on Dec. 1.