Why hasn’t Fractal ID addressed its possible data breach?

Fractal ID Fractal ID

Crypto sleuth ZachXBT has called out the team behind Fractal ID for not addressing a data breach from last week. ZachXBT underlines that last week’s breach reports contained “personal photos, bank statements, wallet addresses, proof of address involving 300K users. This was on Oct 16, but it’s now Oct 21.”

Fractal ID under fire for incompetence

On October 17th, 2024, the Stormous ransomware gang claimed they had successfully stolen over 10 gigabytes of customer data from Web3 identity outfit Fractal ID. Stormous claimed this on its darknet leak platform and elaborated further on its Telegram channels.

A spokesperson of the ransomware-as-a-service operation said in a Telegram post, “We have extracted over 10GB of DATA from the KYC system of Fractal ID and some of its other systems […] The breach includes more than 300,000 users linked to Fractal ID clients in its KYC service.”

Stormous  added, “The total amount of data we managed to access exceeded 10 GB [to] 12GB, including personal photos, bank statements, proof of address, and ETH/BTC addresses.”

Advertisement

That’s not all. The hacker group promised to publish a report on Fractal ID’s “data protection” soon. In a tweet on X, ZachXBT says, he “Would have expected after your last security incident your team would be on top of this to reassure all of your users.” What was he talking about?

The current hack would be the second cyber security incident Fractal ID has suffered in 2024. On 14 July, the entity was hacked, impacting 6,300 users. 

In a 19 August blog post. Fractal ID explained what happened in July: “The breach on July 14th, 2024, was carried out by an unauthorized party who gained access using compromised operator credentials […] This access allowed the extraction of data through an API using privileged administrative rights.”

Fractal ID has yet to address the hacking claims as of this publication.

Advertisement

This is a developing story.