BuyUCoin initially denied the reports of a data breach, but added that all user funds are safe.
Users of Indian crypto exchange BuyUCoin have reportedly been affected by a breach compromising personal data of more than 325,000 people.
According to a report from Indian news outlet Inc42, a hacking group by the name of ShinyHunters leaked a database containing the names, phone numbers, email addresses, tax identification numbers and bank account details of more than 325,000 BuyUCoin users. However, a later report from Bleeping Computer shows the leaked data may only contain information from 161,487 BuyUCoin members.
Cybersecurity researcher Rajshekhar Rajaharia posted screenshots of the leaked data — recorded until September 2020 — to Twitter last week, which included trading activity and BuyUCoin referral codes.
Trading in #cryptocurrency? 3.5 Lakh Users data including me leaked From @buyucoin. The leaked data contains Name, Email, Mobile, bank account numbers, PAN Number, Wallets Details etc. Again didn't informed to affected users by company.
Story – https://t.co/rUrfSQ96Z1#InfoSec pic.twitter.com/1xFOtLcd8F
— Rajshekhar Rajaharia (@rajaharia) January 21, 2021
BuyUCoin initially claimed that “not even a single customer was affected” by the data breach and referred to the reports as “rumors,” but has since released a statement saying it was “thoroughly investigating each and every aspect of the report about malicious and unlawful cybercrime activities by foreign entities.” The exchange added that all user funds were “safe and sound within a secure environment” as it reported 95% were kept in cold storage.
Though no funds have reportedly been affected in the breach of the exchange, there are still potential risks to BuyUCoin users. Like the exchange’s customers, Ledger users had their personal data compromised in a June and July 2020 data breach affecting 272,853 people who ordered hardware wallets. Some users have since reported receiving threatening emails with demands for a crypto ransom to be paid within 24 hours or they will face “horrifying” consequences.
While real world attacks to steal crypto are much rarer than hacks or scams, they do occur. Whether concerned for their data or their physical well being, some BuyUCoin users expressed their frustration with the reports of the breach.
“What if someone used my account in any illegal activity?” said Rajaharia — also a BuyUCoin user — in a follow-up tweet, calling the exchange’s initial response “irresponsible.”
Cointelegraph reached out to BuyUCoin CEO Shivam Thakral for comment, but did not receive a response at the time of publication.