Password data and other pieces of personal data belonging to as many as 1.4 million accounts on the Gatehub cryptocurrency wallet service and 800,000 accounts on RuneScape bot provider EpicBot have been posted online, according to a November 20th report by Dan Goodin, Security Editor at Ars Technica. The leaks were discovered by Troy Hunt, a security researcher who runs the Have I Been Pwned security breach notification service.

The leaked data includes email addresses and passwords associated with both sites that were originally cryptocurrency hashed with bcrypt, which Goodin described as “a function that’s among the hardest to crack.”

The individual who posted the Gatehub database said that the data includes over 3.7 gigabytes worth of two-factor authentication keys, mnemonic phrase wallet recovery seeds, and even wallet hashes. The data was posted to a popular hacker site in August.

However, following an investigation, GateHub officials have said that it seems that there were no wallet hashes--which ostensibly means that while personal data was compromised (personal data that could be used to access crypto accounts), no private keys were directly exposed.

Still, at least one user has been notified by a separate service that his GateHub data had been breached:

The leaked user data from EpicBot, on the other hand, reportedly includes usernames and IP addresses.

GateHub appears to have become aware of the hack several months ago but underestimated its scale

According to an official statement from GateHub in July, the wallet service seems to have become aware that it was hacked three months before the post was made. However, GateHub said in the statement that hackers had “gained unauthorized access to a database holding valid access tokens of our customers.”

However, in the post, GateHub estimated that only 18,473 encrypted customer accounts were accessed--“ a very small fraction of our total user base.” The statement also said that “targeted information” included “email addresses, hashed passwords, hashed recovery keys, encrypted XRP ledger wallets secret keys (non-deleted wallets only), first names (if provided), [and] last names (if provided).” Not every piece of information was shared for each account.

The wallet service also explained that it had notified users whose accounts were accessed, re-encrypted sensitive information, and generated new encryption keys.

However, Goodin pointed out that “the statement didn't explain why the investigation has been unable to verify the authenticity of the data 25 days after it was posted and four months after it was first accessed. It was also unclear precisely what officials meant by ‘re-encrypted.’’

GateHub has been breached in the past

The data breach is not the only hack that GateHub has experienced this year. In June, roughly 100 XRP Ledger wallets were compromised on GateHub. The breach resulted in nearly $10 million worth of stolen funds.

In June, GateHub users were targeted by a Phishing scam. A number of users received emails from addresses that posed as GateHub, including “@gatehub.com” and “@gatehub.net.”

Finance Magnates reached out to GateHub for commentary but did not hear back by press time. Comments will be added to this story as they are received.

Password data and other pieces of personal data belonging to as many as 1.4 million accounts on the Gatehub cryptocurrency wallet service and 800,000 accounts on RuneScape bot provider EpicBot have been posted online, according to a November 20th report by Dan Goodin, Security Editor at Ars Technica. The leaks were discovered by Troy Hunt, a security researcher who runs the Have I Been Pwned security breach notification service.

The leaked data includes email addresses and passwords associated with both sites that were originally cryptocurrency hashed with bcrypt, which Goodin described as “a function that’s among the hardest to crack.”

The individual who posted the Gatehub database said that the data includes over 3.7 gigabytes worth of two-factor authentication keys, mnemonic phrase wallet recovery seeds, and even wallet hashes. The data was posted to a popular hacker site in August.

However, following an investigation, GateHub officials have said that it seems that there were no wallet hashes--which ostensibly means that while personal data was compromised (personal data that could be used to access crypto accounts), no private keys were directly exposed.

Still, at least one user has been notified by a separate service that his GateHub data had been breached:

The leaked user data from EpicBot, on the other hand, reportedly includes usernames and IP addresses.

GateHub appears to have become aware of the hack several months ago but underestimated its scale

According to an official statement from GateHub in July, the wallet service seems to have become aware that it was hacked three months before the post was made. However, GateHub said in the statement that hackers had “gained unauthorized access to a database holding valid access tokens of our customers.”

However, in the post, GateHub estimated that only 18,473 encrypted customer accounts were accessed--“ a very small fraction of our total user base.” The statement also said that “targeted information” included “email addresses, hashed passwords, hashed recovery keys, encrypted XRP ledger wallets secret keys (non-deleted wallets only), first names (if provided), [and] last names (if provided).” Not every piece of information was shared for each account.

The wallet service also explained that it had notified users whose accounts were accessed, re-encrypted sensitive information, and generated new encryption keys.

However, Goodin pointed out that “the statement didn't explain why the investigation has been unable to verify the authenticity of the data 25 days after it was posted and four months after it was first accessed. It was also unclear precisely what officials meant by ‘re-encrypted.’’

GateHub has been breached in the past

The data breach is not the only hack that GateHub has experienced this year. In June, roughly 100 XRP Ledger wallets were compromised on GateHub. The breach resulted in nearly $10 million worth of stolen funds.

In June, GateHub users were targeted by a Phishing scam. A number of users received emails from addresses that posed as GateHub, including “@gatehub.com” and “@gatehub.net.”

Finance Magnates reached out to GateHub for commentary but did not hear back by press time. Comments will be added to this story as they are received.