Over 161,400 users of ‘BuyUCoin’, a cryptocurrency exchange based in India, have reportedly been the victims of a personal data breach.
News of the breach originally broke on January 21st, when cybersecurity researcher Rajshekhar Rajaharia posted screenshots of the leaked data on Twitter.
Trading in #cryptocurrency? 3.5 Lakh Users data including me leaked From @buyucoin. The leaked data contains Name, Email, Mobile, bank account numbers, PAN Number, Wallets Details etc. Again didn't informed to affected users by company.
Story – https://t.co/rUrfSQ96Z1 #InfoSec pic.twitter.com/1xFOtLcd8F
— Rajshekhar Rajaharia (@rajaharia) January 21, 2021
Inc42, an Indian news outlet, reported that a group of hackers known as the ‘ShinyHunters’ was responsible for the leak. The group hacked into a database that contained names, bank account details, email addresses, phone numbers and tax identification numbers that belong to the exchange’s users. Data detailing certain users’ trading activities were also leaked.
The number of affected individuals was originally thought to be 325,000, all of the exchange’s users. However, Bleeping Computer later reported that the breach only seemed to have affected half of the exchange’s users.
CoinTelegraph reported that BuyUCoin initially either was not aware of the attack or was attempting to downplay the effects of the hack, claiming at first that not even a single customer was affected by the data breach; the statement also referred to the news of the attack as ‘rumors’.
Eventually, however, the exchange released another statement saying that it was “thoroughly investigating each and every aspect of the report about malicious and unlawful cybercrime activities by foreign entities.” Additionally, the exchange said that user funds were not affected, adding that 95% of the funds in its custody are kept in cold storage.
Personal Data Breaches Can Have Serious Consequences for Users
Moreover, Inc42 reported that ShinyHunters has leaked user data from other Indian companies, including “Juspay, Clickindia, Chqbook and Bigbasket.” Because each of these hacks resulted in a data ‘dump’, all of the data appears to have been stolen through breaches of the companies’ servers.
As cryptocurrency exchange asset custody has improved over the last several years, large-scale thefts of digital assets from crypto exchanges are less and less common. However, personal data breaches are still a fairly regular occurrence, and they can have dire consequences for users.
Beyond the risk of identity theft, users whose data has been breached often become the victims of phishing and data ransom attacks.
Following a data breach that affected a number of users of Ledger hardware wallets in mid-2020, Finance Magnates reported that competing hardware wallet firm Trezor told its users to be wary of phishing attacks by malicious actors.
Indeed, Trezor suggested that the attackers were using data obtained from the hack of Ledger’s e-commerce database and blindly sending texts to customers. The texts contained phishing links that prompted users to enter their seeds.