Password data and other pieces of personal data belonging to as many as 1.4 million accounts on the GateHub cryptocurrency wallet service and 800,000 accounts on RuneScape bot provider EpicBot have been posted online, according to a November 20th report by Dan Goodin, Security Editor at Ars Technica. The leaks were discovered by Troy Hunt, a security researcher who runs the Have I Been Pwned security breach notification service.
The leaked data includes email addresses and passwords associated with both sites that were cryptographically hashed with bcrypt, which Goodin described as “a function that’s among the hardest to crack.”
The individual who posted the GateHub database said that the data includes over 3.7 gigabytes worth of two-factor authentication keys, mnemonic phrase wallet recovery seeds, and even wallet hashes. The data was posted to a popular hacker site in August.
However, following an investigation, GateHub officials have said that it seems there were no wallet hashes, which ostensibly means that while personal data was compromised (personal data that could be used to access crypto accounts), no private keys were directly exposed.
Still, at least one user has been notified by a separate service that his GateHub data had been breached:
@troyhunt Just got word from Experian's IDNotify that my credentials for @GateHub were found compromised on the dark web. FYI in case you were getting any news about a GateHub breach or hack.
— Aashish Koirala (@aashishkoirala) November 14, 2019
The leaked user data from EpicBot, on the other hand, reportedly includes usernames and IP addresses.
GateHub appears to have become aware of the hack several months ago but underestimated its scale
According to an official statement from GateHub in July, the wallet service seems to have become aware that it was hacked three months before the post was made. In the statement, GateHub said that hackers had “gained unauthorized access to a database holding valid access tokens of our customers.”
However, in the post, GateHub estimated that only 18,473 encrypted customer accounts were accessed, “a very small fraction of our total user base.” The statement also said that “targeted information” included “email addresses, hashed passwords, hashed recovery keys, encrypted XRP ledger wallets secret keys (non-deleted wallets only), first names (if provided), [and] last names (if provided).” Not every piece of information was shared for each account.
The wallet service also explained that it had notified users whose accounts were accessed, re-encrypted sensitive information, and generated new encryption keys.
However, Goodin pointed out that “the statement didn't explain why the investigation has been unable to verify the authenticity of the data 25 days after it was posted and four months after it was first accessed. It was also unclear precisely what officials meant by ‘re-encrypted.’”
GateHub has been breached in the past
The data breach is not the only hack that GateHub has experienced this year. In June, roughly 100 XRP Ledger wallets were compromised on GateHub. The breach resulted in nearly $10 million worth of stolen funds.
With less than 1 million XRP left in possession of the perpetrators, we have published an update on the Gatehub hack, summarising what we know per today. https://t.co/XQUGbD66DW
— XRP Forensics (@xrpforensics) June 17, 2019
In June, GateHub users were targeted by a phishing scam. A number of users received emails from addresses that posed as GateHub, including “@gatehub.com” and “@gatehub.net.”
Got phishing mail to my gatehub-unique email address. DB leak? https://t.co/RJe4Dem1Qp pic.twitter.com/XhtB2drPsD
— Jason Fernandes (@TokenJay) November 15, 2019
Finance Magnates reached out to GateHub for commentary but did not hear back by press time. Comments will be added to this story as they are received.