CryptoTrader.Tax has been hacked, this is a website that allows calculating the taxes to be paid on cryptocurrency transactions in various countries around the world.
The website also allows downloading a tax report, which means that it requests and stores personal data.
It seems that the hacker was looking precisely for that: the personal data of users registered on the website. In fact it seems that data of more than a thousand users has been stolen.
The hacker was able to access the website’s support platform thanks to a marketing and customer service account. With this access, the hacker could see the names, e-mail addresses, payment processor profiles and messages of the users.
After acquiring this information, he partially posted it on a dark web forum to attract potential buyers.
How did the CryptoTrader.Tax hack occur
The hack was confirmed by the co-founder and CEO of CryptoTrader.Tax, David Kemmerer, revealing that the unauthorized access occurred on April 7th with an account of a customer service employee.
He also confirmed that the hacker downloaded a file containing 13,000 lines of information, including 1,082 email addresses, and had access to information such as user income from commissions and affiliate revenues.
An internal investigation of the company revealed that the hacker didn’t gain access to users’ passwords, and no user accounts were compromised.
The company claims to have taken new measures to improve the security of the website and the monitoring systems.
This hack in some ways resembles the one that struck Twitter on July 15th, and at a time when many online platform operators are working in smart working, i.e. remotely, it should come as no surprise if attacks of this type were to increase.
In fact, it may not be particularly difficult to circumvent the protections thanks to social engineering attacks aimed at employees with access credentials to platforms for support or management.
In fact, it is very difficult for companies to control the actual operations of their employees when they are working in smart working, and in the case of employees who are not particularly careful, it may not be very difficult for experienced hackers to get hold of their access credentials, or even have them unwittingly handed over by the employees themselves.