A theft of personal data of Gemini crypto exchange customers has occurred.
However, the theft did not occur on the exchange's own servers but on those of another, unidentified platform that nevertheless held personal data of the exchange's users.
According to the official version, it was "an incident at a third-party vendor."
The crypto exchange Gemini
Gemini is one of the largest US crypto exchanges, based in New York.
It does not have the volumes of Coinbase, but because it is regulated under the laws of New York State, one of the strictest jurisdictions in the financial sphere, it has many customers who seek very high levels of security and compliance.
So it would be very surprising if the attack had been carried out against Gemini itself, and indeed the vulnerability exploited turned out to be at a third-party vendor.
It is now increasingly common for crypto exchanges to interact, often via automated bots, with external platforms whose security levels are sometimes far lower.
The theft of data
The official version of the incident is that it resulted in the theft of Gemini customers' e-mail addresses and partial phone numbers. Fortunately, however, no information related to Gemini accounts appears to have been stolen, and the exchange itself was not affected by this incident.
Thus the hackers were only able to get hold of a list of e-mail addresses (about 5.7 million) and incomplete phone numbers.
It turns out, in fact, that they then used them to launch a phishing campaign against Gemini's customers.
In other words, they sent emails to the stolen addresses, posing as Gemini and probably asking in some way for login information. Not surprisingly, Gemini advised its customers to change the email address of their account and, above all, to activate 2FA login, so that it would be impossible to access the account with only a username and password.
The exchange currently claims to have about 13 million users, so the number of stolen emails is a little less than half.
What is at risk for customers of the Gemini crypto exchange
In reality, with the email address alone, hackers can do very little, except send messages asking for login credentials while posing as Gemini.
It would be a different matter if they managed to gain access to the mailbox used to read the messages sent to those addresses, that is, if they managed to hack those email accounts. In that case they could ask the exchange to reset the password, set a new one, and get in.
Obviously, it would be better if the email accounts were not hackable, but not everyone protects them with complex passwords and, ideally, 2FA login.
The same applies to accounts on the exchange: if the password is very weak and 2FA is not enabled, hackers in possession of the email address could try to log in using the email as the username and a handful of common, simple passwords, hoping to guess the right one.
This is why it is always recommended both to use complex passwords, i.e., ones that are not easily guessable, and above all to enable 2FA login, i.e., with confirmation via cell phone or, even better, via an authenticator app.
All the more so because cases like these have happened before, and will surely happen again in the future.
Phishing
Phishing, used by hackers to try to get Gemini users to hand over their login credentials, is an extremely common technique.
In fact, it is very easy to send an email message that appears to come from any sender address, even one belonging to someone else, and it is also very easy to copy the graphic layout of genuine emails.
Thus, when hackers got hold of the email addresses of millions of Gemini's customers, they created messages that mimicked the exchange's usual ones and sent them to those addresses. The goal of such a message is twofold: to convince unsuspecting recipients that it comes from Gemini, and then to persuade them to enter their exchange login credentials on a website controlled by the attackers. It is not known how many took the bait, partly because this technique does not work when 2FA is enabled.
In fact, logging in with 2FA requires not only a username and password but also an additional code that the customer does not know in advance and that must be sent to him or her by the exchange itself. With a phishing email it is extremely difficult to have such a code sent.
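Because the visible From: address can be forged, mail receivers rely on SPF, DKIM and DMARC results recorded in the Authentication-Results header (RFC 8601) rather than on the sender name. The following is an added example, not code from the original article or from Gemini, of a defender-side triage check that reads those results from a message, verifies that the From: domain matches the domain the customer expects, and lists links pointing elsewhere. The domain `exchange.example`, the messages, and the header contents are constructed for illustration.

```python
import email
import email.utils
import re

# Methods that must all report "pass" for the message to be treated as legitimate.
AUTH_METHODS = ("spf", "dkim", "dmarc")


def parse_auth_results(header_value: str) -> dict:
    """Extract {method: result} from one Authentication-Results header value.

    The header starts with the authserv-id followed by ';' separated clauses
    such as 'spf=pass smtp.mailfrom=...' or 'dkim=fail header.d=...'.
    """
    results = {}
    _, _, clauses = header_value.partition(";")
    for clause in clauses.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.IGNORECASE)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def assess_message(raw_message: str, expected_domain: str) -> dict:
    """Return a triage verdict for a raw RFC 5322 message.

    A message is 'suspicious' if the From: domain is not the expected one,
    if any of SPF/DKIM/DMARC is missing or did not pass, or if the body links
    to hosts outside the expected domain.
    """
    msg = email.message_from_string(raw_message)
    _, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        auth.update(parse_auth_results(value))

    findings = []
    if from_domain != expected_domain.lower():
        findings.append(f"From domain '{from_domain}' is not '{expected_domain}'")
    for method in AUTH_METHODS:
        if auth.get(method) != "pass":
            findings.append(f"{method} result is '{auth.get(method, 'missing')}'")

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode("utf-8", errors="replace")
    hosts = re.findall(r"https?://([A-Za-z0-9.-]+)", body)
    foreign = sorted({h.lower() for h in hosts
                      if h.lower() != expected_domain.lower()
                      and not h.lower().endswith("." + expected_domain.lower())})
    if foreign:
        findings.append("links to external hosts: " + ", ".join(foreign))

    return {
        "from_domain": from_domain,
        "auth": auth,
        "external_links": foreign,
        "findings": findings,
        "verdict": "suspicious" if findings else "pass",
    }


# Constructed sample messages (not real mail from any exchange).
LEGITIMATE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=exchange.example;
  dkim=pass header.d=exchange.example; dmarc=pass header.from=exchange.example
From: Security Team <security@exchange.example>
To: alice@example.com
Subject: Enable two-factor authentication
Content-Type: text/plain

Please enable 2FA at https://exchange.example/settings/security
"""

SPOOFED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=exchange.example;
  dkim=none; dmarc=fail header.from=exchange.example
From: Security Team <security@exchange.example>
To: alice@example.com
Subject: Urgent: verify your account
Content-Type: text/plain

Confirm your login at https://exchange-example.verify-login.test/account
"""

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        report = assess_message(raw, "exchange.example")
        print(name, report["verdict"], report["findings"])
```

The check deliberately ignores the display name and the visible sender address on their own: both are trivially copied, which is exactly why the article's point holds. Only the receiving server's own authentication results, plus DMARC alignment between the authenticated domain and the From: domain, give a defender something the sender cannot forge.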