A Bloomberg report on Sunday claimed that crypto exchange Crypto.com allegedly failed to disclose a 2023 security incident involving user data.

However, the company has denied the accusation and says it filed the breach with regulators and contained the issue within hours.

According to the report, the data breach in question likely occurred in early 2023 and was orchestrated by members of Scattered Spider, a cybercriminal group known for targeting corporations with social engineering tactics. 

Investigators say the hackers gained access to internal Crypto.com systems by impersonating IT staff and tricking employees into handing over credentials.

Once inside, they reportedly accessed sensitive user information.

The attackers, including then-teenager Noah Urban, allegedly used stolen personal data, some of it obtained via a compromised UPS system, to support their phishing operation. 

Bloomberg’s investigation links the incident to a bigger spree in which Scattered Spider infiltrated over 200 companies across different sectors using similar tactics. 

In Crypto.com’s case, the breach reportedly affected a limited set of users, though the exact scope remains unclear due to the platform’s initially silent handling of the matter.

Critics have argued that Crypto.com’s failure to publicly disclose the breach in a timely and transparent manner may have put affected users at further risk. 

Blockchain sleuth ZachXBT accused the exchange of deliberately covering up the incident and claimed it wasn’t the first time the platform had been linked to undisclosed security lapses. See below.

Bad news: Your team covered up a breach that impacted the personal information of your users

Some industry observers also questioned whether the exchange had adequately notified impacted users, noting that such incidents could expose them to phishing, identity theft, or follow-up attacks.

In response, Crypto.com has strongly pushed back against the cover-up claims. 

A company spokesperson told crypto media that the firm had filed a “Notice of Data Security incident” with the U.S. Nationwide Multistate Licensing System (NMLS) and also submitted reports to the relevant regulators. 

Crypto.com has stressed that the incident was quickly identified and contained within a few hours.

“The incident included exposure of limited PII data affecting a very small number of individuals,” the spokesperson said, while claiming that no customer funds were accessed or placed at risk.

Crypto.com CEO Kris Marszalek has also spoken up regarding Bloomberg’s claims and described the report as based on “uninformed sources.”

“I want to directly and clearly address some misinformation spreading from uninformed sources….any suggestion that we did not report or disclose a security incident is completely unfounded,” Marszalek wrote on X.

Just as the dust was beginning to settle around past exchange breaches, the Bloomberg revelations have stirred fresh doubts about how secure user data really is on centralized platforms.

Coinbase, a major name in the crypto exchange market, found itself at the center of a major data leak that compromised the personal information of over 69,000 users. 

Unlike Crypto.com, the Coinbase breach was directly the result of insider misconduct at TaskUs, a third-party customer support vendor it had employed.

According to court filings, a TaskUs employee named Ashita Mishra and her accomplices stole user records over several months and sold them to hackers who later used the data for impersonation scams.

No funds were lost, but Coinbase came under a lot of heat for failing to promptly report the incident to its customers, leaving many exposed to phishing attempts and identity theft risks.

The fallout forced Coinbase to sever ties with TaskUs, overhaul its support operations, and spend as much as $400 million on remediation efforts.

The post Crypto.com denies failing to disclose 2023 user data leak appeared first on Invezz

205 +