The hacker used a SIM swapping technique to take control of an employee's phone number, reset the employee's email password, and gain access to the email account, along with accounts on the BlockFi platform.
BlockFi said the attacker had access to its platform for approximately 86 minutes, during which they tried and failed to steal BlockFi customer funds.
"Every action the unauthorized third party took with respect to our systems was logged, and BlockFi was able to confirm that no funds, passwords, social security numbers, tax identification numbers, passports, licenses, bank account information, nor similar non-public identification information was exposed as a result of this incident," BlockFi said.
However, BlockFi says the attacker was able to access and view BlockFi client information typically used by the company for retail marketing purposes.
This included details such as:
Name as listed on the account
Date of birth
Physical address as listed on the account
"Due to the nature of the information that was leaked, we do not believe there is any immediate risk to BlockFi clients or company funds," the company said.
Following the incident, BlockFi is now recommending that users enable a multi-factor authentication solution for their accounts and activate a wallet whitelist that prevents hackers from transferring funds to accounts not on the whitelist.
The company also said it updated internal systems to limit employee access to retail marketing information, planned for future security audits and penetration tests, and upgraded its incident response procedures to promote faster lockdowns in the event of similar intrusions.
Recent SIM swapping-related incidents
SIM swapping, also known as SIM jacking, is a type of ATO (account takeover) attack during which a malicious threat actor uses various techniques (usually social engineering) to transfer a victim's phone number to their own SIM card.
These types of attacks have been happening since the mid-2010s, but they have intensified since 2017 when cryptocurrency became mainstream.
And in cases where victims can't recover all their funds, some are filing civil lawsuits as well. Earlier this month, cryptocurrency investor Michael Terpin sued a New York teenager for using a SIM swap to steal more than $23.8 million worth of cryptocurrency in 2018. Terpin previously sued AT&T for $240 million for failing to protect his phone number from SIM swapping attacks.