Liquid, one of today's top 20 cryptocurrency exchange portals, disclosed a security breach on Wednesday.
In a blog post on its website, the company said that last week, on Friday, November 13, a hacker breached employee email accounts and pivoted to its internal network.
The company said it detected the intrusion before the hacker stole any funds, but a subsequent investigation revealed that the attacker was able to collect personal information from Liquid's database that stored user details.
Stolen information included real names, home addresses, email addresses, and encrypted passwords.
Liquid CEO Mike Kayamori said the company is still investigating whether the intruder was able to steal the proofs-of-identity that all users must provide when making their first transaction on the platform.
"We do not believe there is an immediate threat to your account due to our use of strong password encryption. Nevertheless, we recommend that all Liquid customers change their password and 2FA credentials at the earliest convenience," Kayamori said.
Another social engineering attack leading to a DNS hijack
The company blamed the intrusion on its domain name provider, which fell victim to a social engineering attack and incorrectly transferred Liquid's account to the hacker.
Immediately after gaining control of this account, Liquid said, the attacker hijacked the company's DNS records, pointing incoming traffic to a server under their control.
The hacker is believed to have used this control over the company's DNS records to redirect employees to fake login pages and harvest their work email credentials, which were then used to access employee email accounts and pivot into Liquid's internal infrastructure.
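A registrar-account takeover of the kind described above typically becomes visible as a sudden change in a zone's NS or A records, often before any phishing traffic is seen. The following script is an added example, not code from the article or from Liquid: it compares a set of observed DNS answers against a pinned known-good baseline and reports every deviation. The hostnames, addresses and the observed answers are constructed sample data; in a real deployment the observations would come from a resolver queried from several vantage points.

```python
"""Detect unexpected DNS record changes against a known-good baseline.

Added example (not part of the original article). A registrar-account
takeover typically shows up as a sudden change in a zone's NS, A or MX
records. This compares observed answers against a pinned baseline and
reports every deviation. All names and addresses below are constructed
placeholders, not Liquid's real records.
"""
from dataclasses import dataclass, field

# Known-good records an operator pins while the zone is in a trusted state.
BASELINE = {
    ("example-exchange.test", "NS"): {"ns1.trusted-dns.test.", "ns2.trusted-dns.test."},
    ("example-exchange.test", "A"): {"203.0.113.10", "203.0.113.11"},
    ("mail.example-exchange.test", "MX"): {"10 mx1.example-exchange.test."},
    ("login.example-exchange.test", "A"): {"203.0.113.20"},
}


@dataclass
class Drift:
    name: str
    rtype: str
    missing: set = field(default_factory=set)     # expected but not observed
    unexpected: set = field(default_factory=set)  # observed but not expected


def detect_drift(baseline, observed):
    """Return one Drift per (name, type) whose record set deviates.

    Both directions matter: during a hijack the NS set is usually replaced
    wholesale, while an A record for a login host may simply gain one extra
    address pointing at the attacker's server.
    """
    drifts = []
    for key, expected in baseline.items():
        seen = set(observed.get(key, set()))
        missing = expected - seen
        unexpected = seen - expected
        if missing or unexpected:
            drifts.append(Drift(key[0], key[1], missing, unexpected))
    # Record sets that were never pinned but now answer are also suspicious.
    for key, seen in observed.items():
        if key not in baseline:
            drifts.append(Drift(key[0], key[1], set(), set(seen)))
    return drifts


def severity(drift):
    """Rough triage: an NS change means the whole zone is under someone
    else's control; a changed A record on a login host is the
    phishing-redirect case described in the article."""
    if drift.rtype == "NS":
        return "critical"
    if drift.rtype == "A" and drift.name.startswith("login."):
        return "high"
    return "medium"


# Constructed observation: nameservers swapped out and the login host
# now resolves to an address outside the pinned range.
OBSERVED = {
    ("example-exchange.test", "NS"): {"ns1.attacker-dns.test.", "ns2.attacker-dns.test."},
    ("example-exchange.test", "A"): {"203.0.113.10", "203.0.113.11"},
    ("mail.example-exchange.test", "MX"): {"10 mx1.example-exchange.test."},
    ("login.example-exchange.test", "A"): {"198.51.100.7"},
}

if __name__ == "__main__":
    for d in detect_drift(BASELINE, OBSERVED):
        print(f"[{severity(d)}] {d.name} {d.rtype}: "
              f"missing={sorted(d.missing)} unexpected={sorted(d.unexpected)}")
```

Run on a schedule from resolvers outside the organisation's own network, since a hijacked zone will answer consistently from the attacker's nameservers and only the comparison against the pinned baseline reveals the swap. Pairing this with a registrar lock and out-of-band alerting on registrar account changes covers the first step of the chain, before the DNS records move.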
DNS hijacking attacks like these are bold, but they have also been very common against cryptocurrency services over the past few years. For example:
- In June 2020, a hacker hijacked Coincheck's DNS records to redirect users to fake login pages and eventually collected passwords for 200 accounts.
- In August 2018, a hacker hijacked the DNS records of MyEtherWallet to collect private keys for user wallets.
- In January 2018, hackers hijacked the servers of BlackWallet.com and managed to steal over $400,000 of Stellar Lumen (XLM) funds.
- In December 2017, a hacker hijacked EtherDelta's DNS records to redirect traffic to a clone where he logged user credentials and then stole customer funds.
- In October 2017, a hacker hijacked the domain for the Etherparty ICO.
- In July 2017, a hacker also hijacked the domain of Classic Ether Wallet to collect user wallet passwords.