Turkish crypto exchange acknowledges 2018 breach with 500,000 users’ data stolen

Criminals tried to sell users’ names, ID numbers, emails and addresses on internet forums.

Major Turkish crypto exchange BtcTurk came forward about a data breach from mid-2018 that leaked sensitive information of over 500,000 users. 

According to the official announcement, the stolen data set contains BtcTurk users’ names, citizen ID numbers, emails, addresses, birthdates and mobile phone numbers. 

The stolen data set first appeared on an online forum for sale last Friday with sample information as proof. The seller claimed that the information also contains user selfies with ID, a common approval requirement for crypto exchanges.

Over the weekend, users who came across their personal information in the sample data used crypto Twitter to share their findings. At the time, BtcTurk denied the allegations and stressed that no current data breach is detected.

The company acknowledged the leaked user data on Monday, stating that the data set contains sensitive info of 516,954 users registered to the exchange before July 2018. BtcTurk said that users’ funds were safe. Shortly before the official announcement, the forum thread that was selling the leaked data was removed.

“The leaked data sample is related to a raw data extracted from our database in July 2018 that was about to be shared with one of our partners within the scope of the law.”

BtcTurk security team has deduced that a security breach within the storage medium caused the leak.

User passwords that are part of the leaked data set were irreversibly masked with a PBKDF2 algorithm, which renders any attempt to retrieve passwords impossible with current technology.

The announcement assured users that the balance info, bank accounts, ID selfies, financial passwords and other qualified info are safe. The exchange said that it is reaching out to potential victims of the data leak.