Cryptocurrency exchange Liquid has confirmed it was hacked, but said the scope of the incident is still under investigation.
The company’s chief executive Mike Kayamori said in a blog post that the attack happened on November 13. The hacker gained access to the company’s domain records, which allowed them to take control of several employee email accounts, and later compromised the company’s network.
Kayamori said that while cryptocurrency funds are “accounted for,” the hacker may have accessed the company’s document storage. “We believe the malicious actor was able to obtain personal information from our user database. This may include data such as your email, name, address and encrypted password,” he said.
The company said it was “continuing to investigate” whether the hacker gained access to documents that users submitted to verify their identity with the exchange, such as a government-issued ID, selfie, or proof of address, which could put users at a heightened risk of identity theft or targeted attacks.
Liquid told users in an email that they should change their passwords to be safe.
Attacks that target a company’s network infrastructure take advantage of weak or reused passwords on the account used to register the company’s domain name. By breaking in and changing those network settings, attackers can invisibly control the network and gain access to email accounts and systems that would be far more difficult to reach through other routes of attack.
Cryptocurrency startups and exchanges are high-value targets for hackers, given the potential for massive financial rewards from a successful breach. In 2018, Nano saw $170 million stolen in a breach, Coinrail lost $40 million after a hack, Bithumb lost $30 million, and Binance and Coincheck each lost a massive $400 million after hackers broke in.
Liquid was founded in 2014, and claims to have facilitated the trade of $50 billion in cryptocurrency over the past year.