Cryptocurrency exchange Liquid has confirmed it was hacked, but that the scope of the incident is still under investigation.
The company’s chief executive Mike Kayamori said in a blog post the attack happened on November 13. The hacker gained access to the company’s domain records, allowing the hacker to take control of several employee email accounts, and later compromised the company’s network.
Kayamori said that while cryptocurrency funds are “accounted for,” the hacker may have accessed the company’s document storage. “We believe the malicious actor was able to obtain personal information from our user database. This may include data such as your email, name, address and encrypted password,” he said.
The company said it was “continuing to investigate” if the hacker gained accessed to documents that users submitted to verify their identity with the exchange, such as a government-issued ID, selfie, or proof of address, which could put users at a heightened risk of identity theft or for targeted attacks.
Liquid said in an email to users that they should change their password, but opted not to force reset user accounts due to its use of a strong password scrambler.
Attacks that target a company’s network infrastructure take advantage of weak or reused passwords used to register a domain name. By changing network settings, attackers can invisibly control the network and gain access to email accounts and systems that would be far more difficult through other routes of attack.
Cryptocurrency startups and exchanged are high-value targets for hackers, given the potential for massive financial rewards of a successful breach. In 2018, Nano saw $170 million stolen in a breach, Coinrail lost $40 million after a hack, Bithumb lost $30 million, and Binance and Coincheck each lost a massive $400 million after hackers broke in.
Liquid was founded in 2014, and claims to have facilitated the trade of $50 billion in cryptocurrency over the past year.