— Anthony Sassano | sassal.eth (@sassal0x) May 19, 2020
According to the report from BlockFi, the account information that was accessed during the incident included name, email address, date of birth, postal address, and activity history. That said, all of BlockFi’s user funds, password, and non-public identification information – like a user’s social security number, tax identification numbers, passwords, etc. – were not accessed and no client or company funds were impacted during the incident.
BlockFi’s incident report stated that an employee’s phone number was breached and utilized by an unauthorized third party to access a portion of the platform’s database. This type of attack is also known as a SIM swap.
In response to the data breach, BlockFi took some additional precautions in order to eliminate and mitigate the chances of this attack occurring again. This includes security updates to BlockFi’s systems which further limits employee access to client information as well as updates to employee phone numbers and upgrades to BlockFi’s incident response protocol. While the data breach didn’t necessarily expose any sensitive information like social security numbers which would allow the attacker to open credit cards and/or bank accounts in the client’s name, BlockFi is urging users to set up additional security precautions to eliminate any further risks.
This includes setting up 2FA on users’ accounts and personal devices as well as turning on whitelisted addresses. By enabling whitelisted addresses on your BlockFi account, anytime you wish to withdraw, you will have to add a new whitelisted address which triggers a 72-hour delay. Ultimately, these two precautions can significantly reduce the risk in the instance that BlockFi is compromised in the future.
Trying to look at this with a glass half full mindset, it’s great to see a leading lending platform vamp up security prior to a hack which resulted in the loss of funds.
Taking a step back, a security breach for major centralized exchanges should be no surprise for many DeFi veterans. Generally speaking, these types of breaches emphasize the value and importance of non-custodial and decentralized solutions where users are responsible for securing their own funds. By doing so, DeFi users can eliminate centralization risk.
BlockFi also got incredibly lucky. Just as they announce a big data breach, BitMEX’s trading engine goes down and no one is talking about anything else. Tough break for BlockFi who I’m sure just lost trust of tons of customers
— Larry Cermak (@lawmaster) May 19, 2020
That said, there are tradeoffs to both. For users who leverage DeFi lending protocols, like Compound, all of your trading activity and holdings are publicly available. This can become an issue if users attach an identity-related ENS name (like their Twitter handle) to their Ethereum address which they actively use for interacting with major DeFi applications.
On the other hand, BlockFi and other centralized providers take the stress out of managing and securing your own private keys and others identify information with the caveat that these types of attacks and breaches occur on a rather regular basis for centralized exchanges. For reference, in 2019, centralized exchanges experienced a dozen data breaches over the course of the year, resulting in $292.6M worth of assets and ~510,000 user logins compromised in that year alone. However, as seen with the bZx hack, DeFi protocols are not immune to these types of attacks and breaches either.
With all of that in mind, we encourage all open finance users – centralized and decentralized – to take any and all necessary precautions when handling your crypto assets. This means practicing safe private key storage, setting up 2FA, adding whitelisted addresses, not doxing yourself via ENS and other measures for protecting your precious capital.
To stay up on the evolving BlockFi situation, be sure to follow the project on Twitter.
— Anthony […]