Transak, a fiat-to-crypto payment gateway provider, has reported a security incident which has impacted 92,554 of its users.
Attackers gained unauthorized access to one of the firm’s employee laptops through a sophisticated phishing attack.
The firm said that the attacker used compromised credentials to log in to the system of a third-party KYC vendor that the company uses for document scanning and verification services.
The attacker was then able to gain access to user information stores within the vendor’s dashboard.
Transak said personal information including names, dates of birth, user selfies, and passport and other ID documents were accessed. The affected users make up 1.4% of Transak’s base.
No financially sensitive information, including email addresses, phone numbers, passwords, credit card details or Social Security Numbers, was compromised in any way, the firm said.
The company explained that because it operates as a fully non-custodial platform, user funds, whether fiat or cryptocurrency, are never held by Transak and remain secure and unaffected by any such attack.
“We deeply empathize with how frustrating and disappointing this must be for the affected users. Our top company priority is taking action to protect users and fix any vulnerabilities to ensure nothing like this ever happens again,” the company said in a statement issued on October 21.
There is no indication that the breached data has been misused. The firm will reach out to affected users with advice and resources.
Transak has informed relevant data protection authorities, including the Information Commissioner’s Office (ICO) in the UK and other regulators across the EU and US, with reviews for other countries in progress.
The company also said it is improving training, software and systems to prevent phishing and social engineering attacks on its team members and to limit any access or damage if an attack occurs.