QuickBit Privacy Breach

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 21:11, 24 January 2023 by Azoundria

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.


QuickBit provided real customer data to a contractor who was developing a MongoDB instance. This information was openly available for a few days, long enough to be discovered by security researchers. According to reports, data such as full name, address, login, and passwords were available (with no mention of encryption). QuickBit reports that nobody malicious appears to have gotten ahold of the data, and no reports were found of negative impact to customers.

This exchange or platform is based in Sweden, or the incident targeted people primarily in Sweden.

About QuickBit

"Quickbit is a Swedish fintech company, which was founded in 2016 with the goal that more people and companies should use cryptocurrency on an everyday basis. Our history is in payments and we are driven by our vision that it should be easy and cheap to make quick and secure payments. A part of our business is to offer solutions for e-merchants to be paid in cryptocurrency. Another part of our business is to offer user-friendly and secure solutions for people to easily use cryptocurrency in their everyday lives. We are doing all of this because we are convinced that the financial services of the future will be based on blockchain technology and cryptocurrency."

"QuickBit is a cryptocurrency retailer that allows customers to purchase cryptocurrency using a credit card." "Our more than 40 employees are based in four locations – Stockholm, Gibraltar, Tallinn and Lahore in Pakistan. Quickbit has been listed on NGM Nordic SME since July 2019." "Our vision is an economy without borders and we believe cryptocurrencies will play an important part of our everyday lives. We work with products that leverage the best of blockchain and fiat currency that are easy to use and bring actual value to the user." "Quickbit is a simple, fast, and secure way to integrate cryptocurrencies into your life." "The company went public on July 11 with a market cap of about $22 million."

“IS IT SAFE TO USE QUICKBIT? Yes! Our main priority is to keep clients’ personal data safe and secure. We take great precautions around the security of our systems and are constantly monitoring for any suspicious activities…”

"On July 2, 2019, Comparitech, along with security researcher Bob Diachenko, made the discovery. The exposure was the result of a publicly available MongoDB database." "On the 22nd of July, Coindesk reported that the Swedish cryptocurrency exchange QuickBit suffered an extensive data breach. According to the report, the digital asset platform unknowingly leaked the data of 300,000 customers via an unprotected MongoDB database."

"Bob Diachenko, who uncovered this particular leak, uses his extensive cybersecurity experience and knowledge to find supposedly secure data that may have been accidentally or intentionally exposed. When a leak is discovered, his first priority is finding out who it belongs to and alerting the relevant organization so they can secure the information."

"A QuickBit.eu database containing more than 300,000 records was left open such that anyone online could view its contents." "According to QuickBit, the breach resulted in data of users such as names, emails, physical addresses and even card information being exposed. The exchange has said it has estimated about 2% of user data was left unprotected."

"The database held 301,470 ‘events’ records. An event presumably refers to a transaction that has taken place via the platform. The information for each transaction included the following: Full name, Full address, Email address, Gender, Profile level (Gold, Silver, or Bronze), Date of birth, Payment information (type of credit card used and first six and last four digits), Source currency and target currency (for example, USD to BTC), Transaction amount." "In addition to those records, we also discovered 143 records with internal credentials, including merchants, secret keys, names, passwords, secret phrases, user IDs, and other information."

"June 28, 2019: The database was first indexed by Shodan."

"July 2, 2019: We discovered the exposed data."

"July 2, 2019: Diachenko immediately notified QuickBit via email."

"July 3, 2019 (or sooner): Within 24 hours of Diachenko sending the notification, the MongoDB database in question was pulled offline." "The database was pulled offline within 24 hours of this notification."

"July 11, 2019: A second email requesting comment was sent by Diachenko to QuickBit’s general email address and to that of the managing director."

"July 13, 2019: We sent a third follow-up email to QuickBit’s managing director, a conversation with the operations team ensued."

"July 15th, 2019: QuickBit explained they take user privacy and security seriously and commenced a full internal security audit following our conversation."

"July 19th, 2019: QuickBit published a report for their shareholders and the market outlining the issue." "Later that day, the exchange’s managing director Jörgen Eriksson wrote that external security experts warned the company that some data had been poorly protected."

"The leak, detailed by security researcher Paul Bischoff, first came to light after security aggregator Shodan noted the existence of the open database. QuickBit said that an outside contractor left the data unprotected while attempting a security upgrade."

"QuickBit has recently adopted a third-party system for supplementary security screening of customers. In connection with the delivery of this system, it has been on a server that has been visible outside QuickBit's firewall for a few days, and thus accessible to the person who has the right tools."

"The exposed data included full names, addresses, email addresses, user gender, and dates of birth." "During the delivery period, a database has been exposed with information about name, address, e-mail address and truncated (not complete) card information for approximately 2% of QuickBit's customers."

"Perhaps the most concerning part of this leak is the 143 records that contained things like user IDs, passwords, and secret phrases. Depending on the platform setup and who this information pertains to, this data could potentially give malicious parties full access to registered accounts."

"As a result, anyone who obtained the data may be able to take over the account, carry out transactions, or view full payment information that can be used in credit card fraud. Criminals may even be able to access cryptocurrency balances held by the users involved."

"Plus, when passwords are involved, there is the danger that ID and password combinations could be used to hack other accounts. After all, an alarming 52% of users reuse passwords, making account takeover via credential stuffing a low-hanging fruit for cybercriminals."

"[T]he last four digits of a credit card, especially when coupled with detailed personal information, can be all it takes for a criminal to take over various accounts and even carry out identity theft. For example, a criminal might be able to use the last four digits of your credit card, along with your name, address, and date of birth, to convince a wireless carrier that they are an account holder for your account."

"Although we know how many records were exposed, it is unclear how many QuickBit users were affected by the leak. We also don’t know if any malicious parties accessed or copied information from the database during the roughly six days it was exposed." "The exchange has claimed that although data was bare and accessible to anyone who had the knowledge on how to access it, none of the data has been affected or copied."

"QuickBit added that the exposure did not impact any passwords, social security numbers, credit card information, cryptocurrency keys or financial transactions." "QuickBit stressed the following details had not been included in the security breach: No passwords or social security numbers have been exposed. No complete account or credit card information has been exposed. No cryptocurrency or keys for this have been exposed. No financial transactions have been affected."

"In addition to those records, we also discovered 143 records with internal credentials, including merchants, secret keys, names, passwords, secret phrases, user IDs, and other information," wrote Bischoff.

"QuickBit further claims that its technicians have taken steps to ensure that all servers are protected and prevent the possibility of similar incidents, adding that it will publish a public version of the incident report on its website." “The company has immediately taken the necessary measures to secure the system concerned. Our own initial investigation shows that neither QuickBit nor the company’s customers have been harmed”

"Data security is of utmost importance for QuickBit," they wrote. "We will publish a public version of the incident report on our website shortly."

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - QuickBit Privacy Breach

| Date | Event | Description |
|---|---|---|
| June 28th, 2019 12:00:00 AM | First Event | This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here. |

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

It is unknown how much was recovered.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies
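
The case summary states that real customer data was handed to a contractor, and that the exposed 'events' records held names, addresses, emails, dates of birth and partial card digits. The following is an added example, not code from QuickBit or the original case study, of building a minimised copy of such records before they leave the production environment. All field names, the sample record and the key are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Field names are hypothetical; the case study lists the kinds of data, not the schema.
DIRECT_IDENTIFIERS = ("full_name", "address", "email")
PASS_THROUGH = ("profile_level", "source_currency", "target_currency", "amount")


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed, per-field token: stable for joins, not reversible without the key."""
    msg = f"{field}:{value.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def minimise_event(event: dict, key: bytes) -> dict:
    """Build the contractor copy from an allow-list; unknown fields are dropped."""
    out = {f: pseudonym(key, f, event[f]) for f in DIRECT_IDENTIFIERS if event.get(f)}
    out.update({f: event[f] for f in PASS_THROUGH if f in event})
    if event.get("date_of_birth"):
        out["birth_year"] = event["date_of_birth"][:4]  # ISO date assumed
    card = event.get("card") or {}
    if card.get("type"):
        out["card_type"] = card["type"]  # first six / last four digits are not copied
    return out


# Constructed sample record, not real data.
SAMPLE_EVENT = {
    "full_name": "Alex Example",
    "address": "1 Sample Street, Stockholm",
    "email": "Alex@Example.test",
    "gender": "x",
    "profile_level": "Gold",
    "date_of_birth": "1990-04-17",
    "card": {"type": "visa", "first6": "000000", "last4": "0000"},
    "source_currency": "USD",
    "target_currency": "BTC",
    "amount": "150.00",
    "secret_phrase": "constructed-value",
}

if __name__ == "__main__":
    contractor_key = b"constructed-demo-key"  # in practice: random, kept off the contractor host
    print(minimise_event(SAMPLE_EVENT, contractor_key))
```

Because the copy is built from an allow-list, a field added to the production schema later (such as the internal credentials found in the 143 records) stays out of the contractor copy unless someone explicitly permits it.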
