LiteBit.eu — a multi-currency exchange based in the Netherlands — has suffered data breaches two months in a row.
According to emails sent to affected customers after each event, no Bitcoin or altcoin funds were stolen in either of the two incidents.
The company says the attacker only pilfered user personal information, such as emails, hashed passwords, bank account numbers (IBANs), telephone numbers, and home addresses.
While LiteBit was lucky that no currency was stolen, the incidents show a continued lack of security precautions at exchanges, which keep reporting breaches. Furthermore, the stolen information is obviously of concern to the victims, as it could lead to identity theft or to other accounts being hacked by the attackers.
August 2017 breach
The first incident took place on August 5, and the company sent out the following email to affected customers after it detected suspicious activity on one of its servers and fixed the security hole.
On August 5, 2017 we observed unusual activities on LiteBit's servers. Unfortunately, we have concluded that there has been unlawful access to LiteBit data. No LiteBit wallet servers have been broken, all coins of customers are safe. Also, there are no verification documents (ID or passport) involved in this incident.
The cause of the leak is known, and the problems have now been solved. It is not clear whether data has actually been stolen. In the worst case, an unauthorized person has gained access to your: email address, encrypted password, IBAN, phone number, address and your portfolio data.
What does this mean to you? For users who have 2-step authentication, it's very important that they reset it. We also recommend that you enable this additional security measure, for customers who have not already done so.
In addition, it is important to change your password regularly.
September 2017 breach
The second breach took place last week, on September 12, six weeks after the first incident. This time around, the source of the breach was with one of LiteBit's "suppliers."
Again, the exchange said the hacker made off only with PII and user funds remained secure. Authorities have been informed. The content of the second email is below.
We regret to inform you that on the 12th of September 2017 a supplier to LiteBit has become the victim of a cyberattack. Sadly, the attack also concerned a LiteBit server. We are currently investigating the scope of the attack. Sadly we have to conclude that an unauthorized person has had access to your: email address, hashed password, IBANs, phone number, address and portfolio data.
There has, however, been no breach of the LiteBit wallet servers. All coins belonging to customers are safe. Also, no verification documents have been accessed during the incident.
It is of high importance that you reset your 2FA settings, you can read more about this here: LiteBit 2FA.
We understand that the recent problems at LiteBit and our supplier have damaged your trust in our organization. We want to show our deepest remorse. We have already taken measures and we will keep improving and expanding on these measures in the future in hope to regain your trust. We have reported this incident to the police and the Dutch Data Protection Authority.