
Cryptocurrency loan site YouHodler exposed unencrypted user credit cards and transactions



A cryptocurrency loan startup exposed reams of customer credit cards and user transactions for almost a month — because it forgot to protect the server with a password.

Security researchers Noam Rotem and Ran Locar found the database belonging to YouHodler, a lending platform designed for cryptocurrency, which claims to have processed $10 million in loans to more than 3,500 customers. The researchers shared their findings exclusively with TechCrunch to verify the authenticity of the data. The researchers also wrote up their findings.

Once the researchers reported the leaking data, the company pulled the database offline.

The database contained 86 million lines of daily updating records of the lending platform, containing streams of logs and computer commands based on users’ interactions on the front-end website. That also included sensitive information such as every time a transaction or a loan went through.

Among the records we reviewed, we found records with enough information to make fraudulent card purchases — such as names, transaction amounts, and credit card numbers, including card verification numbers (CVV) and expiry dates.

None of the data was encrypted.


One of the transaction records exposing unencrypted credit card data. (Image: TechCrunch)

Several other records seen by TechCrunch contained banking information, including names, addresses, bank account and routing numbers, SWIFT codes, and the transaction amount.

The database also contained customer phone numbers and in some cases passport numbers, according to the researchers.

“The amount of information included in the database makes stealing a user’s identity a simple task,” said Rotem and Locar.

Once the data had been secured, we reached out to YouHodler’s chief executive Ilya Volkov prior to publication but did not hear back.

It’s the latest exposed database in a stream of recent findings by the researchers in recent months.

The researchers have previously found data leaking on Fortune 500 firm Tech Data, exposed user records and private messages of Jewish dating app JCrush and leaking data from Canadian cell network Freedom Mobile, and online retailer Gearbest. Earlier in July, the researchers found an unprotected database belonging to Aavgo, which exposed user hotel bookings.


  • 2 years later...

The one to watch out for is pre-calculated interest. It's where they calculate the interest then put it into the principal at the beginning of the loan. That way it is impossible to pay it back without paying every cent of interest. If you are late tho fees get added in.
Edit: both of these things "pre-calculated" in the apply to future payments are often hidden. You may have seen it but unless you recalculated the loan on your own you can't see it.
I am a financial nerd now partially because of things like this. I just had to know how it worked. I recalculate any loan I am a part of. For me the better way was here https://usnetloan.com/title-loans/utah/


  • 2 months later...

I can completely agree about frivolous debt. It is obvious to me that if you cannot afford something, then you should not buy it. I even think you should not take any loan or mortgage because it is like slavery. If you cannot afford something – then you should not buy it. You can rent a house or an apartment, and you can even rent a car if you cannot afford one. You can do saving up instead of a mortgage because this seems to be the more logical way for my mind. And if you don’t know what financial option to choose, then you can talk to someone like Mortgage Broker Sunderland, who can help you with it. Such people know better what is happening in the market and what will be the best decision.
