Singapore-based cryptocurrency exchange Liquid, the 18th largest exchange in the world by volume, has been hacked and customer data stolen.

Detected on Nov. 13, the hack wasn’t a direct attack on the company’s infrastructure. Instead, it involved a domain name hosting provider that manages one of company’s domain names incorrectly transferring control of the account and domain to a malicious actor.

With this access, those behind the attack changed domain name server records and took control of some of the company’s email accounts. The hacker also partially compromised Liquid’s infrastructure and gained access to storage.

Upon detecting the attack, Liquid shut down access and took action to prevent further intrusions and to mitigate the risk to customer accounts and assets. The good news is that those behind the attack did not manage to steal any funds from Liquid users and all client funds were accounted for.

That said, some customer data is believed to have been stolen, including emails, names, addresses and encrypted passwords. Liquid is investigating whether those behind the attack also gained access to personal documents provided for Know Your Customer compliance such as copies of identification cards, selfies and proof of address details.

Liquid warned its customers that the stolen data could be used for identity theft, spam email and phishing attempts.

“Regulators mandate that cryptocurrency exchanges collect and maintain KYC data, but choosing the right solutions provider matters,” Jose Caldera, chief product officer at identity verification firm Acuant Inc., told SiliconANGLE. “It is important to implement solutions that not only perform KYC, but that can also maintain KYC for exchanges, enabling them to have access to data without storing it. However, they must ensure that their KYC providers and their data partners are extremely secure. SOC-2 and PCI are examples of credentials that should be sought in a provider along with data protection in place.”

Vinay Sridhara, chief technology officer of security posture visibility company Balbix Inc., noted that the incident is another reminder of the importance of basic cyberhygiene, since DNS hijacking attacks have been fairly common against cryptocurrency services over the past few years.

“DHS hijackings happen when users are unknowingly redirected to a malicious site. In this incident, Liquid’s employees were redirected to fake login pages where their email credentials were collected and later used to access the company’s internal infrastructure,” Sridhara said. “Through this, the intruder was able to obtain the names, home addresses, emails, and encrypted passwords of users. Cryptocurrency organizations that collect transactional data must be continuously monitoring all IT assets across hundreds of potential attack vectors to detect vulnerabilities.”

Image: Liquid