Customers have been advised to change their passwords and enable 2FA following a colossal security failure that gave malicious attackers the ability to seize control of Liquid’s DNS records.
The attack gave hackers access and control of some internal email accounts as well as access to the firm’s document storage infrastructure.
The hack was revealed last week by Liquid CEO, Mike Kayamori, who explained that the cryptocurrency exchange’s domain name hosting service incorrectly transferred control of its DNS records to a hacker last Friday.
As a consequence of this error, personal details of customers may now be in the hands of hackers.
The blog post on Liquid’s blog stated that:
“We believe the malicious actor was able to obtain personal information from our user database. This may include data such as your email, name, address and encrypted password. We are continuing to investigate whether the malicious actor also obtained access to personal documents provided for KYC (Know-Your-Customer) such as ID, selfie and proof of address, and will provide an update once the investigation has concluded.”
Mike Kayamori also apologized to their consumers claiming responsibility for the mistake that breached their data:
“We are extremely embarrassed at this compromise of personal information that commenced with a breach external to Liquid. We have always taken pride in our security of client data & assets to date, and this incident will encourage Liquid more than ever to raise the bar.”
“Once again, I apologize deeply for this humbling data breach and the loss of confidence that you may have. I assure you that we will be better and stronger and appreciate your continued support of Liquid.”
A hacker gaining control of an organizations DNS records is a big deal for a few different reasons – they not only have the power to redirect people attempting to visit your website to a server under their control, but they can also receive emails being sent to your business.
The attack is definitely a big blow for the firm which often describes themselves as “the world’s most comprehensive and secure trading platform”.
Fortunately for Liquid, they say that all client funds are “accounted for, and remain safe and secure. MPC-based and cold storage crypto wallets are secured and were not compromised.”
When changing passwords, always be sure to not use the same password twice or across multiple sites.