Kroll reveals FTX customer info exposed in August data breach

Risk and financial advisory company Kroll has released additional details regarding the August data breach, which exposed the personal information of FTX bankruptcy claimants.

Kroll said the exposed data included coin holdings and balances, which would allow threat actors to pinpoint attractive targets who invest heavily in the cryptocurrency markets.

"This letter provides important information that can help protect you and your digital assets against misuse of your personal data, including your name, email address, phone number, address, claim number, claim amount, FTX account ID, and/or coin holdings and balances, as well as, for a limited number of individuals, date of birth," the company said in letters sent earlier this month and spotted by Emsisoft threat analyst Brett Callow.

"Importantly, the incident did not affect any FTX systems or FTX digital assets. Further, Kroll does not maintain passwords to FTX accounts."

Just like in its August statement, Kroll advised all those affected by the incident to remain vigilant and take precautions to protect their accounts. Kroll also warned of potential incoming phishing emails, text messages, and social media messages aiming to deceive and gain unauthorized access to affected FTX customers' cryptocurrency accounts and digital assets.

The risk consulting company recommends those potentially at risk to:

• Never share your passwords, seed phrases, private keys, and other secret information with untrusted individuals, applications, websites, or devices.
• Never presume an email or other communication is legitimate because it contains information about their claim or FTX account.
• Always verify information that they receive from any other website about the FTX bankruptcy case or their claim by visiting the website of the Claims Agent, Kroll Restructuring Administration LLC: https://restructuring.ra.kroll.com/FTX/ or contacting Kroll Restructuring Administration at FTXquestions@kroll.com.

To protect assets against targeted phishing attacks, investors should store their crypto in cold wallets that make it more difficult to be stolen by threat actors.

BlockFi and Genesis creditors also affected

Kroll confirmed in a statement published on August 25 that one of its employees was a victim of a SIM-swapping attack after hackers targeted their T-Mobile account and stole their phone number. This allowed them to access "certain files containing personal information of bankruptcy claimants."

After Kroll's breach disclosure, phishing emails began targeting affected individuals impersonating FTX and claiming that the recipient was eligible to withdraw digital assets from their accounts. Additionally, the phishing messages matched the recipients' last known balance on the cryptocurrency platforms.

The attackers' ultimate goal was to trick the targets into giving away the seeds that protect their cryptocurrency wallets, allowing the hackers to empty them.

Even though Kroll handles restructuring cases for hundreds of organizations, a spokesperson told BleepingComputer after the August breach that the scope of the impact is limited to the FTX, BlockFi, and Genesis Global Holdco crypto-investment companies and their creditors.

"The security incident only impacted files pertaining to BlockFi, FTX, and Genesis. There is no evidence that the threat actor moved laterally or gained access to any other Kroll user accounts or systems," the spokesperson said.

However, Kroll has not yet disclosed the sensitive information belonging to the creditors of BlockFi and Genesis that was also exposed during the breach.