# Fractal.id breach; Facts from the hacker

*An exclusive interview with the hacker of Fractal, [@unicornlover67](https://breachforums.st/Thread-SELLING-FRACTAL-ID-KYC-DATA-WEB3-CRYPTO?highlight=fractal), gave facts on the reality behind the sensitive breach of fractal.id*

![FractalCustomerBuyout 2](https://hackmd.io/_uploads/BJnDmIKOC.png)

---

Passports are a headache. A single document can create a series of migraines when parties outside of your control abuse it. A whole array of risks comes with getting your sensitive information leaked: identity theft, financial fraud, phishing, and social engineering attacks, to name the most common ones. It gets even worse when we're talking about KYC documents from financial institutions; any brute would love to know where someone with plenty of money lives and show up with their machetes.

You would assume that organisations taking custody of your sensitive details care about their users more than they care about their own reputation and branding. You would also expect a certain level of transparency rather than masquerading their mistake. Instead of owning up, fractal.id seems to focus more on hiding even more information. Maybe that's something they should have done initially with their user data, preferably before it gets offered for sale on the black market. Even more preferably, if they have the option to buy it back, making it a gray-hat bounty approach, actually starting communications with the hacker in question. If they care so much about their reputation that they hide facts, they should at least be willing to protect their customers by purchasing their sensitive data back. Especially as some of their affected customers can't afford to simply buy out the data themselves.

---

*"We were later contacted by a party who claimed responsibility over the attack. They requested a ransom from us.
We didn't engage and reported them to the authorities."* - *Fractal* ([source](https://web.archive.org/web/20240720131354/https://web.fractal.id/fractal-id-data-breach-post-mortem/))

![FractalCustomerBuyout2 2](https://hackmd.io/_uploads/SJ4cXUYOC.png)

## How did it happen;

Per unicornlover67;

"I managed to breach effortlessly due to a worker with admin privs being on botnet logs"

"simple as some subdomain recon on KYC providers"

![botnetlogs 2](https://hackmd.io/_uploads/Bk3pE8t_A.png)

"they had the AWS key in the headers of their pretty much open backoffice"

"then I pivoted with an S3 tag exposed on the panel"

![leakedwebpack 2](https://hackmd.io/_uploads/HkRBrLt_C.png)

"this login could access the entire panel"

**"no 2FA"**

![OpenOfficeProof 2](https://hackmd.io/_uploads/SJXmSIt_C.png)

"I hacked 4 of them in 1 day the same way"

---

"embarrassing"

![Screenshot 2024-07-20 at 14.53.10 2](https://hackmd.io/_uploads/SyzYS8KO0.png)

Passwords are displayed in the screenshot above; as per Fractal, these accounts should now be disabled:

*"We disabled every account in this system before bringing it back up and limited the access to few senior core Fractal ID employees."* ([source](https://web.archive.org/web/20240720131354/https://web.fractal.id/fractal-id-data-breach-post-mortem/))

## Facts;

### At least 35314 accounts were breached

Claim by Fractal.id: "An operator account access credentials were compromised, allowing the attacker to exfiltrate data for ~0.5% of our user base. We regret what happened, and we will do our best to protect affected users." [source](https://web.archive.org/web/20240720131354/https://web.fractal.id/fractal-id-data-breach-post-mortem)

**Proof of reality:**

![Screenshot 2024-07-20 at 16.46.41](https://hackmd.io/_uploads/B1xOzItOA.png)

Verification File: https://tan-musical-dragonfly-486.mypinata.cloud/ipfs/QmVvD7MeJGnvQ2XFrJ6goNhbDEqysBc2UajWxcNvP7vu68

### Not all partners that were breached have been published

Fractal claims that only a "few" partners have been affected.
Here are the names of ALL partners present in the breach (it is unknown to myself how many users per partner, as we do not have the individual user data). It's important you know if your data is at risk; check the file below to verify if you used any of their partners' KYC.

**Proof of Reality** (excerpt of a few)

![Screenshot 2024-07-20 at 16.40.28](https://hackmd.io/_uploads/SJEk7IYuC.png)

Verification File: https://tan-musical-dragonfly-486.mypinata.cloud/ipfs/QmVBk4AJz4z7RqSYsWttmgdRyVs2uCRxe3xsFGLPsK5sZR

## What's next

[@unicornlover67](https://breachforums.st/Thread-SELLING-FRACTAL-ID-KYC-DATA-WEB3-CRYPTO?highlight=fractal) tried to reach out to anyone within Fractal, although they had no ears to award the gray-hat bounty. Instead they chose to pass it off as blackmail. There's still a chance for users to save their data: either through a collective approach, buying their own data together (a ConstitutionDAO variation), or for Fractal to own up and pay the gray-hat bounty.

![OutreachFractal1 2](https://hackmd.io/_uploads/rkk9wLYuR.png)

![OutreachFractal2 2](https://hackmd.io/_uploads/HkhYwLFd0.png)

As you can see in the images above, UnicornLover67 even told them directly how they could avoid this pitfall, not abusing the position of power they were in. Fractal, however, is very happy to paint him as the "criminal", while keeping an ex-employee login still in the system.

![Screenshot 2024-07-20 at 14.48.48 2](https://hackmd.io/_uploads/H1WMuItuC.png)

*Interview written by mf ; https://x.com/0x_m_f*
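The "How did it happen" section above describes an AWS key being served in the headers of an exposed backoffice and in a shipped front-end bundle. The scanner below is an added example, not code from this page, from Fractal, or from the interviewee: it audits a captured HTTP response for AWS-credential-shaped strings so a defender can catch this class of leak in their own staging or CI traffic. The header names, config keys and key values are all constructed.

```python
import re
from dataclasses import dataclass

# AWS access key IDs are 20 chars: a 4-char prefix (AKIA = long-lived IAM user key,
# ASIA = temporary STS key) followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-ish chars with no fixed prefix, so only flag them
# when they follow a "secret key"-like name (awsSecretAccessKey, AWS_SECRET_KEY, ...).
SECRET_RE = re.compile(r"(?i)(?:aws)?_?secret(?:_?access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})")


@dataclass(frozen=True)
class Finding:
    location: str   # "header:<name>:<offset>" or "body:<offset>"
    kind: str       # "access_key_id" or "secret_access_key"
    redacted: str   # first 4 and last 4 chars only; the full value never leaves the scanner


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str, prefix: str) -> list[Finding]:
    """Return every AWS-credential-shaped token in text, tagged with prefix and offset."""
    findings = [Finding(f"{prefix}:{m.start()}", "access_key_id", redact(m.group(0)))
                for m in ACCESS_KEY_RE.finditer(text)]
    findings += [Finding(f"{prefix}:{m.start(1)}", "secret_access_key", redact(m.group(1)))
                 for m in SECRET_RE.finditer(text)]
    return findings


def audit_response(headers: dict[str, str], body: str) -> list[Finding]:
    """Scan a captured HTTP response: each header value by name, then the body."""
    findings = []
    for name, value in headers.items():
        findings += scan_text(value, f"header:{name}")
    return findings + scan_text(body, "body")


# Constructed sample, not a real capture: a backoffice page that echoes its AWS key in a
# custom header, and a bundled config that embeds both halves of a key pair. Fake values.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Storage-Key": "AKIAEXAMPLEEXAMPLE01"}
SAMPLE_BODY = (
    "window.__CONFIG__={bucket:'kyc-uploads',"
    "awsAccessKeyId:'AKIAEXAMPLEEXAMPLE02',"
    "awsSecretAccessKey:'abcdefghijklmnopqrstuvwxyz0123456789ABCD'};"
)

if __name__ == "__main__":
    for f in audit_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{f.kind:<18} {f.location:<24} {f.redacted}")
```

Any hit is a rotate-the-key event; the offset tells you which header or bundle line to pull the credential out of.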