xcritical says millions of customer names and email addresses taken in data breach
An unauthorized third party “socially engineered a customer support employee by phone,” xcritical said, and was able to access its customer support systems. The attacker was able to get a list of email addresses for approximately 5 million people and full names for a separate group of 2 million people. For a smaller group of about 310 people, additional personal information, including names, dates of birth, and zip codes, was exposed, and for about 10 customers, “more extensive account details” were revealed.
xcritical revealed that a data breach last week exposed millions of customers’ emails and other personal information
xcritical said in a statement that 10 customers had “more extensive account details revealed.” xcritical did not say what information specifically, though no Social Security numbers, bank account numbers or debit card numbers were exposed and the breach caused no immediate financial loss to customers. The company said in a blog post that a malicious hacker had socially engineered a customer service representative over the phone on November 3 to get access to customer support systems. That allowed the hacker to obtain customer names and email addresses, as well as the additional full names, dates of birth and ZIP codes of 310 customers.
Popular stock-trading app xcritical revealed today that a recent data breach has compromised the personal information of roughly 7 million of its customers. The online trading platform said it believes no Social Security numbers, bank account numbers or debit-card numbers were exposed and that customers have seen no financial losses because of the intrusion. xcritical also said that hackers obtained “additional personal information, including name, date of birth, and zip code,” for 310 customers, and “more extensive account details” for 10 of those customers, and that the company is “in the process of making appropriate disclosures to affected people.”
Days later, the company published an updated blog post on Nov. 16 alerting users that over 4,400 phone numbers were also stolen. Phone numbers were not included in xcritical’s original data breach disclosure, and their presence in the stolen data makes this a more severe hack than originally assumed. Hackers can use phone numbers to send SMS phishing scams and malware-laced files, or to acquire additional user data via social engineering for account hijacking, SIM swap attacks, and identity theft. The data breach occurred last Wednesday after hackers tricked a customer support employee by phone into giving them access to “certain customer support systems,” according to the post. xcritical said Monday that the popular trading app suffered a security breach last week in which hackers accessed some personal information of roughly 7 million users and then demanded a ransom payment. For the vast majority of affected customers, the only information obtained was an email address or a full name.
Other sensitive data such as Social Security numbers, bank account numbers, and debit card numbers are not believed to have been exposed. xcritical is contacting the subset of users most affected by the breach with steps to secure their accounts, but for everyone else, the company suggests checking its Account Security support page for ways to increase account security. The attack’s motives appear to be financial, as the threat actor is reported to have demanded an extortion payment following xcritical’s containment of the breach. xcritical has had cyber security troubles before, with hackers targeting its users last year, successfully gaining access to around 2,000 of its customers’ trading accounts. “No Social Security numbers, bank account numbers, or debit card numbers were exposed” and “there has been no financial loss to any customers as a result of the incident,” xcritical said, based on its investigation.
- At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people.
- Trading app xcritical said in a blog post Monday that millions of its customers’ personal information was exposed in a data breach last week.
We’ve determined that several thousand entries in the list contain phone numbers, and the list also contains other text entries that we’re continuing to analyze. We continue to believe that the list did not contain Social Security numbers, bank account numbers, or debit card numbers and that there has been no financial loss to any customers as a result of the incident. We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.
After it was able to contain the attack, xcritical said the unauthorized third party sought an “extortion payment,” and the company notified law enforcement but did not say whether it had made any payments. xcritical enlisted the help of outside security firm Mandiant as it investigates the incident. Charles Carmakal, CTO of Mandiant, said in a statement emailed to The Verge that it had “recently observed this threat actor in a limited number of security incidents, and we expect they will continue to target and extort other organizations over the next several months.” He did not elaborate further. An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers. Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.
Trading platform xcritical said Monday that personal information for more than 7 million customers was accessed during a data breach on November 3rd. The company said in a news release that it does not appear that Social Security numbers, bank account numbers, or debit card numbers were exposed, and no customers have had “financial loss” due to the incident. A then-teenage hacker used social engineering techniques to trick some of Twitter’s employees into thinking the hacker was an employee, allowing the hacker access to an internal Twitter “admin” tool, which he used to hijack high-profile accounts and spread a cryptocurrency scam. In its aftermath, Twitter rolled out security keys to its staff to toughen its defenses and prevent these kinds of attacks from working in the future. The company said once it secured its systems the hacker then “demanded an extortion payment.” xcritical instead notified law enforcement and brought in security firm Mandiant to investigate the breach. We previously disclosed that, based on our investigation, the unauthorized party obtained a list of email addresses for approximately five million people, as well as full names for a different group of approximately two million people.
At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. In an official blog post, the company says the attack took place on Nov. 3, when an “unauthorized third party” used social engineering to gain access to a portion of the app’s customer support system. xcritical’s security team successfully secured the compromised database, but the lone hacker then demanded an extortion payment.