Liquid, one of today’s top 20 cryptocurrency exchange portals, disclosed a security breach on Wednesday.
In a blog post on its website, the company said that last week, on Friday, November 13, a hacker managed to breach employee email accounts and pivot to its internal network.
The company said it detected the intrusion before the hacker stole any funds, but a subsequent investigation revealed that the attacker was able to collect personal information from Liquid’s database that stored user details.
Stolen information included real name, home address, emails, and encrypted passwords.
Liquid CEO Mike Kayamori said the company is still investigating if the intruder was able to steal proofs-of-identity that all users must provide when making their first transaction on the platform.
“We do not believe there is an immediate threat to your account due to our use of strong password encryption. Nevertheless, we recommend that all Liquid customers change their password and 2FA credentials at the earliest convenience,” Kayamori said.
Another social engineering attack leading to a DNS hijack
The company blamed the intrusion on its domain name provider, which fell victim to a social engineering attack and incorrectly transferred Liquid’s account to the hacker.
Liquid said that immediately after gaining control of this account, the attacker hijacked the company’s DNS records, pointing incoming traffic to a server under their control.
The hacker is believed to have used this control over the company’s DNS records to redirect employees to fake login pages and collect their work email credentials, which were then used to access employee work email accounts and, from there, to pivot into Liquid’s internal infrastructure.
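As an added illustration of the detection a defender would want for the DNS-record tampering described above (example code written for this page, not Liquid's or its DNS provider's own tooling), the following monitor compares an observed DNS snapshot against an operator-approved baseline and flags any record value that was never signed off; the domain, name servers and addresses are constructed placeholders.

```python
"""Baseline-diff DNS monitor: flag record values that were never approved."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Drift:
    name: str
    rtype: str
    added: frozenset    # values served now but absent from the baseline
    removed: frozenset  # baseline values no longer served


def _norm(values):
    return frozenset(v.lower().rstrip(".") for v in values)


def diff_records(baseline: dict, observed: dict) -> list:
    """One Drift per (name, rtype) whose value set deviates from the baseline.

    Both arguments map (name, rtype) -> iterable of record values. Removals are
    reported too, so a retired MX can be confirmed as an intended change.
    """
    drifts = []
    for key in sorted(set(baseline) | set(observed)):
        base, now = _norm(baseline.get(key, ())), _norm(observed.get(key, ()))
        if base != now:
            drifts.append(Drift(key[0], key[1], now - base, base - now))
    return drifts


def hijack_suspected(drifts: list) -> bool:
    """A value the baseline never approved (e.g. NS or A moved elsewhere)."""
    return any(d.added for d in drifts)


def resolve_a(name: str) -> set:
    """Live A-record lookup with the standard library only (no dnspython)."""
    return set(socket.gethostbyname_ex(name)[2])


# Constructed sample: approved baseline vs. a snapshot after a registrar-side
# change moved the name servers and the web front-end to other hosts.
BASELINE = {
    ("exchange.example", "NS"): ["ns1.good-dns.example", "ns2.good-dns.example"],
    ("exchange.example", "A"): ["203.0.113.10"],
    ("exchange.example", "MX"): ["mail.exchange.example"],
}
OBSERVED = {
    ("exchange.example", "NS"): ["ns1.rogue-dns.example", "ns2.rogue-dns.example"],
    ("exchange.example", "A"): ["198.51.100.77"],  # traffic now lands elsewhere
    ("exchange.example", "MX"): ["mail.exchange.example"],
}

if __name__ == "__main__":
    for d in diff_records(BASELINE, OBSERVED):
        print(f"{d.name} {d.rtype}: +{sorted(d.added)} -{sorted(d.removed)}")
    print("hijack suspected:", hijack_suspected(diff_records(BASELINE, OBSERVED)))
```

Run the diff on a schedule from a vantage point outside the domain's own name servers, since a hijacked NS set can answer consistently for itself.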
DNS hijacking attacks like these are bold, but they have also been very common against cryptocurrency services over the past few years. For example: