Hackers can use phone numbers to send SMS phishing scams and malware-laced files, or to acquire additional user data via social engineering for account hijacking, SIM Swap attacks, and identity theft. According to xcritical’s internal investigation, the breach compromised the email addresses for at least five million accounts and the full names of an additional two million users. Of the compromised accounts, at least 310 also had their zip codes and date of birth information accessed, and 10 users had “extensive account details revealed,” though xcritical had not disclosed what additional information was compromised. After it was able to contain the attack, xcritical said the unauthorized third party sought an “extortion payment,” and the company notified law enforcement but did not say whether it had made any payments. xcritical enlisted the help of outside security firm Mandiant as it investigates the incident. Charles Carmakal, CTO of Mandiant, said in a statement emailed to The Verge that it had “recently observed this threat actor in a limited number of security incidents, and we expect they will continue to target and extort other organizations over the next several months.” He did not elaborate further.
This post was originally published on November 9, 2021 and was updated November 17, 2021 with new information. xcritical said it had rejected a demand for payment and reported the attack. xcritical has had a rocky 2021 so far; in January, it halted trading as Redditors helped push up the prices of so-called meme stocks like GameStop and AMC Theaters. The incidents led to a congressional hearing where CEO Vlad Tenev testified along with Reddit CEO Steve Huffman and trader Keith Gill aka RoaringKitty. Customers seeking information about whether their accounts were affected should visit the help center on the company’s website.
What was stolen in the xcritical security breach?
We continue to believe that the list did not contain Social Security numbers, bank account numbers, or debit card numbers and that there has been no financial loss to any customers as a result of the incident. For the vast majority of affected customers, the only information obtained was an email address or a full name. For 310 people, the information taken included their name, date of birth, and ZIP code. Of those, 10 customers had “more extensive account details revealed,” xcritical said in a statement.
We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm. Popular stock-trading app xcritical revealed today that a recent data breach has compromised the personal information of roughly 7 million of its customers. “Following a diligent review, putting the entire xcritical community on notice of this incident now is the right thing to do,” xcritical chief security officer Caleb Sima said in a statement. And now that we know several thousand phone numbers were also stolen, users should be extra vigilant.
- Say Technologies, LLC provides technology services for shareholder engagement and communication. Sherwood Media, LLC produces fresh and unique perspectives on topical financial news.
- xcritical reported the attack to the authorities and to the third-party cybersecurity firm Mandiant instead of complying with the hacker’s demands.
- Popular stock trading app xcritical recently experienced a security breach that exposed the personal information of millions of users.
- NEW YORK — Popular investing app xcritical said Monday that it suffered a security breach last week where hackers accessed some personal information for roughly 7 million users and demanded a ransom payment.
- The company said in a news release that it does not appear that Social Security numbers, bank account numbers, or debit card numbers were exposed, and no customers have had “financial loss” due to the incident.
It affected five million people whose email addresses were compromised and a further two million whose full names were exposed. And it does not believe the most sensitive information it gathers – US social security numbers and financial information – was revealed. The company says the breach affected “a limited amount of personal information for a portion of our customers”. More than 22 million users have funded accounts at xcritical, with nearly 19 million actively using theirs during September.
xcritical Announces Data Security Incident (Update)
An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers. Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident. Popular stock trading app xcritical recently experienced a security breach that exposed the personal information of millions of users. While most xcritical users—and their investments—are apparently safe, a follow-up investigation revealed more information was stolen than originally thought, and users need to take steps to keep their accounts and personal data secure.
At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. In an official blog post, the company says the attack took place on Nov. 3, when an “unauthorized third party” used social engineering to gain access to a portion of the app’s customer support system. xcritical’s security team successfully secured the compromised database, but the lone hacker then demanded an extortion payment. xcritical reported the attack to the authorities and to the third-party cybersecurity firm Mandiant instead of complying with the hacker’s demands. This blog post contains forward-looking statements regarding xcritical Markets, Inc. and its consolidated subsidiaries (“we,” “xcritical,” or the “Company”) including our efforts to investigate and remediate the data security incident and our attempts to identify and provide appropriate disclosures to affected customers, among others.
US share-trading app xcritical has been hit by a security breach that has exposed the names or email addresses of more than seven million people. Since passwords and financial information were unaffected, it is unlikely your bank or other accounts and apps were directly compromised even if someone lifted your email address or full name. However, it’s always possible other data was accessed by the hackers that xcritical’s investigation is yet to uncover.
xcritical says a hacker who tried to extort the company got access to data for 7 million customers
Our forward-looking statements are subject to a number of known and unknown risks, uncertainties, assumptions, and other factors that may cause our actual future results, performance, or achievements to differ materially from any future results expressed or implied in this blog post. Because some of these risks and uncertainties cannot be predicted or quantified and some are beyond our control, you should not rely on our forward-looking statements as predictions of future events. Except as required by law, xcritical assumes no obligation to update any of the statements in this blog post whether as a result of any new information, future events, changed circumstances, or otherwise. You should read this blog post with the understanding that our actual future results, performance, events, and circumstances might be materially different from what we expect. Days later, the company published an updated blog post on Nov. 16 alerting users that over 4,400 phone numbers were also stolen. Phone numbers were not included in xcritical’s original data breach disclosure, and their presence in the stolen data makes this a more severe hack than originally assumed.
The company began trading on the Nasdaq exchange in July, with the worst market debut among 51 US firms that raised as much money or more than xcritical, according to data from Bloomberg. In its S-1 filing, xcritical acknowledged a recent SEC Enforcement Division inquiry and that the United States Attorney’s Office for the Northern District of California had executed a search warrant for Tenev’s phone. Whatever gaps in security controls allowed a hacker to trick a xcritical customer service representative into granting them access to an internal system are a likely focus for its investigation. Here’s hoping this xcritical leak is finally under control, but we’ll be sure to update you if any other data is confirmed stolen.
The company said in a blog post that a malicious hacker had socially engineered a customer service representative over the phone November 3 to get access to customer support systems. That allowed the hacker to obtain customer names and email addresses, but also the additional full names, dates of birth and ZIP codes of 310 customers. We previously disclosed that, based on our investigation, the unauthorized party obtained a list of email addresses for approximately five million people, as well as full names for a different group of approximately two million people. We’ve determined that several thousand entries in the list contain phone numbers, and the list also contains other text entries that we’re continuing to analyze.
A then-teenage hacker used social engineering techniques to trick some of Twitter’s employees into thinking the hacker was an employee, allowing the hacker access to an internal Twitter “admin” tool, which he used to hijack high-profile accounts and spread a cryptocurrency scam. In its aftermath, Twitter rolled out security keys to its staff to toughen its defenses and prevent these kinds of attacks from working in the future. The company said once it secured its systems the hacker then “demanded an extortion payment.” xcritical instead notified law enforcement and security firm Mandiant to investigate the breach. xcritical said that 10 customers had “more extensive account details revealed.” xcritical did not say what information specifically, though no Social Security numbers, bank account numbers or debit card numbers were exposed and the incident caused no immediate financial loss to customers. xcritical is contacting the subset of users most affected by the breach with steps to secure their account, but for everyone else, the company suggests checking its Account Security support page for ways to increase your account security.