A massive data breach hit Bitcoin ATM company Byte Federal, compromising user information including Social Security numbers, transaction histories, and even photographs. If you’ve done business with Byte Federal, it’s time to do more than change your passwords. You need to freeze your credit.

With more than 1,200 locations across the United States, Byte Federal is one of the largest Bitcoin ATM companies in America. For comparison, Bitcoin Depot is the most popular, with more than 8,000 installed machines across the U.S. Bitcoin ATMs solve a problem for the cryptocurrency: they make it seem normal and easy to use to the average consumer.

According to a data breach notification filed with the Maine Attorney General, Byte Federal discovered it had been breached on November 18. The attack happened on September 30. “Byte Federal became aware of a security breach by a bad actor who gained unauthorized access to one of our servers by exploiting a vulnerability in GitLab, a third-party software platform commonly used by developers worldwide for project management and collaboration with comprehensive security features,” Byte Federal explained in a post on its website.

“Upon discovery of the incident, our team immediately shut down our platform, isolated the bad actor, and secured the compromised server. We also made immediate enhancements to our systems, security, and practices,” Byte Federal said in its Maine data breach notice. The attack affected 58,000 customers.

That meant it reset every customer’s account, forcing them to update their passwords. “We have also updated all of our internal passwords, password management system, tokens and keys for our network to prevent any further unauthorized access,” it said. “With the assistance of an independent cybersecurity team, we are conducting a forensic investigation to determine the cause and the scope of the incident. This investigation is ongoing, and we continue to cooperate with law enforcement in this regard.”

It stressed that no user assets or funds were hit.

While it’s nice that no one’s money was lost, the list of personal information the attackers had access to is bad. It included customers’ “name, birthdate, address, phone number, email address, government-issued ID, social security number, transaction activity, and photographs of users.”

Byte Federal said it had no evidence that any of this personal information was actually leaked in the attack, but that’s cold comfort. The breach happened on September 30 and the company didn’t notice until a full month and a half later. A lot of things can happen in a month and a half.

If you’ve done business with Byte Federal, you should freeze your credit and place a fraud alert on your accounts. To its credit, the company suggested taking these steps in its communication about the hack. Freezing your credit can be a pain in the ass in the short term, but it’s better than someone stealing your identity or opening fraudulent accounts in your name.

Someone looking to freeze their credit should contact each of the three major credit reporting agencies—Equifax, Experian, and TransUnion—and fill out some forms. If you do it online or over the phone, the agencies have to freeze the account within one business day of receiving the request. There’s a federal website that can act as a guide.

This is not the first time hackers have compromised a Bitcoin ATM company. Last year, hackers hit the ATM company General Bytes and made off with $1.5 million. In September of this year, around the time of the Byte Federal breach, the FTC warned that ATM Bitcoin scams had jumped in the last few years.

“FTC Consumer Sentinel Network data show that fraud losses at BTMs are skyrocketing, increasing nearly tenfold from 2020 to 2023, and topping $65 million in just the first half of 2024,” the FTC said. “Since the vast majority of frauds are not reported, this likely reflects only a fraction of the actual harm.”


