BlockFi Says Hacker SIM-Swapped Employee’s Phone, No Funds Were Lost

BlockFi said an attacker got hold of users’ data by compromising an employee’s phone and taking control of the person’s phone number through a SIM swap attack.

The New York-based crypto lending platform announced in a memo to users on Tuesday that a hacker – whose identity remains unknown – gained access to some of its retail marketing systems for just over an hour early on May 14.

“On May 14, there was a data incident at BlockFi that exposed certain client account information for a brief period of time. While no information was accessed that would enable the intruder to access your account or your funds, we believe it is in the interest of transparency to share the following details with you, and all of our other clients who were potentially affected,” reads the memo, which was shared with CoinDesk.

BlockFi said the hacker accessed confidential data, such as names, dates of birth, postal addresses and activity histories. Other sensitive account information including bank account details, social security and tax identification numbers, passport and driver’s license numbers and photo scans, were not affected in the data breach, the company said.

User funds were also not affected.

In an incident report, also published Tuesday, BlockFi said the hacker had accessed through an employee’s phone. By tricking the mobile phone operator into activating the employee’s phone number on another device, the hacker was able to access some parts of the company’s internal systems.

“A BlockFi employee’s phone number was breached and utilized by an unauthorized third party to access a portion of BlockFi’s encrypted back-office system,” the incident report reads. “The unauthorized third party was able to access BlockFi client information typically used by BlockFi for retail marketing purposes throughout the duration of this incident.”

The report adds the hacker tried, unsuccessfully, to make withdrawals of user funds, before BlockFi was finally able to remove them from the internal system.

In a statement, a BlockFi spokesperson said: “A sole intruder gained minimal access for a short period of time to select internal marketing systems. The BlockFi team immediately mitigated the impact of the breach through a number of standing policies and safeguards in place to protect client assets and data.”

“The issue has since been resolved and BlockFi’s products and services are fully operational and secure,” the spokesperson added.

The spokesperson did not specify which mobile network the employee used.