Open Exchange Rates discloses a security breach

Pierluigi Paganini March 16, 2020

Last week, Open Exchange Rates disclosed a data breach that exposed the personal information and hashed passwords for customers of its API service.

Last week, the currency data provider Open Exchange Rates has disclosed a data breach that exposed the personal information and salted and hashed passwords for customers of its API service.

Open Exchange Rates provides an API that allows its customers to obtain real-time and historical exchange rates for over 200 world currencies. The APT is used by several companies, including Shopify, Coinbase, and Kickstarter.

The company discovered the security breach while investigating a network issue that caused delays in its services.

The investigation revealed that an unauthorized user had gained access to their network and a database that contained the user data.

“Upon further examination, we determined that the unauthorised user appeared to have initially gained access on 9 February 2020, and could have gained access to a database in which we store user data.” reads the data breach notification. “Whilst our investigations are ongoing, we have also found evidence indicating that information contained in this database is likely to have been extracted from our network.”

In response to the incident, Open Exchange Rates has forced a password reset for all accounts created before March 2, 2020.

Open Exchange Rates recommends users to generate new API IDs using the account dashboard to access the service.

The security breach took place on February 9, 2020, and lasted since March 2, 2020, the company is aware that the unauthorized users might have extracted data from its systems due to a network misconfiguration.

The security breach exposed name, email addresses, encrypted/hashed passwords, IP addresses, App IDs (32-character strings used to make requests to our service) associated with users’ accounts, personal and/or business names and addresses for some users, country of residence (if provided, website address (if provided).

Stolen data could be used by threat actors to target organizations with spear-phishing campaigns.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – data breach, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment