Open Exchange Rates discloses a security breach

Last week, Open Exchange Rates disclosed a data breach that exposed the personal information and hashed passwords for customers of its API service.

Last week, the currency data provider Open Exchange Rates has disclosed a data breach that exposed the personal information and salted and hashed passwords for customers of its API service.

Open Exchange Rates provides an API that allows its customers to obtain real-time and historical exchange rates for over 200 world currencies. The APT is used by several companies, including Shopify, Coinbase, and Kickstarter.

The company discovered the security breach while investigating a network issue that caused delays in its services.

The investigation revealed that an unauthorized user had gained access to their network and a database that contained the user data.

“Upon further examination, we determined that the unauthorised user appeared to have initially gained access on 9 February 2020, and could have gained access to a database in which we store user data.” reads the data breach notification. “Whilst our investigations are ongoing, we have also found evidence indicating that information contained in this database is likely to have been extracted from our network.”

In response to the incident, Open Exchange Rates has forced a password reset for all accounts created before March 2, 2020.

Open Exchange Rates recommends users to generate new API IDs using the account dashboard to access the service.

The security breach took place on February 9, 2020, and lasted since March 2, 2020, the company is aware that the unauthorized users might have extracted data from its systems due to a network misconfiguration.

The security breach exposed name, email addresses, encrypted/hashed passwords, IP addresses, App IDs (32-character strings used to make requests to our service) associated with users’ accounts, personal and/or business names and addresses for some users, country of residence (if provided, website address (if provided).

Stolen data could be used by threat actors to target organizations with spear-phishing campaigns.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – data breach, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.