Cryptocurrency exchange Liquid suffers security breach, user data exposed

Customers advised to change passwords and enable 2FA following hack.

Graham Cluley
@gcluley

Cryptocurrency exchange Liquid has revealed that it was hacked last week, after a malicious attacker managed to seize control of its DNS records, seized control of some internal email accounts, and gained access to the firm’s document storage infrastructure.

And, as a consequence, personal details of customers may now be in the hands of hackers.

In a blog post, Liquid CEO Mike Kayamori explained that last Friday the cryptocurrency exchange’s domain name hosting service incorrectly transferred control of its DNS records to a hacker.

Sign up to our newsletter
Security news, advice, and tips.

If a hacker manages to seize control of your domain’s DNS records they not only have the power to redirect people attempting to visit your website to a server under their control, but they can also receive emails being sent to your business – and all the sensitive information that that may contain.

It’s certainly an embarrassing turn of events for the Japanese firm which describes itself as “the world’s most comprehensive and secure trading platform”.

From the sound of things, there was a colossal security failure when it came to keeping Liquid’s DNS records out of the hands of unauthorised parties. It’s unclear what additional security measures Liquid and its DNS provider may have had in place to make it harder for such a disastrous sequence of events to occur.

But what we do know from Liquid’s blog post is that the consequences of the security breach could be very serious, putting customers at the risk of phishing, fraud, and identity theft:

We believe the malicious actor was able to obtain personal information from our user database. This may include data such as your email, name, address and encrypted password.

We are continuing to investigate whether the malicious actor also obtained access to personal documents provided for KYC (Know-Your-Customer) such as ID, selfie and proof of address, and will provide an update once the investigation has concluded.

Fortunately, Liquid says that all client funds are “accounted for, and remain safe and secure. MPC-based and cold storage crypto wallets are secured and were not compromised.”

Liquid is recommending that all of its customers change their passwords and ensure two-factor authentication (2FA) is enabled as soon as possible. As I have explained many times before, if you are changing your password – make sure that you are not using the same password anywhere else on the internet, and that you are also choosing a strong, hard-to-crack password.

For the last word, here is Liquid CEO Mike Kayamori again:

“We are extremely embarrassed at this compromise of personal information that commenced with a breach external to Liquid. We have always taken pride in our security of client data & assets to date, and this incident will encourage Liquid more than ever to raise the bar.”

“Once again, I apologize deeply for this humbling data breach and the loss of confidence that you may have. I assure you that we will be better and stronger and appreciate your continued support of Liquid.”

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.