Compromised Data Of 5.7M Gemini Crypto Exchange Users Given Away On Hacking Forums

compromised data 5 7m gemini crypto exchange users sale hacking forums news
Gemini, the cryptocurrency exchange founded by the Winklevoss twins, published a blog post this week warning about phishing campaigns targeting its customers. These phishing campaigns are likely related to a previously undisclosed data breach that exposed the email addresses of the exchange’s 5.7 million customers. Gemini states that this security incident occurred at a third-party vendor, not the exchange itself. The blog post aims to reassure customers by clarifying that this incident did not impact “Gemini account information or systems” and that “all funds and customer accounts remain secure.”

The third-party vendor that suffered a data breach has yet to be named. Cybercriminals have attempted to sell the database multiple times on hacker forums, but have not provided many details in their posts. The stolen database first appeared for sale back in September, with the seller asking for thirty Bitcoin (~$670K at Bitcoin’s height that month) in exchange for a list of Gemini customers’ emails and partial phone numbers. The database was listed for sale two more times under different usernames, once in October and once in November.

breachforums post publishing stolen gemini customer data news
BreachForums post listing Gemini customer information for download

Then, on Tuesday of this this week, someone posted the entire stolen database for free on Breach Forums. It’s unclear whether this individual previously attempted to sell the database but was unsuccessful, covertly purchased it, or otherwise obtained it through some other means. We also still don’t know when the data breach occurred, though the second post attempting to sell the database claimed it was obtained in September.

Regardless, the personal information of Gemini’s 5.7 million customers is now publicly available online. According to the Breach Forums post, the stolen database includes customer’s email addresses, partial phone numbers, and partial Social Security numbers. The post states that the database is missing the middle three digits of customers’ Social Security numbers, but doesn’t specify what makes the phone numbers incomplete.

While, Gemini’s blog post doesn’t offer any details about the data breach, it does offer some recommended steps that customers can take to protect their accounts in light of the ongoing phishing campaigns. The first of these recommendations is for customers to change the email addresses associated with their accounts. Since the threat actors conducting phishing campaigns are contacting customers at the email addresses revealed in the data breach, associating different email addresses with Gemini could help users identify phishing attacks. Once a new email address is set, legitimate emails from Gemini should be sent to that address going forward, while the phishing emails will still be sent to the old address.

Threat actors may also attempt to conduct credential stuffing attacks on Gemini customers by cross-referencing their email addresses with other data breaches to source passwords. Gemini accounts “protected” by passwords re-used across multiple accounts could then be breached. Thus, Gemini customers without strong, unique passwords protecting their accounts should change their passwords. and potentially their email addresses as well, to ensure that threat actors can’t obtain their login credentials through prior data breaches. Two-factor authentication (2FA) is an additional recommended security measure that Gemini customers can enable on their accounts to ensure that this data breach doesn’t escalate to unauthorized account access.