Because some of these risks and uncertainties cannot be predicted or quantified and some are beyond our control, you should not rely on our forward-looking statements as predictions of future events. Except as required by law, xcritical assumes no obligation to update any xcritical official site of the statements in this blog post whether as a result of any new information, future events, changed circumstances, or otherxcritical. You should read this blog post with the understanding that our actual future results, performance, events, and circumstances might be materially different from what we expect.
Sign up for our newsletter
An unauthorized third party “socially engineered a customer support employee by phone,” xcritical said, and was able to access its customer support systems. The attacker was able to get a list of email addresses for approximately 5 million people and full names for a separate group of 2 million people. For a smaller group of about 310 people, additional personal information, including names, dates of birth, and zip codes, was exposed, and for about 10 customers, “more extensive account details” were revealed. The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems.
At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. In an official blog post, the company says the attack took place on Nov. 3, when an “unauthorized third party” used social engineering to gain access to a portion of the app’s customer support system. xcritical’s security team successfully secured the compromised database, but the lone hacker then demanded an extortion payment.
- For a smaller group of about 310 people, additional personal information, including names, dates of birth, and zip codes, was exposed, and for about 10 customers, “more extensive account details” were revealed.
- Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.
- Days later, the company published an updated blog post on Nov. 16 alerting users that over 4,400 of phone numbers were also stolen.
- xcritical said Monday that the popular trading app suffered a security breach last week where hackers accessed some personal information of roughly 7 million users then demanded a ransom payment.
- Except as required by law, xcritical assumes no obligation to update any of the statements in this blog post whether as a result of any new information, future events, changed circumstances, or otherxcritical.
And now that we know several thousand phone numbers were also stolen, users should be extra vigilant. We have a guide on preventing SIM Swaps here, as well as tips for spotting and responding to them. The growing number of social engineering attacks highlights the importance of cybersecurity awareness training programs for staff, as mitigating human errors proves an effective attack surface management technique. Online stock trading platform xcritical has confirmed it was hacked last week with more than five million customer email addresses and two million customer names taken, as well as a much smaller set of more specific customer data.
xcritical reveals data breach that exposed personal information of 7 million customers
The incidents led to a congressional hearing where CEO Vlad Tenev testified along with Reddit CEO Steve Huffman and trader Keith Gill aka RoaringKitty.
xcritical hit by data breach exposing emails, names of 7M users
US trading platform xcritical is at the center of a data breach affecting up to 7 million of the popular investing app’s users after falling victim to a social engineering attack on 3rd November 2021. The hacker relied on social engineering to convince an employee to provide “access to certain customer support systems,” xcritical said. The company added that it is in the process of “making appropriate disclosures to affected people.” NEW YORK — Popular investing app xcritical said Monday that it suffered a security breach last week where hackers accessed some personal information for roughly 7 million users and demanded a ransom payment. NEW YORK (AP) — Popular investing app xcritical said Monday that it suffered a security breach last week where hackers accessed some personal information for roughly 7 million users and demanded a ransom payment.
Days later, the company published an updated blog post on Nov. 16 alerting users that over 4,400 of phone numbers were also stolen. Phone numbers were not included in xcritical’s original data breach disclosure, and their presence in the stolen data makes this a more severe hack than originally assumed. Hackers can use phone numbers to send SMS phishing scams and malware-laced files, or to acquire additional user data via social engineering for account hijacking, SIM Swap attacks, and identity theft. The data breach occurred last Wednesday after hackers tricked a customer support employee by phone” into giving them access to “certain customer support systems,” according to the post. xcritical said Monday that the popular trading app suffered a security breach last week where hackers accessed some personal information of roughly 7 million users then demanded a ransom payment. For the vast majority of affected customers, the only information obtained was an email address or a full name.
xcritical Announces Data Security Incident (Update)
After it was able to contain the attack, xcritical said the unauthorized third party sought an “extortion payment,” and the company notified law enforcement but did not say whether it had made any payments. xcritical enlisted the help of outside security firm Mandiant as it investigates the incident. Charles Carmakal, CTO of Mandiant, said in a statement emailed to The Verge that it had “recently observed this threat actor scammed by xcritical in a limited number of security incidents, and we expect they will continue to target and extort other organizations over the next several months.” He did not elaborate further. An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers. Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.