Creditors with claims in FTX’s ongoing bankruptcy could potentially be doxxed if they published affiliate links, a pseudonymous Twitter user named @Alice_comfy claimed on Wednesday.
Kroll, the company that serves as a claims agent for creditors in the collapsed cryptocurrency exchange’s Chapter 11 bankruptcy, told users last week that sensitive information related to claims had been compromised in a data breach.
“[An] unauthorized party accessed files in Kroll’s cloud-based systems, including files that contained your name, address, email address, and the balance in your FTX account,” the firm said, adding that digital assets in the FTX case were unaffected.
Kroll also warned that for “certain claimants” the compromised information could include FTX account numbers and “unique identifiers assigned as part of the bankruptcy process,” according to its website.
Because FTX affiliate links—where customers could once earn rewards for getting others to sign up—contained account IDs, the links could be used to match personal information with pseudonymous Twitter accounts that shared them online, @Alice_comfy explained.
Kroll did not immediately respond to a request for comment from Decrypt.
Affiliate links allowed new FTX customers to receive a 5% fee discount on transactions, while those who shared them received 30% of the corresponding user’s total trading fees generated, according to Blockduo. A screenshot of the now-defunct referrals page on FTX shows the option for users to create their own custom affiliate codes as well.
The Twitter user told Decrypt that they “don’t think the breach is publicly available yet” in a Twitter DM. Still, the notion that FTX account numbers are listed separately from “unique identifiers” is cause for concern, they said.
When Kroll initially divulged the security incident, it said that sensitive information for other crypto-related bankruptcies was also accessed: BlockFi and Genesis. Being doxxed is the latest hurdle customers could face as they wait for some reprieve.
The malicious actor gained access to a Kroll employee’s phone because of a so-called SIM-swapping attack, where the target’s phone number was transferred. The attack has become established as a common way for criminals to steal crypto, too.
Kroll urged claimants to exercise caution moving forward and be on the lookout for phishing scams, where bad actors could trick people into divulging more sensitive information via fake emails.
The message was highlighted by Binance CEO Changpeng Zhao, who shared an example of what false emails could look like on Twitter on Sunday. Zhao said, “Learn to protect yourself.”
Stay on top of crypto news, get daily updates in your inbox.