Update on Fractal ID Data Breach and Support for Affected Users

We want to share an update on the data breach attack that Fractal ID suffered on Sunday, July 14th. During the last week and a half, we have been actively engaging with affected users, our partners, the authorities and external cybersecurity support to come up with a shared understanding, and detail the next steps that Fractal ID will be following, to make sure a similar incident cannot happen in the future.

Update on the incident

Below, we are addressing some common questions from the wider community regarding the incident. For a detailed post-mortem on the incident, please read our previous blog post.

How many users were impacted by the attack?

  • Our team has been working relentlessly to assess the impact of the attack. After our internal analysis and review of our logs, we are confident the attack on July 14th, 2024 impacted 6.3k users (~0.5% of the user base). 
  • The monitoring systems check the rate at which an operator can access specific data, and there were no flags of unusual behavior prior to what was executed by the attacker on July 14th. Our system logs monitor operator activity for the previous 30 days. Suspicious activity prior to these 30 days would have led to the same signal that allowed us to discover this attack.
  • We have since hired Resonance, a cybersecurity agency, to conduct an external audit of the incident to confirm the exact number of impacted accounts. We expect to receive the independent analysis to validate the impact of the exploit in the coming days and will confirm the number of impacted accounts based on this external evaluation.
  • In addition, Resonance will help us identify the improvements needed to further increase Fractal ID’s security.

What support is being provided to users whose data was stolen?

  • Limiting the impact of the data breach is our main priority. We are committing all of our resources to conducting an external assessment, improving the security of the Fractal ID system, and doing all that we can to try to limit the negative impacts for users whose data was leaked.
  • We are offering a complimentary two-year subscription to an online identity and credit monitoring service to all relevant impacted users. Please reach us at help@fractal.id if you would like to enroll in this service, or if you think we can help you with anything else.
  • In addition, we are working closely with the German authorities to monitor and limit the spread of user data and initiate criminal investigations into the attack.

Why is Fractal ID storing PII data?

  • Financial service providers and other regulated entities are required to verify user identities in compliance with KYC/AML laws. Regulators worldwide require providers to be able to present this data if audited or needed to identify an individual or entity suspected of illicit financial activity.  
  • This obligation has traditionally been solved by requiring KYC solutions like Fractal ID to store this data centrally. Fractal ID retains user data to satisfy our clients’ regulatory needs.

Looking Forward 

We are listening closely to the community, our partners and those impacted by the data breach. We know that action and accountability are critical. As a result of the recent exploit, we are strengthening the security of our systems and implementing pivotal changes in how we store and process data. For seven years, we at Fractal ID have been steadfast in our convictions to build a better identity solution, and the recent attack has affirmed our belief in the need for better KYC practices in web3. In the coming days, we will share more on the pivotal changes coming to Fractal ID. We are grateful for the support of our partners and the patience of the community as we work to immediately contain the impact of the data breach and build a better solution for the future.

