An investigation was initiated to address critical security vulnerabilities affecting Crypto.com accounts, primarily due to the exploitation of compromised email accounts from providers like Yahoo and AOL. The findings revealed that attackers were accessing these accounts and manipulating balances, often targeting smaller accounts for easier exploitation. The report outlined the methods used by hackers, including phishing, social engineering, and the purchase of stolen credentials on underground marketplaces.
The comprehensive report not only detailed these vulnerabilities but also provided actionable recommendations for remediating these issues, emphasizing the need for enhanced verification processes and stronger two-factor authentication measures. Additionally, it highlighted the importance of ongoing monitoring and user education to mitigate risks.
Alongside this investigative effort, the role of community ambassador for Crypto.com allowed for deeper engagement with the community, raising awareness and advocating for improved security practices on the platform.
Many users set their 6-digit passcodes to easily guessable combinations, such as birthdays or simple sequences. The weakness is compounded by the passcode-reset process, which goes through customer support and can be manipulated by attackers using the social-engineering techniques noted above. The investigation highlighted the need for stricter passcode policies that reject such predictable codes at the point they are chosen, together with a stronger identity-verification process for resets, so that accounts are protected from unauthorized access.
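One way to enforce the passcode policy the report calls for is to reject weak choices when the user sets the code. The checker below is an added example written for this page, not code from the report or from Crypto.com; the blocklist, the sequence/repeat rules and the date heuristic are assumptions about what "easily guessable" should cover, and a real deployment would pair this with a much larger blocklist and server-side rate limiting on entry attempts.

```python
import re

# Constructed blocklist of widely chosen 6-digit PINs. Assumption: illustrative
# only, not Crypto.com's list; a deployment would load a much larger one.
COMMON_PINS = {
    "123456", "654321", "111111", "000000", "123123", "112233",
    "121212", "123321", "112211", "159753",
}


def is_sequence(pin: str) -> bool:
    """True for a strictly ascending or descending run such as 123456 or 987654."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repeated(pin: str) -> bool:
    """True when the PIN is one digit, a pair or a triple repeated (777777, 343434, 250250)."""
    return any(pin == pin[:n] * (6 // n) for n in (1, 2, 3))


def looks_like_date(pin: str) -> bool:
    """Heuristic: True when the digits read as DDMMYY, MMDDYY or YYMMDD with a
    plausible day (1-31) and month (1-12); the two-digit year is not checked."""
    day_month_pairs = (
        (pin[0:2], pin[2:4]),  # DDMMYY
        (pin[2:4], pin[0:2]),  # MMDDYY
        (pin[4:6], pin[2:4]),  # YYMMDD
    )
    return any(1 <= int(mm) <= 12 and 1 <= int(dd) <= 31 for dd, mm in day_month_pairs)


def validate_passcode(pin: str) -> tuple:
    """Return (accepted, reason). Rejects malformed, blocklisted, sequential,
    repeated and date-like passcodes, checked in that order."""
    if not re.fullmatch(r"\d{6}", pin):
        return False, "passcode must be exactly 6 digits"
    if pin in COMMON_PINS:
        return False, "passcode is on the common-PIN blocklist"
    if is_sequence(pin):
        return False, "passcode is a simple ascending or descending sequence"
    if is_repeated(pin):
        return False, "passcode is a repeated digit or block"
    if looks_like_date(pin):
        return False, "passcode looks like a date (DDMMYY, MMDDYY or YYMMDD)"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("123456", "987654", "343434", "250993", "482917", "12a456"):
        print(candidate, validate_passcode(candidate))
```

The date heuristic deliberately errs on the side of rejection: it knows nothing about the user's real birthday, so any six digits that parse as a day and month are refused. The reason string is meant for the user-facing error so they learn why a code was turned down rather than guessing at the rule.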
The investigation uncovered a significant gap: the gift-card purchase flow did not prompt for a 2FA code, so an attacker who had taken over an account with 2FA enabled could still drain its balance by buying gift cards, without ever needing a second factor. Compounding this, the login process itself did not require 2FA, so a stolen or reset password alone was enough to sign in. Requiring 2FA at sign-in and for every action that moves funds, gift-card purchases included, would greatly enhance account security and protect user assets from theft.
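To make the gap concrete, the following added example (written for this page, not code from the report or from Crypto.com) models two step-up authentication policies and runs the attacker's sequence through each: a weak policy that mirrors the described behaviour, where login and gift-card purchases never prompt, and a hardened one where every sensitive action, login included, requires a second factor. The action catalogue, the five-minute freshness window and the idea that a factor verified at login is not re-requested for follow-up actions inside that window are design assumptions for this example, not details from the investigation; verifying the TOTP or push code itself is out of scope and is represented by a boolean.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Actions that move value out of the account or change how it is recovered.
# Assumption: an illustrative set for this example, not the platform's own catalogue.
SENSITIVE_ACTIONS = {"login", "withdraw", "gift_card_purchase", "change_email", "change_passcode"}

# How long one verified second factor covers later sensitive actions in the
# same session (design choice for this example, not a value from the report).
FRESHNESS = timedelta(minutes=5)


@dataclass
class Session:
    user: str
    twofa_enabled: bool
    last_2fa_at: Optional[datetime] = None  # when a second factor last verified


@dataclass
class Action:
    kind: str
    at: datetime
    amount: float = 0.0


Policy = Callable[[Session, Action], bool]  # True means "a second factor is required"


def weak_policy(session: Session, action: Action) -> bool:
    """Models the gap the investigation describes (assumed shape): login and
    gift-card purchases never prompt, so 2FA only guards the other sensitive actions."""
    guarded = SENSITIVE_ACTIONS - {"login", "gift_card_purchase"}
    return session.twofa_enabled and action.kind in guarded


def hardened_policy(session: Session, action: Action) -> bool:
    """Second factor is mandatory for every sensitive action. A login always
    prompts; afterwards one verified factor covers FRESHNESS worth of follow-ups."""
    if action.kind not in SENSITIVE_ACTIONS:
        return False
    if action.kind == "login" or session.last_2fa_at is None:
        return True
    return action.at - session.last_2fa_at > FRESHNESS


def authorize(session: Session, action: Action, policy: Policy, code_valid: bool) -> str:
    """Decide one action. `code_valid` is whether the caller presented a second
    factor that already verified (the TOTP/push check itself is out of scope)."""
    if not policy(session, action):
        return "allowed"
    if code_valid:
        session.last_2fa_at = action.at
        return "allowed (2FA verified)"
    return "denied: 2FA required"


def run_attacker_sequence(policy: Policy) -> List[str]:
    """Attacker holds the victim's password (e.g. via a compromised mailbox)
    but no second factor, and tries to drain the balance through gift cards."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamps
    session = Session(user="victim", twofa_enabled=True)
    steps = [
        Action("login", t0),
        Action("gift_card_purchase", t0 + timedelta(minutes=1), amount=500.0),
        Action("withdraw", t0 + timedelta(minutes=2), amount=500.0),
    ]
    return [f"{a.kind}: {authorize(session, a, policy, code_valid=False)}" for a in steps]


def run_legit_sequence(policy: Policy) -> List[str]:
    """Account owner verifies at login, buys a gift card a minute later, then
    withdraws ten minutes later without re-verifying."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    session = Session(user="owner", twofa_enabled=True)
    steps = [
        (Action("login", t0), True),
        (Action("gift_card_purchase", t0 + timedelta(minutes=1), amount=50.0), False),
        (Action("withdraw", t0 + timedelta(minutes=10), amount=50.0), False),
    ]
    return [f"{a.kind}: {authorize(session, a, policy, code_valid=ok)}" for a, ok in steps]


if __name__ == "__main__":
    for name, policy in (("weak", weak_policy), ("hardened", hardened_policy)):
        print(name, "attacker:", run_attacker_sequence(policy))
        print(name, "owner:   ", run_legit_sequence(policy))
```

Under the weak policy the attacker's login and gift-card purchase both go through and only the withdrawal is stopped, which is exactly the drain path the report describes. Under the hardened policy the attacker is stopped at login, while the legitimate owner is prompted once at sign-in, not again for the purchase a minute later, and prompted again for the withdrawal once the freshness window has expired.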