Crypto Loans Firm Left Thousands of Users' Financial Data Exposed

Crypto loans platform YouHodler left a database with millions of logs containing users' private financial data unprotected, researchers found.

AccessTimeIconJul 25, 2019 at 11:40 a.m. UTC
Updated Sep 13, 2021 at 11:14 a.m. UTC

Cryptocurrency loans platform YouHodler left millions of records containing private financial data from thousands of users exposed online, researchers found.

In a blog post, vpnMentor said its research team, led by Noam Rotem and Ran Locar, discovered a database leak as part of their web-mapping project and traced it back to YouHodler.

The data, they found, exposed comes to more then 86 million records that includes users’ names, email addresses, home addresses, phone numbers and birthdays. It gets worse. Credit card numbers, CVV numbers, bank details and crypto wallet addresses were also exposed in the data.

"The implications of this breach are extensive," said the firm.

VpnMentor said it had contacted YouHodler on July 22, which responded a day later and fixed the issue.

YouHodler's website indicates that it has served over 3,500 customers and provided over $10 million in loans.

In its own blog post on the breach, YouHodler claimed the exposed files "did not contain any sensitive information and no one was affected."

The first part of that statement flies in the face of the researchers' findings, however. Rotem and Locar provided screengrabs of the data (with portions hidden to conceal user data) that seem to back up the claim that they were able to find CCVs (top image) and card numbers (bottom image) in the logs.


The team said "The first example shows that we still found all of the details needed to take full control of the card – including CVV numbers."

They added that, while the card holder’s name isn’t displayed in either of these logs, "numerous other records stored both names and credit card numbers together."

The researchers further found data allowing them to link users' names to bitcoin wallet addresses.

According to vpnMentor:

"The nature of the data that leaked from YouHodler’s database could have serious consequences. Any platform that stores credit card data should be taking several security precautions. If YouHodler only stored the BIN and last four digits of user credit cards, there wouldn’t be as much of an impact in this regard."

YouHodler said that it "understands user data is potentially at risk of being compromised from outside the platform," continuing:

"We do our best to prevent that from happening by implementing two-factor authentication and email verification. We are sure that all security settings are checked and renewed and there’re no vulnerabilities in our systems."

It seems its "best" wasn't good enough in this case.

Data image via Shutterstock; screengrabs courtesy of vpnMentor


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.