SecurityWeek

Currency Data Provider ‘Open Exchange Rates’ Discloses Breach

Currency data provider Open Exchange Rates has started informing customers that their information was likely stolen by hackers.

Open Exchange Rates provides a currency data API that is used by over 80,000 web developers. According to its website, companies such as Shopify, Etsy, Kickstarter, Braintree and Coinbase use the API.

In emails sent to affected individuals, the company said hackers obtained a secure access key for its AWS infrastructure from a third-party IT services provider. The attacker then used that key to access Open Exchange Rates’ network, including a database storing user data.

The breach was discovered on March 2, after some of the company’s customers complained that requests to the API were resulting in timeouts. An investigation revealed that an unauthorized user had made changes to the company’s AWS environment.

The attacker apparently gained initial access on February 9, and evidence suggests that they exfiltrated the user database.

Open Exchange Rates said the database contained information such as name, email address, hashed account passwords, IP address, app ID, and, where provided, personal and business name and address, country of residence, and website address.

“There is no evidence to suggest that information relating to you was specifically targeted during the incident. However, our investigations have found that some of your information is contained in this database and therefore would have been accessible to the unauthorized third party,” Open Exchange Rates told customers.

In response to the incident, the company has reset all user passwords and customers have been advised to generate new app IDs, which are used to query exchange rate information from the service.

“Our AWS architecture has been designed according to the best practices for secure, high-availability services. This was a sophisticated attack, made possible by a data security breach at a third-party supplier, and we deeply regret that a compromised access key was able to facilitate unauthorised access in this way, resulting in the first security incident in our 8-year history,” the firm said.

SecurityWeek has reached out to the company to find out how many users were affected by the breach.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
