Data of millions of Vietnamese investors on virtual currency app leaked
A hacker has offered for sale the data of millions of users of ONUS, one of the most popular cryptocurrency investment applications developed in Vietnam.
The information was posted on R***forums, where hackers often trade and share data. Previously, many cases of data leaks were revealed on this site.
According to the post by an account called “vndcio” created in December 2021, the hacker broke into the server of Goonus.io, the official website of ONUS, and obtained data of about 2 million ONUS users.
The data includes the first and last name, email, all the information on the identity card, and a picture and video of the face of the victims. This is the data used for eKYC (electronic Know Your Customer identity verification) of ONUS users.
To prove it, the hacker gave detailed information about identity cards, passports, and authentic videos of some victims who are users from Vietnam, India and Indonesia. All information was shared in the form of unencrypted images and videos.
According to the hacker, after exporting the data, he deleted the files stored on ONUS's server. As a result, the developer of the app lost its users' eKYC data. The hacker did not set a price for the data package but he left an email address.
The ONUS application, formerly VNDC, was launched on March 23, 2020. After 18 months of operation, ONUS is now one of the most used digital investment applications in Vietnam with more than 1.5 million downloads.
About 90% of ONUS users come from Vietnam, and the rest are from Nigeria, India, the Philippines, Indonesia and other countries.
Mr. Tran Quang Chien, CEO of ONUS, told VietNamNet that several days before the hacker released the information about this case, ONUS had informed its users about the issue. The case was due to ONUS's shortcomings in applying the patch for the Log4Shell vulnerability, which was discovered recently and is considered the most dangerous vulnerability of the decade.
The Log4Shell vulnerability was found in Log4j, a Java logging library that applications use to record their activity (logs). Log4j is used on a wide range of servers around the world. Many large corporations and technology firms such as Alibaba, Minecraft or even Apple, Amazon, and Twitter are said to have been affected by this vulnerability to some degree.
For ONUS, after exploiting this vulnerability, hackers were able to access the configuration information of the data storage system (Amazon S3). The leaked data includes some of the customers' personal information, including the name, email address, phone number, KYC data, transaction history and many other encrypted data. ONUS has already notified its customers and advised them to change their password on the app.
Chien said that the company is focusing on reviewing and upgrading the system's safety and security in order to protect the rights of users. According to him, a large amount of ONUS data was deleted and the firm is trying to recover it. However, the operation of the ONUS application is still normal, except that at times it is overloaded due to the large number of new users.
He affirmed that the digital assets of users are not affected and the company has committed to pay 100% compensation if users' assets are lost because of security issues that are ONUS's fault.
“We have a budget of 5 million USD to compensate for the loss of user assets at ONUS. However, we have not received any compensation requests from users,” Chien said.
Chien revealed that this app has nearly 2 million users, about 80% from Vietnam.
“This incident is a big lesson for ONUS and we will definitely work harder to improve security in our application. ONUS's plan remains unchanged with the goal of helping 10 million people around the world access the Blockchain world,” he added.