How Exploits Are Making Web3 Look More Like Web2.5
Data from over 40 crypto-based companies compromised through email service provider.
With malicious hacks, influencer pump-and-dumps, and various exploits, the question arises: are we really in Web3 or Web2.5?
Since January, the Web3 space has seen over $2 billion USD in lost funds, and most of these losses share one common denominator: human error or the exploitation of Web2 technologies, both things that should not exist in an optimized Web3 world.
Most recently, Klaviyo, a major email marketing provider, was compromised through a phishing attack on one of its employees, resulting in over 40 of its clients' databases being exposed. A large majority of these platforms were Web3 based, including NFT marketplace Rarible, crypto wallet platform Edge, intelligence firm Messari, Decrypt, and Swan Bitcoin.
Our email vendor (Klaviyo) experienced a data breach as a result of a phishing attack. Malicious actors have downloaded users’ emails from 38 companies, including Rarible.
Want to learn more about proactively protecting yourself? Read more below. https://t.co/2B3D0WGoNs
— Rarible (@rarible) August 9, 2022
On August 7th, Klaviyo, a company we use for email communication, informed us of a security incident that occurred on their systems.
A Klaviyo employee was phished, and 44 companies in the Bitcoin and crypto industries, including Swan, were affected.
Read Cory’s email below. pic.twitter.com/JsXaSGryMB
— Swan.com (@SwanBitcoin) August 10, 2022
“The threat actor used the internal customer support tools to search for primarily crypto-related accounts and viewed list and segment information for 44 Klaviyo accounts. For 38 of these accounts, the threat actor downloaded list or segment information,” read Klaviyo’s blog post on the situation.
In the case of Swan Bitcoin, customers' compromised data included first names, email addresses, IP-based geolocation data (such as the user's city), as well as information on how users originally joined the company's email list.
Additionally, Swan reported that roughly 0.3% of the leaked data included historical USD deposit information covering the period before March 2022. It warned users to be cautious, as any emails asking for additional identifying information are likely scams.
So why are Web3 companies using Web2 services? A few possible reasons: there isn't anything better yet, or it's simply more cost-effective. In the last six months the space has seen people scammed out of their entire wallet contents with a single signature approval, smart contracts lock themselves out of millions of dollars because a 1 was typed instead of a 0 in the code, and an influential member of the community accidentally purchase an NFT for 150 thousand USD.
Once the technology has developed and advanced to the point where these types of exploits and errors no longer exist, thanks to truly blockchain-based smart contracts and safety protocols, perhaps then we will truly be in Web3.