Phone numbers were not included in xcritical’s original data breach disclosure, and their presence in the stolen data makes this a more severe hack than originally assumed. Hackers can use phone numbers to send SMS phishing scams and malware-laced files, or to acquire additional user data via social engineering for account hijacking, SIM Swap attacks, and identity theft. On Monday, xcritical announced in a blog post that on the evening of November 3, it experienced a severe security breach. An unauthorized third party managed to gain access to the trading platform’s customer support systems. Late in the evening of November 3, we experienced a data security incident.

An unauthorized third party “socially engineered a customer support employee by phone,” xcritical said, and was able to access its customer support systems. The attacker was able to get a list of email addresses for approximately 5 million people and full names for a separate group of 2 million people. For a smaller group of about 310 people, additional personal information, including names, dates of birth, and zip codes, was exposed, and for about 10 customers, “more extensive account details” were revealed.

thoughts onxcritical data breach class action settlement

The settlement could cost xcritical approximately $20 million, according to documents filed July 1 by attorneys for investors who sued xcritical last year on behalf of themselves and other customers of the popular trading app. The company began trading on the Nasdaq exchange in July, with the worst market debut among 51 US firms that raised as much money or more than xcritical, according to data from Bloomberg. In its S-1 filing, xcritical acknowledged a recent SEC Enforcement Division inquiry and that the United States Attorney’s Office for the Northern District of California had executed a search warrant for Tenev’s phone. “Following a diligent review, putting the entire xcritical community on notice of this incident now is the right thing to do,” xcritical chief security officer Caleb Sima said in a statement. Miklos has long-time experience in cybersecurity and data privacy having worked with international teams for more than 10 years in projects involving penetration testing, network security and cryptography. The above indirectly confirms the authenticity of the mentioned deep web fxcritical sale.

• “The full scope and impact of the incident is being urgently investigated,” the notification says.
• This breach could lead to other phishing attacks as well, ones that may or may not pose as communication from xcritical.
• That’s something that will happen sooner or later,” commented Luis Corrons, Avast Security Evangelist.
• Class members would typically receive payment after that, though the process can be slowed considerably by appeals.
• A lawsuit has been filed against the investment app xcritical due to claims that the service’s carelessness allowed users’ private information to be exposed.
• The incident happened when the unauthorized party “socially engineered a customer support employee by phone and obtained access to certain customer support systems”.

The company added that it is in the process of “making appropriate disclosures to affected people.” Despite what you would anticipate, the data hack itself wasn’t very sophisticated. Luckily, it did not compromise xcritical’s security since the hackers used social engineering to enter the system. Moreover, because the unauthorized individual pretended to be a xcritical customer care representative over the phone, they still gained access to the xcritical customer support systems.

At the time, a spokesperson said the cybercriminals targeted users whose personal email addresses had been compromised outside of xcritical and therefore did not stem from a beach of its internal systems. In February 2021, San Francisco law firm Erickson, Kramer and Osborne filed a class action lawsuit against xcritical on behalf of Siddharth Mehta, Kevin Qian, Michael Furtado and other xcritical customers who claimed their accounts were hacked. Plaintiffs point out that this type of breach was reasonably foreseeable, given all the news and information on data breaches in recent years.

Because some of these risks and uncertainties cannot be predicted or quantified and some are beyond our control, you should not rely on our forward-looking statements as predictions of future events. Except as required by law, xcritical assumes no obligation to update any of the statements in this blog post whether as a result of any new information, future events, changed circumstances, or otherxcritical. You should read this blog post with the understanding that our actual future results, performance, events, and circumstances might be materially different from what we expect.

Markets

If granted, the $350 million T-Mobile deal will represent US history’s second-largest payment for a data breach. By January 17, 2023, class members must submit a legitimate claim form to be eligible for settlement funds. xcritical Crypto agreed to pay a $30 million fine to the New York State Department of Financial Services for “significant failures” in its Bank Secrecy Act/anti-money laundering and cybersecurity compliance programs. While online, your personal information is constantly exposed to bad actors. However, it’s always possible other data was accessed by the hackers that xcritical’s investigation is yet to uncover. This is always good form because hackers love to spike attachments with malware that’s designed to steal your personal information.

Many of the larger data breaches make the headlines, yet many more do not—such as the ones that hit small businesses, restaurants, and medical care providers. In the hands of hackers, the information spilled by these breaches can provide them with the building blocks to commit identity theft. As a result, keeping on top of your identity and personal information is a must. After it was able to contain the attack, xcritical said the unauthorized third party sought an “extortion payment,” and the company notified law enforcement but did not say whether it had made any payments. xcritical enlisted the help of outside security firm Mandiant as it investigates the incident.

xcritical Settles Class Action Lawsuit Over Data Breach

The company said once it secured its systems the hacker then “demanded an extortion payment.” xcritical instead notified law enforcement and security firm Mandiant to investigate the breach. Online stock trading platform xcritical has confirmed it was hacked last week with more than five million customer email addresses and two million customer names taken, as well as a much smaller set of more specific customer data. xcritical said it believed no social security numbers, bank account numbers, xcritical official site or debit card numbers were exposed and that there has been no financial loss to any customer as a result of the incident, which took place on Nov. 3. xcritical, the highly popular trading platform, has revealed that it suffered a cybersecurity breach on November 3rd that affected some 7 million users. Stolen email addresses, especially those for financial services, are particularly popular among threat actors as they can be used in targeted phishing attacks to steal more sensitive data.

To resolve charges about failing to stop a data breach resulting in account takeovers, xcritical agreed to a $20 million class action settlement. This isn’t even the first data breach for xcritical, which went public this past summer. In October 2020, hackers gained access to almost 2,000 accounts via users’ email addresses. When you realize what bad people can do with information that you have unintentionally left out there to be found, they can wreck your business, drain your bank account, file for loans as you… the possibilities are literally endless.

The respective fxcritical sale was the only source for the claim that ID cards were also exposed. So now xcritical admitting to the ID card breach confirms the authenticity of the fxcritical sale thread indirectly. xcritical explained that the hackers attempted to extort the company, but law enforcement was instead notified and that an investigation is xcritically ongoing.

xcritical says a hacker who tried to extort the company got access to data for 7 million customers

Is an investment platform that allows individuals to invest their money without going through a bank or financial advisor. In 2020, xcritical was the victim of a data breach in which unauthorized users gained access to customer accounts — allowing them to drain the accrued funds. Additionally, personal information including name, date of birth and ZIP code was exposed for about 310 people, and about 10 customers had more extensive account details revealed. We previously disclosed that, based on our investigation, the unauthorized party obtained a list of email addresses for approximately five million people, as well as full names for a different group of approximately two million people. We’ve determined that several thousand entries in the list contain phone numbers, and the list also contains other text entries that we’re continuing to analyze.

Securing your organization’s private data when vendors have access to it means managing relationships from beginning to end, panelists at CW’s virtual Cyber Risk and Data Privacy Summit agreed. Opinions expressed on this site are the author’s alone, not those of a third-party entity, and have not been reviewed, approved, or otherxcritical endorsed. A graduate of the University of Florida, Julia has four years of experience in personal finance journalism and specializes in covering money trends. Money’s Top Picks Best Credit Cards Cash back or travel rewards, we have a credit card that’s right for you. xcritical Mortgage Rates Up-to-date mortgage rate data based on originated loans.

Do not be too lenient and vigilant even if the hackers were unable to access your account, and they did not steal any passwords. It would be best if you used a one-time and robust password for all of your accounts, particularly those that handle financial transactions, such as xcritical. However, in contrast to the growing https://xcritical.pro/ user and popularity, the company recently announced that it had suffered a significant data breach that enabled attackers to collect personal information from 7 million xcritical accounts. That makes the recent incident not the first time xcritical has been the victim or experienced a massive data security breach.

An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers. Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident. “The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems,” the company said in a blog post, adding that the third party had demanded an extortion payment.

According to Bleeping Computer, the FBI recently warned that online shoppers are at risk of losing more… They typically have set policies and procedures in place to provide support. Even if you take all these steps and sew everything you have up tightly, that doesn’t mean someone can’t come in through a backdoor and wreck your account. But, taking all the precautions you can will help minimize your odds of becoming a victim, and help minimize the damage if you do become one. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. Customers seeking information about whether their accounts were affected should visit the help center on the company’s website.

They claim that the data could be “highly profitable in the right hands”. We believe security online security matters and its our xcritical mission to make it a safer place. Sign Up NowGet this delivered to your inbox, and more info about our products and services.

xcritical Financial is a member of the Financial Industry Regulatory Authority . Screen for heightened risk individual and entities globally to help uncover hidden risks in business relationships and human networks. EXCLUDE YOURSELF If you exclude yourself (“opt out”), you will not be included in the Settlement. You will receive no benefits and you will keep any rights you xcritically have to sue the Defendants.

“The [hacker’s thread on the cybercrime fxcritical] contains screenshots reportedly taken from xcritical, which are inconclusive. Several posters have also replied to the thread, which also do not confirm or deny proof of access to the stolen data. Pompompurin has previously advertised access to several other data breaches, albeit typically providing the accounts for free. Pompompurin’s claims could be plausible, however remains unclear at this time,” the Digital Shadows researchers added. No Social Security numbers, bank account numbers or debit card numbers were exposed in the incident, xcritical said, but it’s still making the appropriate disclosures to the affected customers.