Paxful denies reports of customer data leak

A spokesperson from the crypto trading platform clarified that no leaks pertained to sensitive customer info.

An anonymous online source was recently spotted trying to sell private customer and employee data allegedly obtained from crypto exchange Paxful. A spokesperson from the company told Cointelegraph that no customer data has been jeopardized, however.

“Our customers’ data has not been compromised in any way,” said the spokesperson on Friday. “There has been no data breach of the Paxful platform,” they noted, adding:

“The employee data that the person claims to have was obtained illegally from a third party supplier that Paxful previously used; Paxful terminated its contract with this supplier in September 2020. We have taken measures to ensure that our employees are not impacted by this event and we’re continuing to actively monitor the situation as a precautionary measure.”

On Friday, someone posted a message in a Russian-language Telegram channel titled "Information leaks" that read, "A dump of the database of registered users and employees of the paxful.com P2P cryptocurrency trading platform has been put up for sale on the English-speaking shadow forum.”

The post noted phone numbers, names and addresses as well as other private information that was supposedly apprehended and made available for purchase as part of a “dump” that purportedly boasted more than “4.8 million entries.”

Hacks and data leaks are unfortunately not uncommon in a world growing more accustomed to technology. Facebook recently suffered a hack that compromised the data of more than 500,000 customers. Millions were affected by the notorious Equifax leak of 2017. Crypto hardware wallet company Ledger also suffered data hack troubles in 2020.

Peer-to-peer Bitcoin exchange Paxful says that its user data has not been leaked, despite claims to the contrary by an individual attempting to sell the supposedly stoen data.

Stolen Data Is Not User Records

A member of the stolen data marketplace RaidForums recently put up for sale a database supposedly containing information on 4.8 million Paxful customers and staff. That data would contain the names, birth dates, and contact information of Paxful’s users.

However, it appears the data for sale does not actually exist. Ray Youssef, CEO of Paxful, stated on Twitter that “all funds and identities are safe.” He added that “no user data was leaked [and] no breach was ever made [against] our users. Ignore the FUD.”

He asserted that the leaked data was in actual fact “old employee records from a payroll site we no longer use.”

It seems likely that Youssef’s account is correct. According to Decrypt, potential buyers of the allegedly stolen data were unwilling to pay because Paxful had not reported a breach. RaidForums administrators reportedly tagged the sale as suspicious as well.

Was Any Data Stolen?

Though Paxful might not have been attacked, crypto companies are frequent targets of data theft. In 2021 alone, KeepChange and BuyUCoin both saw data leaks. In previous years, Ledger, Poloniex, BitMEX and BTC Markets have also had user data exposed.

Data leaks, both actual and imagined, could encourage some users to move to decentralized exchanges that do not store user records.

However, even that is not enough to solve the problem, given that non-crypto websites can also be hacked. According to Wikipedia, over 350 companies have experienced user data breaches since 2004, including big tech companies like Yahoo and Facebook.

Disclaimer: At the time of writing this author held less than $75 of Bitcoin, Ethereum, and altcoins.

Paxful