Data breach raises questions about Fractal ID’s decentralized identity architecture

A data breach at decentralized digital identity verification provider Fractal ID has exposed the ID documents and facial images of thousands of users and sparked online criticism of the company. A hacker gained unauthorized access to a platform operator’s account, and ran an API script for about 2 hours and 15 minutes last Sunday, according to the public breach notification.

Fractal ID has over 1 million users, according to its website, and the breach affected 0.5 percent, meaning 5 thousand of them. The company confirmed in an email to Biometric Update that about 6,300 of 1.1 million users were affected.

The breached data includes users’ names, email addresses, digital wallet addresses, physical addresses, phone numbers, facial images and uploaded photos of documents like passports and driver’s licenses.

The company says it first contacted affected users and took immediate steps to mitigate the breach’s impact, and has now implemented additional security measures. The relevant data protection authorities and police have been contacted. Clients’ systems are unaffected, Fractal ID says.

The lack of centralized data repositories that function as honeypots drawing the attention of malicious actors is one of the main selling points for decentralized digital identity. Fractal ID refers to “selective data access and revocations at a user level” on its website, and is also a building partner of decentralized storage platform idOS, which raises questions about how the operator account was able to access so many records.

“Data breaches can result in the accessed data being shared with third parties or used for commercial purposes,” the company states. “We encourage affected users to be cautious of unsolicited communications requesting additional personal information.”

But skilled hackers in possession of the breached data likely have all the personal information they need to carry out fraud in the name of Fractal ID users.

This post was updated at 4:59pm Eastern on July 18, 2024 to correct the number of users affected.
