PSA: Casa and Nunchuk were breached and their data is currently being sold
Login to reply
Replies (26)
Link?
Holy cow
π¬
Yep
No place is safe when you use a third party
RIP lol
Fascinating. Link?
nostr:nevent1qqs8v9h2d0vhw42nga2jhckmvfsxxps29g2ulcwtsftkwmc3l45kxks962h3p
π€
Casa was always sketchy lol
Nunchuk is a transaction coordinator for multisig usually π¬
Oh wow! Nunchuk
Third parties are security holes.
Every one of them.
nostr:nevent1qqs8v9h2d0vhw42nga2jhckmvfsxxps29g2ulcwtsftkwmc3l45kxkspzamhxue69uhhyetvv9ujuurjd9kkzmpwdejhgtczyrf56tftz3ppxxqzmqcwj2w9h90j3jmf9yd3m6f02dpej609xyy0yqcyqqqqqqglvvw0r
What data exactly?
nostr:nprofile1qqs0w2xeumnsfq6cuuynpaw2vjcfwacdnzwvmp59flnp3mdfez3czpsprpmhxue69uhkummnw3ezumr0wpczuum0vd5kzmp0ksxxx2 ?
Pretty much everything https://darkwebinformer.com/alleged-data-breach-of-multiple-cryptocurrency-platforms/
Hmmmm π€
nostr:nevent1qqs8v9h2d0vhw42nga2jhckmvfsxxps29g2ulcwtsftkwmc3l45kxks962h3p
Ouch! Is this true?
Yeah, very likely, the actor had a history of successful breaches and data distribution. https://darkwebinformer.com/alleged-data-breach-of-multiple-cryptocurrency-platforms/
Seems fake
Nunchuk doesnβt use phone numbers to create accounts or for 2FA
Seems fake, or he is BSing about having phone numbers for Nunchuk since they donβt use phone numbers. Email and password is all you need. They donβt log passwords, so mot sure how they allegedly got those too.
Looks fake. It's quite impressive that they managed to hack more users from us than even exist. π
We've investigated and haven't found any reason to believe it's true. The data they claim to have doesn't make sense.
nostr:nevent1qqsga7zah0euyp5pvs8e97gzehzsx4xquqrahe42n7r5aqmfuvnrrhgprpmhxue69uhkummnw3ezumr0wpczuum0vd5kzmp0qgs0w2xeumnsfq6cuuynpaw2vjcfwacdnzwvmp59flnp3mdfez3czpsrqsqqqqqpa3wcjp
So that actors had multiple real breeches and auctions but this one is fake because the reported accounts dont match?
The specific set of data doesn't make sense either. If they were able to retrieve password hashes then I'd expect they'd have all of the user fields, which they're not claiming to have.
If the threat actor wishes to prove the veracity of their claim, they should post a sample of the actual data.
I had to double check, lol its reporting lines of data not users so. Let's try again
Go request it looks like they do