Inside money, markets, and big tech

Botched ICO leaks users’ passport data, calls police on guy who found the bug


Fledgling cryptocurrency startup Sentinel Chain, which promised to “unlock the economic potential” of the poor, launched its initial coin offering (ICO) earlier this week, but it missed one thing: a critical vulnerability that made it possible to scrape its users’ personal data, including their emails and passport images.

Shortly after kicking off its ICO on February 5, Sentinel Chain was forced to temporarily shut down its token sale after the company was notified that its KYC system (a common procedure users need to complete in order to enter token sales) was leaking users’ credentials due to a severe glitch.

The company has since confirmed the issue on its official Medium page, where it also detailed the total impact of the vulnerability. “At around 00:15 GMT, one of our registered Sentinel participants notified us of the vulnerability on our website,” CEO Roy Lai wrote.

All personal information submitted such as e-mail addresses, passwords or Ethereum public addresses, were encrypted on our database,” he continued. “However, a vulnerability on our registration site had allowed some of the uploaded files to be accessed by another registered user.”

According to the post, the Sentinel team was able to identify a total of 15 individuals who attempted to exploit this glitch.

At the same time, the team identified the 21 registered participants who have been affected by the incident,” Lai further added. “Over the past couple of days, I have been personally reaching out to them to assure them that we are taking all necessary steps to protect their personal information.”

Chatter from the Sentinel Chain Telegram group.

Sentinel Chain says it has since reported the breach to the authorities for safety.

“After our thorough investigations, we can confirm that this incident was an unintentional and accidental discovery,” the blog post explains. “We have gained their compliance and co-operation to destroy the files. We have no evidence to suggest that this was a malicious attack.”

“As required by law and on the advice of our legal advisors, we also have notified the relevant authorities, government and law enforcement agencies.”

Indeed, someone complained in a now-deleted Reddit thread that following tipping Sentinel off to the security threat, the Singapore-based startup went on to report the anonymous poster to police.

I received an e-mail from InfoCorp, the company that owns Sentinel Chain saying that they have notified the relevant authorities and that they are in consultation with their legal advisors on pursuing such unauthorised access to the maximum extent permitted at law including under the Computer Misuse and Cybersecurity Act (Chapter 50A),” the poster claimed. 

“As a thank you for reporting the [vulnerability] I got a police investigation,” the message further reads.

Sentinel Chain has already revealed its intentions to resume the ICO on February 10, but this blunder reflects especially poorly on its reputation.

Despite the backing of Singaporean fintech firm InfoCorp and a recent partnership with emerging blockchain solution VeChain, the leak will likely scare off a number of potential investors – as it should.

Meanwhile, Sentinel is hardly the only startup to mess up properly protecting its users data. Indeed, last week an upcoming Airbnb competitor known as BeeToken got its email list hacked, enabling the attackers to phish more than a million worth of Ether from investors.

If anything, the Sentinel mishap goes on to show that – contrary to popular belief – moving your business on the blockchain still leaves you susceptible to breaches.

Published February 7, 2018 — 15:57 UTC