Financial technology company Revolut announced it had suffered a security breach that exposed the personal data of thousands of users. According to a company official, the cyberattack took place on Sunday night a week ago, was highly targeted, and allowed an unauthorized and still unidentified third party to obtain access to customers' personal details.
The number of users affected is relatively small, around 0.16%, and the attackers had access to the data only for a short period of time, as the Revolut team isolated the attack by early Monday morning. Furthermore, the company states that no funds have been stolen from the targeted accounts, and all impacted users have been notified through email. A dedicated team will also monitor the user accounts to ensure that funds and data are safe.
Over 50,000 Users Affected by the Cyberattack
As Revolut has a banking license in Lithuania, the breach disclosure to the Lithuanian State Data Protection Inspectorate says that 50,150 customers have been impacted, while exposed data includes full names, email addresses, phone numbers, account data, postal addresses, and specific limited payment card data. At the same time, an affected customer reports that the company claims in a message that the exposed data varies for different customers. Still, no passwords, card details, or PINs have been revealed.
No details about how the hackers might have gained access to the Revolut database have been disclosed, yet it looks like light social engineering is involved. Some Revolut customers also reported that at the time of the incident, the company’s support chat had been hacked as well and showed inappropriate language to visitors. That defacement may be an unrelated issue, though it is a worrying signal that the hackers might have had access to a broader range of the company’s services.
Revolut Breach Triggers New SMS Phishing Campaign
The recent data breach is expected to trigger a massive new wave of phishing attacks that try to take advantage of confused or uninformed Revolut users. Moreover, there is apparently already an ongoing SMS phishing campaign targeted at Revolut account holders. The messages claim the user’s card is frozen to prevent fraud and ask the user to request a new card by clicking on a malicious link and providing personal details.
The attackers are obviously aiming to steal full payment card details so that they can operate with the victim’s funds. For the protection of its customers, Revolut states that it will never ask them to provide sensitive information via email, SMS, or social media platforms, so any such messages should be considered a scam, and users should not interact with them.