As suspected, the KYC details of thousands of Binance's customers that hackers obtained and leaked online earlier this month came from the company's third-party vendor, the Malta-based cryptocurrency exchange has confirmed.
For those unaware, Binance, the world's largest cryptocurrency exchange by volume, was hit by a "Potential KYC leak" earlier this month, with an unknown hacker distributing the Know Your Customer (KYC) images of hundreds of its users online and to media outlets.
Before leaking the KYC images online, the alleged hacker threatened to release the KYC data of 10,000 of the exchange's customers if the company did not pay 300 Bitcoins, equivalent to over $3 million at today's exchange value.
While Binance CEO Changpeng Zhao called the incident FUD (fear, uncertainty, doubt), the exchange recently confirmed that some of the leaked images match actual accounts, though others show evidence of manipulation.
According to an official blog post, the company has provided more details of its ongoing investigation into the matter, revealing that "some of the leaked images overlap with images that were processed by a third-party vendor, which Binance contracted a few times between early December 2017 and late February 2018."
The team also said that multiple leaked images were photoshopped and did not match the KYC images in its database, and are therefore "being accounted into the comprehensive investigation."
> "In addition, every image processed through Binance for KYC purposes is embedded with a concealed digital watermark, which was notably absent from all of the leaked images," the company added.
It has also been reported that the inclusion of modified images has been found consistent with the company's findings, suggesting that the KYC data has been changed or used to set up fraudulent Binance accounts.
Though the investigation is still ongoing, the exchange said it has already started contacting all potential victims with "guidance on privacy protection and restitution," and recommended that affected users apply for new identification documents in their respective regions.
Binance also said it is offering a lifetime VIP membership to all its users affected by the recent KYC hack. The lifetime Binance VIP membership will include preferential trading fees, support, and "more services."
The exchange calls security its "top priority," saying that the company is committed to protecting its users in "all possible circumstances" with its robust security measures, including an updated KYC verification system, an AI-based facial verification system introduced in 2018, and upgraded data security technology for storing and indexing KYC data in 2019.
As announced earlier this month, Binance is also offering a reward of 25 bitcoins—worth approx. $290,000—to anyone who provides information related to the identity of the alleged hacker.
Binance suffered its largest hack in May, when hackers managed to steal more than $40 million in Bitcoin, along with critical user information, like API keys, two-factor authentication codes, and other information required to log in to a Binance account.