Sensitive details about FTX customers were compromised during the earlier this month, despite Kroll initially claiming only “non-sensitive” was leaked.
The confirmation that the leaked details included information many people would categorize as sensitive came in a recently updated FAQ document from Kroll, which has later been shared among FTX creditors on social media platform X.
According to the screenshot shared, the leaked information included the following details about FTX customers:
“Names, email addresses, mailing addresses, FTX account numbers, unique identifiers assigned as part of the bankruptcy process, FTX account balances, phone numbers, and/or other claims details.”
The FAQ document also repeated what Kroll previously has communicated to customers, including the fact that FTX’s own systems have not been affected by the hack.
It also told customers that they do not need to take any action as a result of the breach, other than to be on alert for possible phishing scams.
The document was shared by a crypto trader and FTX claimant that goes by the name sunil_trades on X:
Responding to the post, several members of the crypto community expressed disappointed in how the data was handled and protected by Kroll, and noted that the leaked data could pose a real risk for FTX customers.
“From a physical security perspective, leaking the address along with the amount is a potential big deal especially if you are a high dollar creditor,” said one user, while others claimed they have already received phishing phone calls, text messages, and emails.
‘Non-sensitive customer data’
On August 25, shortly after the data breach, Kroll wrote in an email to FTX claimants that the compromised information included details such as names, addresses, and email addresses of FTX customers.
The email did not mention that details such as physical postal addresses and phone numbers were also leaked.
In an X post at the time, FTX’s new management wrote that only “non-sensitive customer data of certain claimants” had been revealed in the data breach.