Open Exchange Rates provides an API that allows organizations to look up exchange rates for more than 200 global currencies. The service's site states that its API is used by well-known companies such as Etsy, Shopify, Coinbase, Kickstarter and more.
In the emails that Open Exchange Rates sent to notify users of the data breach, it explains that the incident was discovered by accident. The service was investigating a network problem that was causing delays. It then discovered that an unauthorized user had gained access to the network and to a database containing user information.
Further investigation revealed that the hacker had access to the service's systems for almost a month (between 9 February 2020 and 2 March 2020). Open Exchange Rates has stated that the data contained in the database may have been stolen.
Exposed user information includes:
- Name and email address
- Encrypted / hashed password used to gain access to the account associated with the platform
- IP addresses from which users log on to the platform
- App IDs (32-character strings used to submit requests to the service) associated with the user account
- Business name and address
- Country of residence
- Site address
If users have used the breached password on other accounts or sites, they have to change it there too.
In addition, API keys for the service may have been exposed. For this reason, Open Exchange Rates recommends that all users create new API IDs to access the service.
Because this API is used by well-known organizations, Open Exchange Rates warns that the stolen data could be used in targeted spear-phishing campaigns. That is why companies should be very careful.
Users should also enable two-factor authentication on every site where they have an account, for additional protection.