At 14:17 (GMT) on 28th November 2019, we received an email informing us that one of our API endpoints had a bug exposing private information (full name, email address, and marketing opt-in status) of some of our customers.
The bug was fixed at 19:30 (GMT) on 28th November 2019 and our site is working normally.
Unfortunately this bug had existed since the launch of Kickback in October 2018. We estimate that the breach has potentially affected 46 customers. We have already notified the affected customers and urged them to take precautionary measures.
We consulted the Information Commissioner’s Office (the UK’s independent body set up to uphold information rights and to provide guidance for all sectors on how to comply with data protection law) and took the following actions based on its advice.
- We contacted third-party projects which may have consumed our API endpoints, to check that they do not store private information and to ask them to discard any they had stored previously. So far they have all replied that they store nothing apart from the Ethereum addresses.
- We have instructed the individual who reported the incident to discard any private information they obtained.
- We carried out an extra check on our API endpoints to ensure that we do not have any other similar vulnerabilities.
Kickback values your privacy and deeply regrets that this incident occurred. We will monitor this incident closely and keep you updated.