Revolut data breach: 50,000+ users affected
Revolut, the fintech company behing the popular banking app of the same name, has suffered a data breach, which has been followed by phishing attacks aimed at taking advantage of the situation.
About the Revolut data breach
Revolut customers began noticing something was wrong on September 11, when some of them reported receiving “inappropriate wording via chat.”
A few days later, some users received an alert via email saying their account was affected following a cyberattack.
“We recently received a highly targeted cyber attack from an unauthorized third party that may have gained access to some of your information for a short period of time,” the alert said.
The attackers did not manage to access fund, credit card details, PINs or passwords, Revolut noted, but they had access to affected users’ personal data.
Since Revolut operates as a registered bank in Lithuania, Lithuania’s State Data Protection Inspectorate revealed on Tuesday that Revolut Bank suffered a data breach, that access to the database was obtained via social engineering methods, and that the data of 50,150 customers worldwide (20,687 of them in European Economic Area) has potentially been compromised.
This data includes names, addresses, email addresses, telephone numbers, part of the payment card data (part of it was “masked”), and account details.
Revolut users targeted by phishing via SMS
In its data breach notice to affected users, Revolut warned them to “be especially vigilant for any suspicious activity, including suspicious emails, phone calls or messages,” and said that it would not call or text them regarding this incident.
“Be extremely wary of any attempt to contact you. We will never ask you for your details or passwords,” the company emphasized.
A few days later, customers started receiving SMS phishing (smishing) messages, though they do not appear to be aimed just at those affected by this breach.
@RevolutApp I presume this is a text scam ? Just got it sent to me pic.twitter.com/mr0JrrYFDM
— ✨ Mark@Links 📡🛰✨ (@satellitetruck) September 18, 2022
@RevolutApp I read you have been beached, not from an email from you but through the cyber community. Then I get this message: (first message is legit, following message i suspect is not) pic.twitter.com/mvVKjGxsFt
— Simon Vernon (@xzer0f) September 18, 2022
The phishing page to which the link points is still up. Users who follow the link are first faced with a security challenge asking them to confirm they are not a robot and then are asked to solve a visual CAPTCHA. Finally, they are taken through a set of well crafted pages asking them to log into Revolut by entering their phone number, passcode, full name, email address, date of birth, and the info related to the debit card attached to their account.
According to Report Smishing, a smishing research project run by Sharad Agarwal, a Ph.D student at University College London, the same IP address hosted another Revolut-themed smishing URL a month ago.
“Dwell time (the amount of time the attacker is in the environment) plays a significant role in the scope and impact of a breach. Rapid detection and response to contain the threat exponentially lowers the cost and time associated with remediation. The fact that Revolut was able to act quickly in this situation certainly has a great impact on the extent of the damage the attacker was able to carry out,” noted Randy Watkins, CTO at Critical Start.
“We are seeing more and more attacks using social engineering and we will surely continue to see them happening. Social engineering is so successful because most employees just want to do their jobs and help others. While the resulting second-wave phishing attack wasn’t the likely motive in this case, secondary outreach directly to the end user is always a possibility when it comes to these types attacks. Likely, the attackers would have preferred to get the information they wanted directly from Revolut, but with the information they were able to gain access to, they can significantly raise their chances of phishing the end users.”