An unidentified threat actor has breached the systems of FinTech company Revolut and accessed the personal details of over 50,000 users. The incident occurred on Sunday, September 11, and Revolut said it took immediate action to restrict the hacker’s access. Lithuania’s State Data Protection Inspectorate (VDAI) announced on Friday, September 16, that it had launched an investigation into the incident.
An affected user took to social media to voice concerns and share the breach notification message they received from Revolut.
“This was an isolated incident and the security of our customers’ accounts remains our top priority. Although cyber-attacks are a regular threat to many businesses, we took immediate action to properly manage this incident and protect our customers,” a translation of Revolut’s email to its users shared on Reddit reads.
While the company says the hackers only breached its systems momentarily, it was enough time for the threat actor to access the details of up to 50,150 users.
Revolut said the breach affected only a tiny fraction of its users, and no funds or sensitive financial data was exposed. Nonetheless, the company has cautioned users to be on high alert for any suspicious activity.
‘Highly Targeted Cyber Attack’
Revolut said the “highly targeted” cyberattack affected only 0.16 percent of its users. The threat actor reportedly breached the company’s systems using social engineering techniques.
Lithuania’s data protection watchdog said that out of the 50,150 affected users, over 20,000 are based in Europe and just 379 in Lithuania. According to the organization, the exposed data may include full names, addresses, email addresses, telephone numbers, and partial bank card information.
While Revolut said the exposed data might vary for different users, the company insists no card details, passwords, or PINs were exposed.
Potential Identity Fraud, Phishing Attacks
Revolut has contacted the affected customers to reassure them that the situation is under control and warned them to be on high alert for follow-up attacks. The company directed users to read about fraud protection on its website, and noted that it wouldn’t reach out to users via call or text to ask for any information.
“Be extremely wary of any attempts to contact you. We will never ask you for your details or passwords,” the company’s translated email said.
Usually, after such attacks that expose user data, threat actors take advantage of the leaked information to orchestrate phishing scams and identity fraud or to dupe victims.
One such case was reported by a Revolut user who received an SMS on Sunday stating that they are set to receive a new debit card. The text also contains a URL. According to Bleeping Computer, the link takes users to a phishing website where they are required to fill in their login and card details, inadvertently handing this information over to the hackers.
FinTech apps like Revolut are always in the crosshairs of threat actors motivated by the prospect of stealing from victims. Our guide to identity theft contains information about how to protect yourself from such malicious schemes. Also, we recommend checking out our article on phishing and social engineering to learn how to avoid falling victim to these scams.