Decentralized blockchain platform Aleo has released a statement regarding the recent Know Your Customer (KYC) information exposure. The zero-knowledge (ZK) platform blamed the leak on a copy/paste error in email metadata.
Aleo said in a post on social media platform X that the KYC information leak affected about 10 participants from its recent Aleo Learn and Earn events. Aleo stated that it removed the exposed information, investigated the cause and informed the affected individuals.
The platform gathered users’ unencrypted KYC data through the third-party protocol HackerOne. Based on its findings, Aleo said it has begun implementing new long-term technical controls for its KYC confirmation practices.
According to reports on X on Feb. 25, Aleo, which focuses on ZK cryptography, revealed some users’ sensitive information.
This weekend, Know Your Customer (KYC) information about 10 participants from our recent Aleo Learn & Earn events was mistakenly exposed to other Aleo community members through a copy/paste error in email metadata.
We appreciate everyone’s patience as our team worked to remove…
— Aleo (@AleoHQ) February 26, 2024
ZK layer-1 blockchain platforms focus on providing enhanced privacy and security for users. They employ ZK-proof cryptographic techniques to enable transactions without revealing specific details, ensuring confidentiality.
This privacy-centric approach makes it challenging for external parties to trace or access sensitive information, offering users greater control over their data. These platforms aim to enhance privacy in blockchain transactions, making them secure and more confidential for participants.
In accordance with Aleo’s internal policies, users must complete KYC and Anti-Money Laundering (AML) requirements and pass the United States Office of Foreign Assets Control (OFAC) screening to claim a reward on Aleo.
Cointelegraph spoke to Adebayo Tiamiyu, a cybersecurity and blockchain investigations and intelligence expert, who highlighted that if a ZK platform like Aleo attributes KYC information exposure to a copy/paste error in email metadata, it raises concerns about the efficacy of its security protocols.
According to Adebayo, the incident highlights a lapse in handling personal data in blockchains. He further emphasized the need for strict data protection, continuous cybersecurity vigilance, and a “least privilege” approach, as regular audits and enhanced encryption are vital to prevent such incidents, even in supposedly secure blockchain platforms.
The Aleo mainnet, which aims to bring privacy to crypto transactions, is set to launch in the next few weeks once final bugs have been taken care of, Aleo Foundation executive director Alex Pruden stated.
Cointelegraph reached out to Aleo for details on the technical controls it intends to implement for KYC confirmation practices but has yet to receive a response.
Source: https://cointelegraph.com/news/aleo-says-kyc-leak-copy-paste-error