Sydney-based social ticketing startup Qnect Technologies has had its customer data stolen this week, with the hackers threatening to publish the information online unless the business paid out bitcoins.
On Tuesday evening, Qnect users were sent a text message informing them there was a “security incident” on the service, and that their data, including email address and card information, would be posted online unless Qnect paid bitcoins; the amount wasn’t specified.
Identifying themselves as “RavenCrew”, the message from the hackers called for the customers to help convince Qnect to pay, providing the email addresses of two Qnect employees including cofounder Ryan Chen.
Responding to the breach, Qnect cofounder Daniel Lang sent an email to customers later that night stating the business was aware that the message had been sent out, and that they had contacted the Australian Federal Police.
“We are now currently dealing with the situation and the Australian Federal Police are now involved to investigate this person,” said Lang.
Lang added that customers should ignore the messages, and confirmed that the person responsible didn’t hold any financial or card information.
“I can confirm that this person does not have any financial information, and all card information is stored with third party payments processor Stripe,” he wrote.
“If they have texted you, the maximum they will have is your name, email, phone number to text you on. During this time we must all stay calm, communicate effectively, and stand as a community.”
Startup Daily reached out to Lang for further comment.
Qnect’s ticketing platform is predominantly used by university societies, offering them a space to browse local university events. Event tickets purchased can be processed through Qnect, gifted to friends or resold through the platform at a discounted price.
The platform also integrates with Facebook’s API, allowing users to log in through their social account. Customers who signed up with Facebook have not had their accounts breached.
Taking to social media, various Qnect users discussed the threatening text, with Twitter user Tommaso Armstrong, a student at the University of Technology, highlighting that the breach may have been caused by a leak in the platform’s ticket purchasing system.
According to Armstrong, if a customer enters a phone number when purchasing a ticket that already exists on another user’s account, the system then draws that user’s other contact details forward, including email address, student ID, degree and name, similar to how Google Chrome can autofill a user’s information.
When you put in a dummy phone number when buying tickets and it leaks profile information based on that…. Great work, @QnectHQ pic.twitter.com/i7OOSkP0Ln
— Tommaso Armstrong (@tommarmstrong) May 29, 2017
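The lookup behaviour Armstrong describes, modelled next to a hardened version, as an added example: this is not Qnect's code, and the field names, function names and sample records are all hypothetical and constructed for illustration.

```python
from collections import Counter

# Constructed sample records; hypothetical schema, not Qnect's.
USERS = {
    1: {"phone": "0400000001", "name": "Alice Example",
        "email": "alice@example.edu", "student_id": "z1000001", "degree": "Law"},
    2: {"phone": "0400000002", "name": "Bob Example",
        "email": "bob@example.edu", "student_id": "z1000002", "degree": "Engineering"},
}
PROFILE_FIELDS = ("name", "email", "student_id", "degree")
MISMATCHES = Counter()  # per-client count of lookups for someone else's number


def find_by_phone(phone):
    """Return (user_id, record) for the account holding this phone number."""
    for uid, rec in USERS.items():
        if rec["phone"] == phone:
            return uid, rec
    return None, None


def prefill_vulnerable(session_user_id, phone):
    """As described: any matching number returns that account's profile,
    no matter who is asking (session_user_id is never checked)."""
    _, rec = find_by_phone(phone)
    return {} if rec is None else {k: rec[k] for k in PROFILE_FIELDS}


def prefill_hardened(session_user_id, phone, client="unknown"):
    """Prefill only from the authenticated caller's own account. A number
    owned by another user gets the same empty response as an unknown number,
    so the form cannot be used to confirm which numbers are registered."""
    owner_id, rec = find_by_phone(phone)
    if rec is None:
        return {}
    if session_user_id is None or owner_id != session_user_id:
        MISMATCHES[client] += 1  # signal for rate limiting and alerting
        return {}
    return {k: rec[k] for k in PROFILE_FIELDS}


if __name__ == "__main__":
    print(prefill_vulnerable(None, "0400000002"))   # another user's profile
    print(prefill_hardened(None, "0400000002"))     # {}
    print(prefill_hardened(2, "0400000002"))        # caller's own profile
```

The mismatch counter gives operations a per-client signal: many different phone numbers tried from one client is the pattern to throttle and alert on.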
Seeking more information about the named group behind the attack, other students took to Reddit’s /r/Hacking to ask about RavenCrew. Looking through the platform, the only information found was a user named /u/ravencrew, whose only written activity is a comment on a post in the Bitcoin forum.
University societies connected to the platform, including the University of New South Wales (UNSW) Law Society, UNSW Engineering Society and Sydney University of Law Society, issued notices on their social pages, informing students about the breach and recommending they contact Qnect for any enquiries.
Posting an update to the Qnect Facebook page yesterday, Lang said the startup was still in touch with the police and reassured customers that their financial information was not compromised.
“Qnect is in touch with the relevant authorities, and we are working with them to ensure your data remains secure,” he said.
“I apologise for any concern this might have caused, but please remember your privacy has been, and continues to be our top priority.”
Image: Ryan Chen & Daniel Lang. Source: Supplied.