As some of you may know by now, BlockFi, a company that allows bitcoiners to use their BTC as collateral for USD loans as well as savings products, suffered a security breach last week that exposed their clients' confidential data. Names, dates of birth, postal addresses, and account activity that includes what addresses they sent their bitcoin to are all now in the hands of a hacker. This situation is not ideal and it highlights the harm that comes with forcing companies to collect an insane amount of personal information due to draconian KYC/AML laws.
The person who hacked BlockFi is now able to personally identify bitcoiners, how much bitcoin they moved into and out of their BlockFi accounts, and WHERE THEY LIVE. The personal safety of the individual BlockFi users who were exposed by this leak is now in question. This hacker has the ability to shop all of this info around on dark net markets to anyone willing to pay for it. Nefarious individuals looking to locate and physically attack these BlockFi users in hopes that they'll cough up their bitcoin can now do so. This is completely unacceptable and wholly unnecessary. It is time to abolish the Bank Secrecy Act because it puts more people in danger than it saves. We've covered this many times in this rag, but it's always infuriating when something like this happens that further proves our point.
With that being said, BlockFi isn't allowed to lay blame on overbearing KYC/AML laws. They made a terrible bush league mistake as a bitcoin custodian by having SMS 2FA as part of their security processes. For years, individuals who own bitcoin or work at bitcoin-focused companies have been getting SIM swapped by hackers looking to gain access to exchange accounts. Any company that is serving as a custodian for any amount of bitcoin, let alone the amount BlockFi holds, should not have SMS 2FA integrated into any part of their operational process, let alone their encrypted back-office system. This is borderline negligence.
It's really shitty that this happened to BlockFi and their customers. Here's to hoping this provides a teachable moment for everyone building custodial products for bitcoiners. KYC/AML does more harm than good and SMS 2FA should be avoided at all costs. Companies should take the least amount of data that is necessary and even fight back against draconian regulations that force them to collect and hold sensitive data, because it is becoming more and more of a liability. They shouldn't be put in a position where they can put their customers in harm's way because they are forced to collect personal data.
All my clothes have been marked with spit up.