Since its creation in 2015, the neobank Revolut has become an increasingly relevant financial alternative for many users. It is in fact one of the fastest-growing British startups (its valuation in 2021 was $33 billion), but that success also makes it a target for cyberattacks. One of those attacks has now succeeded: a cybercriminal has managed to hack Revolut, albeit to a limited extent.
What happened. Last week Revolut users reported receiving a message confirming an intrusion into the company's systems. “An unauthorized third party may have gained access to some of your information for a short period of time,” the message explained. Revolut's team “detected and isolated” the problem and began to contact those affected.
How many people have been affected. According to the message, the hack affected 0.16% of Revolut's customers. The data protection authority in Lithuania, where Revolut has a headquarters, also indicated that the company had confirmed that the number of affected people worldwide was 50,150, while in the European Economic Area that number was 20,687. Only those affected have received an email telling them to change their password: if you are a customer and nothing has arrived, you can rest easy, since the attack did not manage to leak your data.
What data has been stolen. In the hack, the cybercriminal managed to access the full names, postal addresses, telephone numbers and email addresses of those users. He also had access to partial payment card data (the full number is encrypted), as well as account data (but not card data). There has been no access to PINs or passwords, and Revolut assures customers that the money is safe. “The funds were not accessed or stolen. Your money is safe, as always,” the company indicated in the message to affected users.
How the data was stolen. There have been no brute force attacks here. The attacker (or attackers) used phishing, and with social engineering techniques such as malicious links managed to deceive users with an unusual pretext: the users were warned that a cyberattack was taking place at Revolut and told that clicking on a link would cancel their cards. In reality, those users became the victims, and the cybercriminal was able to access data from their Revolut accounts when they clicked on that malicious link.
An attack that puts us on alert again. The case is certainly small compared to other cyberattacks (Uber was hacked in a big way around the same dates), but the alarms go off here again, especially since this is a financial entity that manages our money. Once again, it is worth remembering that we should not trust strange emails, WhatsApp messages or SMS that claim to come from entities of which we are clients. When in doubt, it is better not to do anything, and it is a good idea to call those entities to confirm that they really did try to contact us.