Privacy-focused blockchain platform Aleo suffered a data breach when KYC documents belonging to some users, including selfies and ID card photos, were mistakenly emailed to other users. The incident was reported by a user named Emir Soytürk, who raised concerns about the security of his own information. Another user, Selim C, confirmed the claim, saying that he too had received another person's KYC documents by email. Aleo requires users to complete KYC and Anti-Money Laundering (AML) checks, including screening against the Office of Foreign Assets Control (OFAC) sanctions lists, before they can claim rewards. The platform relies on a third-party KYC service that collects this data from users in unencrypted form during signup.
Aleo, known for its focus on zero-knowledge (ZK) cryptography, aims to bring privacy and security to users of its decentralized blockchain platform. The irony is that a protocol built for programmable privacy ended up relying on a third party to collect unencrypted KYC data, which then leaked. The incident underscores the need for robust storage and proof systems for sensitive data, particularly Personally Identifiable Information (PII): with ZK proofs or fully homomorphic encryption (FHE), a user could prove eligibility (for example, that they passed a sanctions check) without the platform or its vendor ever holding the raw documents, and documents that are never collected cannot be misdirected. Despite this setback, Aleo is preparing to launch its mainnet in the coming weeks, with an emphasis on bringing privacy to cryptocurrency transactions.