Cyber Incident Victim: Open Exchange Rates
Date: Feb 2020
Location: United States of America
Summary
Open Exchange Rates experienced a data breach when an unauthorized actor exploited a network misconfiguration, gaining prolonged access to systems and potentially extracting customer data. The compromised information included registered names, email addresses, salted and hashed passwords, IP login histories, API keys, and optionally provided details like addresses and website URLs. The incident exposed API credentials used by prominent organizations, creating risks of service misuse and targeted phishing attempts against affected users. The company disabled legacy account passwords and advised API key regeneration as precautionary measures.
Description
Open Exchange Rates, a provider of currency exchange rate API services used by prominent organizations including Etsy, Shopify, Coinbase, and Kickstarter, experienced a data breach that was discovered during an investigation into network performance issues. On March 2, 2020, while troubleshooting service delays caused by a network misconfiguration, the company identified unauthorized access to its systems. Further forensic analysis revealed that the attacker had been inside its network for nearly a month, with initial access dating back to February 9, 2020. The intruder compromised a customer database containing extensive user information, with evidence suggesting data extraction occurred during this period. The breach window extended from February 9 to March 2, 2020, marking one of the longest known durations of unauthorized access in comparable API provider incidents at the time.

The compromised database exposed seven categories of user data: registered names and email addresses, salted and hashed account passwords, registration/login IP addresses, 32-character App IDs serving as API keys, provided personal/business names and addresses, country of residence, and website URLs. In response, Open Exchange Rates immediately disabled all account passwords created before March 2, 2020, requiring users to reset credentials through a dedicated portal. The company urged customers to regenerate App IDs/API keys despite no observed misuse, acknowledging their potential exploitation for unauthorized exchange rate queries. Secondary risks included spear-phishing campaigns leveraging stolen personal details, given the high-profile client base. The incident prompted warnings about credential reuse across platforms but did not involve financial data or unencrypted passwords. Service functionality was restored following credential resets and API key rotations, with no reported disruptions to currency exchange API operations post-containment.
