The decentralized blockchain platform Aleo recently released a statement concerning the exposure of Know Your Customer (KYC) information. The zero-knowledge platform attributed the leak to a copy/paste error in email metadata. In a post on the social media platform X, Aleo stated that the KYC information leak affected about 10 participants from recent Aleo Learn and Earn events.
A Major Oversight by the Aleo Team
The Aleo team reported that it has removed the exposed information, investigated the cause, and informed the affected individuals. The platform had collected unencrypted KYC data through the third-party platform HackerOne. Based on its findings, Aleo has started implementing new long-term technical controls for its KYC verification practices. According to the post on X dated February 25, Aleo, which focuses on ZK cryptography, exposed some users’ personal information.
Zero-knowledge-supported Layer-1 blockchain platforms focus on providing users with enhanced privacy and security. They use zero-knowledge cryptographic techniques to validate transactions without revealing their specific details, thereby preserving privacy.
In accordance with Aleo’s internal policies, users must complete KYC and Anti-Money Laundering (AML) requirements and pass the United States Office of Foreign Assets Control (OFAC) screening to claim a reward on Aleo.
This privacy-centric approach offers users more control over their data by making it difficult for external parties to track or access sensitive information. These platforms aim to enhance privacy in blockchain transactions, making them safer and more private for participants.
Insightful Comments from a Security Expert
Cybersecurity and blockchain research and intelligence expert Adebayo Tiamiyu highlighted concerns about the effectiveness of security protocols when a ZK platform like Aleo links the exposure of KYC information to a copy/paste error in email metadata.
According to Adebayo, this incident underscores a flaw in the handling of personal data on blockchain networks. Adebayo also emphasized the need for stringent data protection, continuous cybersecurity vigilance, and a least-privilege approach, noting that regular audits and strong encryption are vital even on supposedly secure blockchain platforms. Aleo Foundation Executive Director Alex Pruden stated that once the recent errors are corrected, privacy features for crypto transactions in the Aleo ecosystem will be launched in the coming weeks.