Summary
A company that helps crypto and fintech firms verify who you are says it was hacked, and didn’t realize it for roughly a year and a half.
Sumsub, a Europe-based “know your customer” (KYC) identity-verification provider used by major crypto exchanges and financial apps, disclosed that an intruder accessed an internal support environment in July 2024. The company says it only spotted the activity during a security audit in January 2026, raising fresh questions about how long sensitive customer-related systems can sit exposed without triggering alarms.
Sumsub insists the data involved was limited, mostly names, and in some cases email addresses and phone numbers. It says no biometrics, government ID images, or banking information were accessed. Even so, cybersecurity experts warn that a name-plus-contact-info combo is often enough to fuel highly targeted phishing and social-engineering scams, especially in the crypto world.
A long gap between intrusion and discovery
The timeline is the headline. Sumsub says the unauthorized activity dates back to July 2024 but was only identified roughly eighteen months later, during a January 2026 review. In an industry built on trust and compliance, that kind of dwell time is a flashing red light.
Sumsub argues the breach was confined to an internal support-related environment, not the production systems that run real-time identity checks for customers. That distinction matters, but it doesn’t eliminate risk. Support teams often handle customer communications, account context, and troubleshooting records that can contain valuable personal details.
With a real name and a reliable way to reach someone (an email address or a phone number), scammers can convincingly impersonate compliance teams, customer support agents, or account-security staff. Those tactics routinely succeed because they exploit urgency and fear, not technical weaknesses.
A malicious attachment through a third-party support tool
Sumsub says the leading theory is a familiar one: a malicious attachment delivered through a third-party ticketing platform used for customer support. It’s a classic entry point because support staff are expected to open files, respond quickly, and keep cases moving, exactly the conditions attackers love.
The mention of a third-party tool underscores a broader reality for modern tech companies: the attack surface isn't just core servers and customer-facing apps. It's also the surrounding ecosystem (ticketing systems, CRMs, email platforms, and file-sharing tools) that can become the "side door" into sensitive data.
Sumsub says it has no indicators the attacker maintained ongoing access beyond the July 2024 window, suggesting a one-time intrusion rather than a long-term foothold. How much weight that claim can bear depends on how much telemetry from mid-2024 still existed to review in 2026; support tools and SaaS platforms often retain logs for far shorter periods, so "no indicators" can mean "no evidence survived" as easily as "nothing happened." And a brief window can still be enough to copy out data that gets resold or reused for months.
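The attachment-through-a-ticket vector described above is worth showing concretely. The following is an added example, not Sumsub's code and not from any ticketing vendor: a small triage routine a support desk can run on every inbound attachment before an agent opens it. It applies three checks that catch the most common disguises, a blocklist of executable and script extensions (including "double extensions" such as invoice.pdf.exe), a comparison of the declared extension against the file's real leading bytes, and a look inside Office zip containers for a VBA macro project. The file names, the blocklist, and the sample attachments are constructed for the example.

```python
"""Attachment triage for a support-ticket intake queue.

Added example (not Sumsub's or any vendor's code). Sample inputs are
constructed inline; nothing here touches the network.
"""
import io
import zipfile

# Extensions a customer has no legitimate reason to send to support (assumed policy).
BLOCKED_EXTS = {"exe", "dll", "scr", "bat", "cmd", "ps1", "js", "jse", "vbs",
                "vbe", "hta", "lnk", "iso", "img", "msi", "com", "pif", "jar"}

# Expected leading bytes for the document types support actually accepts.
MAGIC = {
    "pdf":  b"%PDF-",
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "docx": b"PK\x03\x04",
    "docm": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
    "xlsm": b"PK\x03\x04",
    "zip":  b"PK\x03\x04",
}


def _extensions(filename):
    """'report.pdf.exe' -> ['pdf', 'exe'] (every suffix, lowercased)."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:] if len(parts) > 1 else []


def _has_vba(data):
    """True if an OOXML zip container carries a VBA project (macro document)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return {'filename', 'verdict': 'allow' | 'quarantine', 'reasons': [...]}."""
    reasons = []
    exts = _extensions(filename)
    last = exts[-1] if exts else ""

    if not exts:
        reasons.append("no extension")
    elif last in BLOCKED_EXTS:
        reasons.append(f"blocked extension .{last}")
        if len(exts) > 1:                      # e.g. invoice.pdf.exe
            reasons.append(f"double extension disguised as .{exts[-2]}")

    # Declared type vs. what the bytes actually say.
    if last in MAGIC and not data.startswith(MAGIC[last]):
        reasons.append(f"content does not match .{last} signature")
    if data.startswith(b"MZ"):                 # Windows PE header, whatever the name
        reasons.append("PE executable header")
    if data.startswith(b"PK\x03\x04") and _has_vba(data):
        reasons.append("VBA macro project present")

    return {"filename": filename,
            "verdict": "quarantine" if reasons else "allow",
            "reasons": reasons}


def triage_ticket(attachments):
    """Classify every attachment on a ticket; return the names to quarantine."""
    return [name for name, blob in attachments.items()
            if classify_attachment(name, blob)["verdict"] == "quarantine"]


def _make_ooxml(with_macro):
    """Construct a minimal OOXML-style zip as sample input (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments for one ticket.
SAMPLES = {
    "invoice.pdf":     b"%PDF-1.7\n%constructed sample\n",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # PE disguised with a .pdf prefix
    "statement.pdf":   b"MZ\x90\x00" + b"\x00" * 60,   # PE bytes under a plain .pdf name
    "form.docx":       _make_ooxml(with_macro=False),
    "form.docm":       _make_ooxml(with_macro=True),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(classify_attachment(name, blob))
    print("quarantine:", triage_ticket(SAMPLES))
```

The magic-byte check is what defeats the renamed-binary trick that an extension blocklist alone misses (statement.pdf above), and the VBA check treats any macro-bearing document as quarantine material regardless of its extension, since a .docm is a legitimate format that is rarely legitimate in a support queue.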
What data was exposed, and what wasn’t
According to Sumsub, the exposed information was primarily names, with a subset of records also containing email addresses and/or phone numbers. The company has not publicly disclosed how many people were affected, leaving customers and end users to wonder whether their information is part of the incident.
Sumsub says higher-risk data was not compromised: no biometric identifiers, no images of identity documents (such as passports or national ID cards), no payment details, and no government ID numbers. For a KYC vendor, that's a critical claim; those are the data types most directly tied to identity theft and financial fraud.
Still, contact data can be the first domino. A scammer who knows your name and can reach you can try to trick you into handing over the rest (passwords, one-time codes, or even copies of documents) by posing as a legitimate compliance or security check.
Crypto and fintech clients in the spotlight
The disclosure is drawing particular attention because Sumsub’s customer list includes well-known crypto and fintech brands, including Bitget, Bitpanda, Bybit, Huobi, and Wirex. These companies rely on KYC vendors to meet anti-money-laundering rules and reduce fraud, requirements that are especially strict in Europe and increasingly scrutinized by U.S. regulators as well.
Even if a breach doesn’t hit a crypto exchange directly, it can still boomerang back onto the platform. Users tend to remember one thing: their data is circulating. That can trigger waves of password resets, support requests, and phishing reports, plus reputational damage that’s hard to quantify.
Sumsub says the incident affected a limited set of customer accounts and that it notified impacted clients directly. But once big brand names enter the conversation, the nuance can get lost, and scammers often take advantage of that confusion.
What users should do right now
Expect phishing attempts that reference “KYC,” “account verification,” or “urgent compliance updates.” If you get an email or text pushing you to click a link, don’t. Go directly to the official app or type the company’s website into your browser yourself.
If someone calls claiming to be from an exchange or a verification provider, hang up and call back using a number listed on the company’s official site, never a number the caller provides. And lock down your accounts: use unique passwords, turn on multi-factor authentication (preferably via an authenticator app), and secure the email account tied to your financial services.
The bigger takeaway is the KYC paradox. Governments and regulators push platforms to collect more identity data to fight fraud and money laundering. But the more that data gets centralized among third-party vendors, the more attractive those vendors become as targets, and the more damage a single lapse can cause across the digital economy.
Key Takeaways
- The intrusion at Sumsub reportedly dates back to July 2024 and was only detected in January 2026.
- The potentially exposed data mainly includes names, email addresses, and phone numbers.
- Sumsub says that no biometrics, identity documents, or banking data were compromised.
- The incident reportedly involved an attack vector through a third-party support tool and a malicious attachment.
- Users should expect phishing attempts and strengthen their account access.
Frequently Asked Questions
What data was exposed in the Sumsub incident?
Sumsub says the data known to have been exposed is mainly names. A subset of records may also include email addresses or phone numbers, sometimes combined. The company says biometric data, identity documents, and banking information were not accessed.
Why is it a problem that a 2024 incident was discovered in 2026?
A long delay between an intrusion and its detection increases the risk that data is spread and exploited, and it makes it harder to reconstruct what happened. Even if the activity was limited in time, the lack of immediate detection raises questions about visibility and monitoring of peripheral environments, especially support.
Are users of crypto platforms automatically affected?
No. The scope is described as limited, and Sumsub says it notified the affected customers. The fact that some crypto platforms use Sumsub does not mean all of their users were impacted, but it does increase fraudsters’ interest in targeted campaigns.
What should I do if I receive an email or call mentioning “KYC” after this announcement?
Avoid clicking links or opening attachments, and verify directly through the app or the official website by typing the address manually. If it’s a call, hang up and call back using an official number. Strengthening email security, enabling strong authentication, and using unique passwords reduces risk.