14 DAY TRIAL // Canadian Virtual Exchange (Cavirtex) service decided to cease activity starting on March 20, 2015, following an internal investigation which concluded that an older version of the database may have been accessed without authorization.
The service is not entirely sure that the sensitive information available on its infrastructure has been compromised, but even so, it recognized its inability to guarantee the confidentiality of its users’ account credentials.
Customers urged to change log-in passwords
In an official statement on Tuesday, Cavirtex said that the potentially compromised database included two-factor authentication (2FA) secrets and hashed passwords; identification documents were not stored in the same place, otherwise the impact on customers would have been significantly bigger.
“We believe that the damage to the company's reputation caused by the potential compromise will significantly harm our ability to continue to operate successfully,” the official statement informs.
The incident was discovered on Sunday, but it is unclear when it actually occurred. The company urges all its customers to log into their accounts and change their passwords, as well as remove the Cavirtex cookies in the web browser.
On the bright side of things, Cavirtex says that it is solvent and that none of the customer funds it managed were ever lost; as such, clients should have no reason to worry that they wouldn’t receive all their money.
Refund requests received by March 25 will be honored without exception, the service says, while all transactions are to be stopped on March 20.
Service warns of potential malicious activity
In another communication on Thursday, Cavirtex announced that limitations from the payment provider prevent it from daily processing of direct deposits larger than $150,000 / €132,000, and that withdrawals may “take at least 5 days longer than usual.”
In the process, the service wants to make sure that the money reaches its rightful owner and advises customers to inform if they receive email confirmations for transactions they did not initiate.
The reason for this is that cybercriminals that caught news of the event may attempt to take advantage of the situation and target Cavirtex clients in phishing attacks.