Ciphr blames rival company for partial data dump of its users

Users’ email addresses and IMEI numbers at risk.

Ciphr says rival company responsible for partial data dump

Ciphr, a company which offers encrypted communications for BlackBerry 10 and Samsung Knox smartphones, claims that a rival firm are behind a data dump of its customers' email addresses and their device's IMEI numbers.

A website displaying the alleged leaked data claims that "all Ciphr emails/servers have been compromised."

Two sources that use Ciphr on their phones told Motherboard the leak includes their information as well as the data of other users. Specifically, the website lists users' email addresses and IMEI numbers, data which law enforcement can leverage to expose a user.

As the site explains:

"Police can retrieve the IMEI/MEID of an associated Ciphr email [...] Using the IMEI/MEID police can triangulate the location of the device via cellular network towers [...] Using this information it is possible to geolocate the device's exact location and history."

Ciphr

Ciphr is a privacy platform designed for mobile communications on Blackberry 10 and Samsung Knox devices. It provides users with tools like PGP email, encrypted text, and secure storage. All communications on a user's device get routed through Ciphr's servers.

Anyone who uses Ciphr is clearly interested in safeguarding their privacy, which is why the company is trying to reassure users that their data is safe. In a message provided to Motherboard from one of its sources, the privacy platform says the data dump was not the result of a data breach. Instead Ciphr blames a rival company for the incident:

"Our rapid growth has caught the attention of competitors seeking to slow us down by way of slander, blocking and DDOS [distributed denial of service attacks].... We were shocked that any company in this industry would release information to the public under any circumstance."

Ciphr's management explains in a blog post that a rogue reseller who was granted access to its sales systems gave the information to SkySecure, which makes custom Blackberry devices. The company goes on to note that most of the information included in the data dump was already expired. But it does say a few active users' email addresses and IMEI numbers were included in the leak.

We have now read all the messages about a so-called Ciphrhack. The only thing that affecting us at this time is bad publicity for our company. We guarantee that this again is a dirty game of Skysecure. instead of improving their own system, Skysecure is busy trying to disrupt the expansion of growing companies.

WE GUARANTEE THAT YOUR SAFETY IS ABSOLUTELY NOT IN DANGER.

This information was retrieved by a rogue reseller who was granted access to our sales systems and he gave this information to Skysecure. As a result email addresses, and imei are visible. Most of them have already expired and the majority of our customers base doesn’t even show up.

SkySecure has denied playing any part in the data dump.

Ciphr conducted an audit of its apps, server, and sales portal following the data dump and intends to publish the results soon. This report will no doubt provide some further insight into what happened. When it does, hopefully it will advance an already competitive mobile encryption market towards what should be the ultimate goal: helping users better protect their privacy.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , ,

2 Responses

  1. graphicequaliser

    May 3, 2017 at 4:12 pm #

    Ultimately, CIPHR are not secure. If they invoke untrustworthy 3 third parties to access their systems for whatever reason, they are no longer secure, IMO. If they had kept EVERYTHING in-house, then they would not have been breached, even under a DDOS attack (which slows their servers down, but does not reveal information to hackers).

  2. David L

    May 4, 2017 at 5:50 am #

    I agree, have to call Bull hockey on this spurious accusations against another competitor. Where is the police report? Personally, I think the best security and privacy, along with generous deals for the free accounts, and paid ones too, is Proton Mail. The allowances for numbers of sent and received, plus generous size for attachments, and security with strict privacy policies makes them an outstanding choice.
    https://protonmail.com/

    Swiss Privacy

    Data Security and Neutrality

    ProtonMail is incorporated in Switzerland and all our servers are located in Switzerland. This means all user data is protected by strict Swiss privacy laws.

    End-to-End Encryption

    Automatic Email Security

    All emails are secured automatically with end-to-end encryption. This means even we cannot decrypt and read your emails. As a result, your encrypted emails cannot be shared with third parties.

    And there is much more, so have a look if you really care about the things mentioned above.

Leave a Reply