Skip to content
Data breachContained

Data leak at Sumsub

In February 2026, identity-verification (KYC) provider Sumsub disclosed a 2024 breach — undetected for ~18 months — in which an attacker reached a customer-support environment and exposed the names, email addresses and phone numbers of clients of crypto and fintech platforms it serves.

Victim
Sumsub

On 9 February 2026, Sumsub — one of the leading online identity-verification (KYC/AML) providers, used by major crypto and fintech platforms — disclosed a data breach that had gone undetected for roughly 18 months. The intrusion is traced back to July 2024 and was only identified in January 2026 during an internal security review.

According to the company, the attacker gained access to an internal customer-support environment after a malicious attachment was delivered through a third-party support-ticketing platform. Sumsub states that the compromise was limited to this support environment and did not reach its production systems or core verification pipeline, and that it found no evidence the attacker retained access beyond the July 2024 window.

The exposed records related to clients of platforms that rely on Sumsub for onboarding — names cited in coverage include Bitget, Bybit, MoonPay, Bitpanda, Wirex, BingX, MEXC and Coinlist. The data exposed was contact-level rather than identity-document data:

  • First and last name
  • Email address
  • Phone number

Sumsub maintains that no identity documents, biometric data or banking information were leaked. The total number of affected individuals has not been publicly quantified. Because the exposed combination of name plus contact details is well suited to targeted phishing, SIM-swap and social-engineering attacks against crypto users, security researchers have flagged elevated downstream risk for those affected. Sumsub says the underlying access has been closed and the support platform secured.

Sources

  1. cryptoast.frhttps://cryptoast.fr/bitget-bybit-moonpay-bitpanda-donnees-personnelles-clients-pourraient-avoir-fuite-a-cause-fournisseur-kyc/
  2. europe-infos.frhttps://www.europe-infos.fr/english/8326/identity-check-vendor-sumsub-says-hack-went-undetected-for-18-months-exposing-french-users-contact-data/
  3. privacyguides.orghttps://www.privacyguides.org/news/2026/02/13/data-breach-roundup-feb-6-feb-12-2026/
  4. lebot-avocat.comhttps://lebot-avocat.com/en/sumsub-data-breach-cyberattack-exposes-kyc-chain-risks/

Related incidents