Our Business Account at Mercury Bank Was Hacked

Lessons from a Data Breach

On October 17, 2024, Hawcx encountered an unexpected security incident: our Mercury Bank business account was breached, resulting in multiple unauthorized transactions. Despite implementing recommended security protocols, including complex passwords and multi-factor authentication (MFA), we faced a breach that shed light on the limitations of these traditional measures.


The Security Measures in Place

As a security-focused company, we believed we had taken the right precautions. We employed long, complex passwords and enabled MFA on all accounts, and we trusted that Mercury Bank’s safeguards, designed for early-stage companies, would add an extra layer of security. But the notifications of unauthorized transactions made it clear: this approach was not enough.

Uncovering the Breach

During our investigation, we reviewed login timestamps on the Mercury app and found discrepancies pointing to unauthorized access. Our legitimate logins stopped on October 16, but the suspicious activity began the following day. This timeline raised concerns about a compromise in our authentication data.

We also recalled Mercury Bank’s earlier announcement of a cyberattack involving the LockBit ransomware group in June 2024, which was updated in July. This announcement led us to consider that sensitive data, including password hashes and MFA secrets, might have been compromised months earlier, giving attackers ample time to crack encrypted credentials and exploit any vulnerabilities.

Exploring the Possible Scenarios

  • User Authentication Data Compromise: If password hashes, salts, and MFA shared secrets were exposed during Mercury’s data breach, attackers could have had months to brute-force the password hashes. With a cloned copy of the MFA shared secret, they could also generate valid OTP codes and bypass MFA without any further verification. Using this unauthorized access, they created virtual debit cards and initiated fraudulent transactions.


  • Full Database Compromise: Alternatively, the breach may have compromised Mercury’s entire database, including user authentication and financial data. With backend IAM policies potentially compromised, attackers could have created virtual debit cards linked to our account without needing direct login credentials, bypassing traditional user authentication entirely.
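The first scenario above turns on a property of TOTP that is easy to overlook: the server must keep the same raw seed the authenticator app holds, so a database dump that includes the seed is equivalent to a copy of the authenticator. The following is an added example, not Hawcx's or Mercury's code, implementing RFC 4226/6238 code generation and server-side verification in Python against the RFC reference seed; the base32 helper and the one-step verification window are assumptions of this example, not anything the article describes.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 TOTP: the server and the authenticator app both hold the same
# raw seed. Whoever obtains the seed (for example from a database dump)
# can compute every future code exactly as the legitimate app does.

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)

def verify_totp(seed: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check with +/- `window` steps of clock tolerance.
    It needs the raw seed, not a hash of it: unlike a password, the seed
    cannot be stored salted-and-hashed, which is why a leak of it is fatal."""
    for skew in range(-window, window + 1):
        candidate = totp(seed, unix_time + skew * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False

def seed_from_base32(b32: str) -> bytes:
    """Enrollment QR codes carry the seed base32-encoded (assumed helper)."""
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))

# RFC 6238 Appendix B reference seed (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    # Two parties holding the same seed produce the same code: a cloned
    # seed is indistinguishable from the legitimate authenticator.
    print(totp(RFC_SEED, 59, digits=8))                 # RFC vector: 94287082
    print(verify_totp(RFC_SEED, totp(RFC_SEED, 59), 59))  # True
```

The operational consequence for a service holding TOTP seeds is that the seed column must be protected as a plaintext credential (encrypted at rest with a key the database cannot read, or held in an HSM), and a leak of it requires re-enrolling every user's MFA rather than only forcing password resets.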


Despite our freezing all of our accounts and reporting the issue, the attacker is still attempting fraudulent transactions.

Reflections on Security Gaps

This experience has highlighted the growing inadequacy of password-based security and traditional MFA in today’s cyber landscape. The hacker’s ability to create and use virtual debit cards for unauthorized transactions emphasized that even the best-known security practices can fall short. While long passwords and MFA remain recommended practices, they don’t always provide the resilience needed against sophisticated attacks.

The Path Forward: Public-Private Key Authentication

This incident reaffirms our mission at Hawcx to make public-private key authentication more accessible. Unlike password-based systems, this approach uses dynamically generated private keys that aren’t stored, reducing exposure and vulnerability to breaches. Our goal is to bring this advanced security to everyone, ensuring that robust protection goes beyond early adopters and is available to all users.

Closing Thoughts

Our experience with this breach has been both a challenge and a reminder of the need for security innovation. We are sharing our story to highlight the importance of rethinking how we approach digital safety. As more businesses face advanced threats, it’s time to consider moving beyond traditional passwords and MFA toward more secure and future-proof methods.

As we push forward, we hope others in the industry will join us in this journey toward a more secure, passwordless future.


Cecilia W.

Deputy GC @ Emerald (NYSE: EEX) | Co-Founder of TalkingTree.app | ex-Meta

3 weeks

Oh no! Hope everything is recoverable and thanks for sharing. We did a diligence review when deciding between banks and ultimately chose Brex.

Arun Mohan

Founder & Managing Director @Adfolks | 2x Successful Exits | Developer Evangelist | Cloud-Native Entrepreneur & Investor

3 weeks

Thanks for sharing, Riya. This is a critical reminder for businesses to prioritize cybersecurity. Hoping for a swift resolution on this.
