Firm Files Lawsuit Against Uphold HQ Inc Over Faulty Two-Factor Authentication

On February 25, 2022, Kronenberger Rosenfeld attorneys Karl Kronenberger and Kate Hollist filed a putative class action lawsuit against Uphold HQ, Inc., the company that runs the Uphold.com cryptocurrency exchange. The Complaint, which is available HERE, details the experiences of several individuals whose accounts were accessed and depleted by unauthorized third-party users.

Among other things, the Complaint alleges that Uphold used inadequate multi-factor authentication (“MFA”), which allowed unauthorized users to remove and change two-factor authentication devices that users had installed via an automated process. Whereas most cryptocurrency exchanges adopt the normal industry practice of requiring robust identity proofing before a user can change their MFA device, the Complaint explains how Uphold’s procedure empowered bad actors to make changes to these crucial account protections without any of the usual safeguards commonly used in the industry, such as identity proofing.

As a result, the Complaint alleges, unauthorized users were able to bypass accountholders’ MFA devices, gain access to their Uphold accounts, and then empty the accounts of their cryptocurrencies. To date, Uphold has not disclosed or even publicly acknowledged this major vulnerability in its systems, leaving its users unwittingly exposed to this risk. As a result, cybercriminals continue to utilize this exploit to rob Uphold users of their funds. When they succeed, Uphold offers its accountholders little recourse. In some cases, it leaves their remaining funds locked indefinitely while it conducts an endless investigation. But even in instances where Uphold has successfully restored access and functionality to its accountholders, it refuses to refund the money that was stolen from them.

“What makes this situation particularly tragic for Uphold’s genuine users is that Uphold has been receiving reports like this for months,” Hollist noted. “Users who had their accounts robbed in 2022 are going online to find forums filled with others who had this happen to them in summer of 2021. It’s incredibly frustrating because it feels like these recent losses could have been avoided if Uphold had taken action to address them last summer.”

The class action seeks recovery on behalf of all victims whose accounts were robbed following an MFA failure. However, the case is still in its early exploratory stages. If you have personal experience with having cryptocurrency stolen from your Uphold account and would like to join in the class action, please contact our litigation team here.