
Kaleido ICO Whitelist Leak Exposes 38,000 KYC Records, Sale Postponed

An internal misconfiguration at the KYC vendor exposed names, addresses, and passport numbers of approved investors. The sale has been delayed three weeks pending remediation.

Nadia Levin, Contributing Writer · @nlevin
Mar 16, 2026, 12:00 PM UTC
5m read

Kaleido, a privacy-focused layer-2 project whose token sale had been scheduled for Monday, postponed the launch by three weeks on Saturday after a leak exposed the KYC records of all 38,000 investors who had been approved for the sale's whitelist. The records — which included full names, residential addresses, and passport numbers — were left exposed in a misconfigured cloud storage bucket operated by Kaleido's KYC vendor.

The discovery

The misconfiguration was discovered by a security researcher who goes by the handle 0xLighthouse, who posted a sanitized summary of the issue to X at 02:14 UTC on Saturday morning. Within an hour, the exposed data had been independently confirmed by three other researchers. The vendor, which Kaleido has not publicly named pending its own legal review, secured the bucket within four hours of the initial disclosure.

"The data was available to anyone who knew the URL structure, and the URL structure was guessable." — 0xLighthouse, in the disclosure post

The irony

The project's stated mission — privacy-preserving infrastructure for the next generation of on-chain applications — sits uncomfortably against the fact that its approved investors' identity documents were available to any motivated actor with basic reconnaissance skills. Several of the project's most vocal supporters have requested removal from the whitelist and return of their pre-subscription deposits.

The remediation plan

Kaleido's published remediation plan includes:

  • Termination of the current KYC vendor, effective immediately
  • Onboarding of a replacement vendor with external SOC 2 Type II attestation
  • Offering to cover identity monitoring services for all 38,000 affected investors for three years
  • Independent third-party review of all data handling practices
  • A fourteen-day extension of the sale's postponement, with optional opt-out refunds

The plan has been generally well-received, though the depth of the response to a non-technical operational failure — the underlying issue is simply a misconfigured S3 bucket — will not recover the confidence of affected investors who now have their passport numbers circulating in underground forums.
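One defender-side check for the root cause described above, added here as an illustrative example rather than anything Kaleido or its vendor published: it evaluates a bucket's public access block, ACL grants and bucket policy in the shapes the boto3 calls get_public_access_block, get_bucket_acl and get_bucket_policy return, over constructed sample configurations (the bucket names, account ID and role ARN are placeholders).

```python
import json
# ACL group URIs that expose objects to everyone (AllUsers) or to any AWS account (AuthenticatedUsers).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def policy_has_wildcard_principal(policy_json):
    """True if any Allow statement names Principal "*" (string, {"AWS": "*"} or list form)."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        values = [principal] if isinstance(principal, str) else [
            v for vs in (principal or {}).values() for v in (vs if isinstance(vs, list) else [vs])]
        if stmt.get("Effect") == "Allow" and "*" in values:
            return True
    return False


def audit_bucket(name, public_access_block, grants, policy_json):
    """Return findings for one bucket. Arguments mirror boto3 fields: PublicAccessBlockConfiguration
    (None if unset), get_bucket_acl()['Grants'], and get_bucket_policy()['Policy'] (None if unset)."""
    pab = public_access_block or {}
    findings = []
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:  # all four flags must be on for the bucket-level guard to fully apply
        findings.append(f"{name}: public access block incomplete, missing {missing}")
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            findings.append(f"{name}: ACL grants {grant.get('Permission')} to {grantee['URI'].rsplit('/', 1)[-1]}")
    if policy_has_wildcard_principal(policy_json):
        findings.append(f"{name}: bucket policy allows a wildcard principal")
    return findings


# Constructed sample configurations (not real buckets): one exposed the way the
# incident above describes, one locked down the way a KYC document store should be.
SAMPLE_BUCKETS = {
    "kyc-docs-exposed": {"pab": None, "policy": None, "grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "kyc-docs-locked": {"pab": dict.fromkeys(PAB_FLAGS, True), "grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-example"}, "Permission": "FULL_CONTROL"}],
        "policy": json.dumps({"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-reviewer-example"},
            "Resource": "arn:aws:s3:::kyc-docs-locked/*"}]})},
}


def audit_all(buckets=SAMPLE_BUCKETS):
    """Map bucket name -> findings; an empty list means no public exposure was detected."""
    return {n: audit_bucket(n, b["pab"], b["grants"], b["policy"]) for n, b in buckets.items()}
```

In a real account the same three calls would be issued per bucket via boto3, and a non-empty findings list for any bucket holding identity documents is an incident, not a warning.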

The regulatory exposure

Under GDPR, the incident qualifies as a reportable breach, and Kaleido's KYC vendor is understood to have filed the required notifications with relevant European data protection authorities. Penalties under GDPR can reach 4% of global annual revenue. For a pre-launch token project, the ceiling on penalties is less the concern than the signal to future investors about the seriousness of the project's operational execution.

The rescheduled sale will now open April 6. Whether the investor base that had been assembled can be rebuilt in three weeks — in a market with many alternative allocations — is the most immediate commercial question Kaleido now faces.
