Crypto exchange foul-up exposes thousands of customer email addresses

Popular crypto exchange BitMEX is in the hot seat after a mass email sent to users inadvertently exposed thousands of customer email addresses.

Early Friday morning, reports of the leak began to surface on social media. Twitter user @sakuraricebird shared redacted screenshots of the email that show the email addresses of numerous BitMEX customers.

Numerous users on Reddit reported receiving the same email. User u/ncens reportedly received two separate emails from BitMEX, each one containing approximately 1,000 customer email addresses.

“I got two emails of 1000 different addresses each. I’d assume this does not affect just a thousand people, but a hell lot more in multiples of thousands,” he said.

“Hope someone’s getting canned for this. Grossly irresponsible.”

BitMEX acknowledges accidental doxxing

In an announcement published just before 8:00 am UTC, BitMEX confirmed the leak:

“We are aware that some of our users have received a general user update email earlier today, which contained the email addresses of other users,” the exchange said.

“Our team have acted immediately to contain the issue and we are taking steps to understand the extent of the impact. Rest assured that we are doing everything we can to identify the root cause of the fault and we will be in touch with any users affected by the issue.”

BitMEX’s breach of customer privacy appears to have been the result of simple user error.

When the mass email was being set up, instead of putting its customers’ email addresses in the BCC (blind carbon copy) field, which would have hidden them from the recipients’ view, BitMEX accidentally put them in the To field, leaving them exposed for all to see.
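The To-field mistake described above can be caught mechanically before anything is sent. The sketch below is an added example, not BitMEX's code or tooling: it goes one step beyond the BCC fix by building one message per customer and running a pre-send check on the visible headers. The sender, the customer list, and all function names are constructed for illustration, and the actual SMTP send is left out.

```python
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "updates@exchange.example"  # constructed placeholder sender
# Constructed sample list; no real customer addresses.
CUSTOMERS = [f"user{i}@customer.example" for i in range(200)]

def visible_recipients(msg):
    """Addresses any recipient can read in the delivered headers (To, Cc)."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers) if addr]

def build_exposed(recipients, subject, body):
    """The failure mode: one message with the whole batch in To."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = SENDER, subject
    msg["To"] = ", ".join(recipients)
    msg.set_content(body)
    return msg

def build_individual(recipients, subject, body):
    """One message per customer; returns (envelope_recipient, message) pairs."""
    batch = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"], msg["Subject"], msg["To"] = SENDER, subject, rcpt
        msg.set_content(body)
        batch.append((rcpt, msg))
    return batch

def exposure_gate(envelope_rcpt, msg):
    """Pre-send check: reject mail whose headers show anyone but its recipient."""
    others = [a for a in visible_recipients(msg)
              if a.lower() != envelope_rcpt.lower()]
    if others:
        raise ValueError(f"{len(others)} other addresses visible to {envelope_rcpt}")
    return True

if __name__ == "__main__":
    bad = build_exposed(CUSTOMERS, "User update", "Hello")
    try:
        exposure_gate(CUSTOMERS[0], bad)
    except ValueError as err:
        print("blocked:", err)
    good = build_individual(CUSTOMERS, "User update", "Hello")
    print(all(exposure_gate(r, m) for r, m in good), "for", len(good), "messages")
```

Running the gate inside the send loop, so that a failed check aborts the whole batch, turns a field mix-up into a blocked job instead of a disclosure.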

BitMEX woes just getting started

As if accidentally leaking thousands of customers’ email addresses wasn’t bad enough, BitMEX’s day has since gotten a whole lot worse.

Shortly after news of the email leak broke, the exchange’s official Twitter account appeared to have been briefly compromised.

A series of tweets advised users that the exchange had been hacked and that they should “take [their] BTC and run,” implying that withdrawals were soon to be disabled.

Though both tweets were deleted immediately, they have been archived online.

There have been reports that the account was compromised by a BitMEX employee who was fired over the email incident; however, the exchange has not confirmed this.

But wait…it gets worse!

Since the email leak, both a Twitter account and a Telegram channel have surfaced that are publicly leaking the email addresses – and in some cases, additional information as well.

@Bitmexdatabase1 claims to have access to the information of hundreds of thousands of BitMEX customers – including some big names in the crypto space – and has been releasing them one at a time.

A Telegram channel named Bitmex Hack Group is making similar claims.

Users in the channel have been releasing email addresses and other customer data – including, in some cases, usernames and passwords – for the past several hours.

The email addresses have also reportedly surfaced on Pastebin, and a 30,000-email dump is already for sale on the darknet.

Despite all of today’s events, however, BitMEX wants to reassure its users that their funds are safe and that “the privacy of our users is a top priority and we are very sorry for the concern this has caused to our users.”
