BitMEX, one of the largest crypto derivative trading platforms in the world, has leaked the email addresses of thousands of its users. According to reports, the addresses were exposed in an email update sent to users in which the exchange listed recipients with carbon copy (CC) instead of blind carbon copy (BCC).
BitMEX doxxes clients “in the most outrageously incompetent way imaginable”
While revealing private information is most often the result of malicious attacks, one of the largest crypto derivative trading platforms in the world proved that leaks can also come from the inside. BitMEX, a crypto exchange that offers 100x leverage trading, accidentally revealed the email addresses of thousands of its users by putting them in the wrong recipient field.
On Nov. 1, the exchange sent out a routine update about changes to the indices on its products, and that email exposed the addresses of thousands of its users. Numerous reports quickly began circulating on Twitter, with BitMEX users saying they could clearly see everybody else on BitMEX’s mailing list.
Lawyer Jake Chervinsky shared screengrabs of the email with the addresses blurred out, saying BitMEX doxxed its users “in the most outrageously incompetent way imaginable.”
The exchange quickly issued an apology, saying that its team has reacted “immediately” to contain the issue.
“The privacy of our users is a top priority and we are very sorry for the concern this has caused to our users,” the company said in a blog post.
Human error has the potential to threaten the security of thousands of BitMEX users
However, few seemed reassured by BitMEX’s apology, with many users saying that the exchange’s whole email database was vulnerable. BitMEX’s mailing list seemed to be divided into multiple groups, which means most users received only a portion of the addresses on the list.
This, as many pointed out, was not the result of a software bug or a malicious attack, but of human error. Whoever was responsible for sending out the update put the addresses in carbon copy (CC) instead of blind carbon copy (BCC). This meant that all of the addresses were visible to everyone who received the email.
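As an added example (not BitMEX's own tooling), a small Python mailer that builds a bulk notice the way it should have been built, with every customer in Bcc, and refuses to send any message whose To/Cc headers would expose another customer. Sender, recipients and SMTP host are constructed placeholders.

```python
"""Preventive and detective guard against the CC-instead-of-BCC mistake.

Assumptions: addresses and SMTP host below are placeholders, not real data.
"""
import smtplib
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Every address a receiving user would see in the To and Cc headers."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(raw) if addr]


def exposed_addresses(msg: EmailMessage) -> list[str]:
    """Visible addresses other than the sender's own, i.e. leaked customers."""
    sender = parseaddr(msg.get("From", ""))[1]
    return [a for a in visible_recipients(msg) if a != sender]


def assert_no_exposure(msg: EmailMessage) -> None:
    """Gate to run right before the wire: block any bulk message that leaks."""
    leaked = exposed_addresses(msg)
    if leaked:
        raise ValueError(f"refusing to send: {len(leaked)} customer addresses in To/Cc")


def naive_cc_notice(sender: str, recipients: list[str]) -> EmailMessage:
    """The mistake described above: customers listed in Cc (constructed, for contrast)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = "Index update"
    msg.set_content("Routine index change notice.")
    return msg


def build_bulk_notice(sender: str, recipients: list[str], body: str) -> EmailMessage:
    """Correct form: only the sender is visible; customers go in Bcc.

    smtplib's send_message() removes the Bcc header before transmission and
    uses it only for the SMTP envelope, so no recipient sees the others.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the list owner, never a customer
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = "Index update"
    msg.set_content(body)
    assert_no_exposure(msg)
    return msg


def send_notice(msg: EmailMessage, host: str = "smtp.example.invalid") -> None:
    assert_no_exposure(msg)  # second gate, independent of how msg was built
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg)
```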
And while this might seem like nothing more than a mishap, email addresses are considered to be sensitive information, which is why many argued that the security of BitMEX users was seriously jeopardized.
Kevin McSheehan, the CEO of security assessment company Envadr, said that the leaked email addresses could be cross-referenced with other public breaches and matched with passwords those users reuse across services. This would let attackers try to break into users’ exchange accounts, he said in a tweet.
Other cryptocurrency exchanges took this security breach seriously, too.
OKEx advised affected users who have an OKEx account with the same login email as they did on BitMEX to change it.
Binance also told its users to change their login information to avoid further damage. Changpeng Zhao, the exchange’s CEO, took to Twitter to call on users to always use a unique email address and unique password for each exchange.
Twitter user TheMask identified around 200 potential cleartext passwords for the leaked addresses by checking them against plain-text password databases.
TheMask said that he would email all of the users whose passwords he was able to identify and warn them about the breach.
Larry Cermak, the director of research at TheBlock, said that he had access to about 3,000 email addresses, but noted that 30,000 of them could have been compromised by the leak. In a lengthy Twitter thread, Cermak said that BitMEX’s policy for changing email addresses was seriously flawed, as the exchange requires users to complete an ID verification in order to change their login information.
It also appears that BitMEX itself experienced issues, as the exchange’s official Twitter handle appeared to have been hacked.
“Take your BTC and run. Last day for withdrawals,” the exchange said in a now-deleted Tweet, after which it disabled withdrawals.
Cermak tweeted an image of the notification he reportedly got when attempting to withdraw funds from his BitMEX account. Many users noted that this was extremely suspicious and that the exchange might not have revealed the real scope of the leak.