There is a lot of anger on “crypto Twitter” today following news that BitMEX, a cryptocurrency exchange known for allowing 100x leveraged cryptocurrency trades on its platform, has exposed the email addresses of “many” of its customers.
The error occurred when the company sent out a mass “general user update email” but failed to “blind CC” the email addresses of numerous recipients.
BitMEX says in a blog post (November 1st) that the incident resulted from a “software error”:
“Earlier today, some of our users received an email which contained the email addresses of other users in the ‘to’ field. We apologise for the concern this communication may have caused. This was the result of a software error which has now been addressed.”
BitMEX says no other user data was exposed in the breach:
“BitMEX takes the privacy and security of our users very seriously. Rest assured that in this instance, beyond email addresses, no other personal data or account information have been disclosed and no further emails have been sent. The error which has caused this has been identified and fixed, ensuring our usual high standards of privacy are upheld.”
The company also promises to implement “additional features” to assure the problem is not repeated.
BitMEX offers, “immediate guidance…to assure the safety of your account,” including adding the proper BitMEX support email addresses to one’s email contact list; refraining from indulging any apparent requests from BitMEX to transfer funds (“BitMEX will never ask you to transfer funds. The only way to fund your BitMEX account is to send bitcoin to your unique BitMEX deposit address…begin(ning) with ‘3BMEX’ or ‘3BitMEX'”); and the use of strong passwords and two-factor authentication.
The breach is very serious for a number of reasons.
First, any nefarious actor who may have received the problem email now has a list of known cryptocurrency traders that he or she can exploit, sell or distribute to hackers on the Dark Net or elsewhere.
Affected parties could start receiving “phishing” emails impersonating BitMEX, other crypto exchanges, wallet services or other entities.
These emails could contain malware-bearing links designed to infect cryptocurrency wallets present on an individual’s computer or simply shut down the entire computer.
Crypto-stealing malware has been known to re-route transfers of cryptocurrencies to software wallets controlled by hackers.
BitMEX advises that affected persons be careful about assuring the authenticity of any apparent communiqués from crypto businesses.
The exposed email addresses could also help hackers execute a SIM-swap attack and take over a BitMEX user’s cellphone in order use those phone to access financial and other accounts.
A BitMEX hack group has apparently already emerged on Telegram…
There is a Bitmex hack group on telegram already. They claim be cracking emails, have 113 bitcoin already and laughing at people who have profiles on dating sites with same email they have for exchanges pic.twitter.com/Nf9L0FILcj
— Ameero (@ameero1) November 1, 2019
Another Twitter user is claiming to have located 229 passwords corresponding to exposed BitMEX user emails.
As well, an individual or individuals behind a Twitter account called, “Bitmexdatabaseleak” claims to now be in possession of more than 400 000 emails of BitMEX customers exposed in the email leak.
The account names several high-profile crypto personages and taunts them about whether or not they paid taxes on their crypto gains: