There is a lot of anger on “crypto Twitter” today following news that BitMEX, a cryptocurrency exchange known for allowing 100x leveraged cryptocurrency trades on its platform, has exposed the email addresses of “many” of its customers.
The error occurred when the company sent out a mass “general user update email” but failed to “blind CC” the email addresses of numerous recipients.
The company says the incident is the result of a “software error.” According to a statement from the BitMEX blog (November 1st):
“Earlier today, some of our users received an email which contained the email addresses of other users in the ‘to’ field. We apologise for the concern this communication may have caused. This was the result of a software error which has now been addressed.”
BitMEX says no other user data was exposed in the breach.
“BitMEX takes the privacy and security of our users very seriously. Rest assured that in this instance, beyond email addresses, no other personal data or account information have been disclosed and no further emails have been sent. The error which has caused this has been identified and fixed, ensuring our usual high standards of privacy are upheld.”
The company also promises to implement “additional features” to assure the problem is not repeated.
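The failure described above is a classic one: a bulk notification built with every customer address in the visible "To" header instead of in Bcc. The following is an added example, not BitMEX's own code, showing the flawed construction beside the hardened one and an outbound gate that refuses a message whose visible recipient headers expose more than one address. The sender and customer addresses are constructed placeholders, and the function names are this example's own.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data; not a real sender or any exchange's customer list.
SENDER = "notifications@exchange.example"
CUSTOMERS = ["alice@example.test", "bob@example.test", "carol@example.test"]


def _base_message(subject, body):
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_flawed_update(recipients):
    """The failure mode in the article: every customer address is placed in the
    visible 'To' header, so each recipient can read all the others."""
    msg = _base_message("General user update", "Please review the attached notice.")
    msg["To"] = ", ".join(recipients)
    return msg


def build_bcc_update(recipients):
    """Hardened form: the visible 'To' is the sender's own address and the
    customer list travels only in Bcc, which other recipients never see."""
    msg = _base_message("General user update", "Please review the attached notice.")
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will be able to read: To and Cc, not Bcc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs if addr]


def check_no_disclosure(msg, max_visible=1):
    """Outbound gate for bulk mail: refuse any message whose visible recipient
    headers expose more than `max_visible` addresses. Returns (ok, visible)."""
    visible = visible_recipients(msg)
    return len(visible) <= max_visible, visible


def envelope_recipients(msg):
    """Everyone the SMTP envelope must deliver to, Bcc included."""
    pairs = getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    )
    return [addr for _, addr in pairs if addr]


def wire_message(msg):
    """Copy of the message as it should leave the server: Bcc header stripped, so
    the envelope carries the list but the headers do not. smtplib.send_message
    strips Bcc itself; doing it explicitly makes the step checkable."""
    out = copy.deepcopy(msg)
    del out["Bcc"]
    return out


if __name__ == "__main__":
    for label, msg in (("flawed", build_flawed_update(CUSTOMERS)),
                       ("bcc", build_bcc_update(CUSTOMERS))):
        ok, visible = check_no_disclosure(msg)
        print(f"{label}: {'send' if ok else 'BLOCKED'} visible={visible}")
```

The gate is meant to sit in front of the mail sender for any bulk campaign: a message that fails it never reaches SMTP, and the separation between `envelope_recipients` and `wire_message` is what keeps the Bcc list out of the headers every recipient receives.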
BitMEX also proposes, “immediate guidance…to assure the safety of your account,” including adding the proper BitMEX support email addresses to one’s email contact list; refraining from acting on any apparent requests from BitMEX to transfer funds (“BitMEX will never ask you to transfer funds. The only way to fund your BitMEX account is to send bitcoin to your unique BitMEX deposit address…begin(ning) with ‘3BMEX’ or ‘3BitMEX’”); and using strong passwords and two-factor authentication.
The breach is very serious for a number of reasons.
First, any nefarious actor who may have received the email in question now has a list of known cryptocurrency traders he or she can exploit, sell or distribute to hackers on the Dark Net or elsewhere.
Affected parties could start receiving “phishing” emails impersonating BitMEX, other crypto exchanges or wallet services. These emails may contain malware-bearing links designed to infect any cryptocurrency wallets present on an individual’s computer.
This type of malware has been known to re-route transfers of cryptocurrencies to software wallets controlled by hackers.
BitMEX advises affected persons to be careful about assuring the authenticity of any apparent communiqués from crypto businesses.
The exposed email addresses could also help hackers execute a SIM-swap attack and take over a BitMEX user’s cellphone, then use that phone to access financial and other accounts.
A Twitter user called “WhalePanda” is claiming that the list of BitMEX customers exposed in the email is already being used for, “referral link shilling…because its (sic) a list of degenerate gamblers.”
“Degenerate gamblers” refers to a time when BitMEX CEO and co-founder Arthur Hayes was caught on tape jokingly using the phrase to refer to retail investors on BitMEX.
A BitMEX hack group has apparently already emerged on Telegram…
There is a Bitmex hack group on Telegram already. They claim to be cracking emails, have 113 bitcoin already and are laughing at people who have profiles on dating sites with the same email they have for exchanges pic.twitter.com/Nf9L0FILcj
— Ameero (@ameero1) November 1, 2019
Another Twitter user is claiming to have located 229 passwords corresponding to exposed BitMEX user emails:
As well, a Twitter account called Bitmexdatabaseleak says, “I have over 400,000 emails and IDs.”
The account names several high-profile crypto personages and taunts them, asking whether they paid taxes on their crypto gains: