BitMEX, a Bitcoin mercantile exchange that also happens to be one of the largest crypto derivatives markets, may have exposed its entire user base by forgetting to use the blind carbon copy (Bcc) field when sending an email to its customers about a recent update to its services.
The Bcc field ensures that no recipient can see who the other recipients are. Instead of this safe option, the plain carbon copy (Cc) field was used by mistake, so every recipient received the addresses of everyone else in the batch. In effect, BitMEX dumped its user list and handed an essential identifier (the email address) to attackers who watch around the clock for exactly this kind of leak.
With the email addresses of thousands of customers out in the open, the exchange's users can now be targeted with attacks such as phishing, in which an attacker emails the victims while posing as a trusted party. Private information obtained that way can cause the users significant financial harm.
In a response post, BitMEX acknowledged that the leak had indeed taken place. The blog post said that an investigation is under way to understand the extent of the impact. Affected users were assured that BitMEX would stay in contact with them and update them on any remedial action. The post concludes by stating, “The privacy of our users is a top priority and we are very sorry for the concern this has caused to our users.”
Criticism from the Crypto Community
Some crypto experts are saying that this mishap amounts to a dump of BitMEX's entire user database. Each user who received the email can see 1,000 other email addresses, so taking the union of the subsets seen by different recipients recreates the whole set. This is a goldmine for attackers.
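The two points above, that To and Cc are visible to every recipient while Bcc is stripped before delivery, and that overlapping Cc batches can be joined back into the full list, can be turned into a pre-send check and an incident-scoping helper. The following is an added example written for this page, not BitMEX's code; the sender domain, addresses and batches are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Policy for bulk notices: at most one visible addressee (the recipient
# in To), nobody else. Everyone else belongs in Bcc or in a separate copy.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(raw_message: str) -> set[str]:
    """Addresses every recipient of this message can see.

    To and Cc are delivered to everyone; Bcc is not counted because a
    conforming mail server strips it before delivery. The sender's own
    From address is excluded, since disclosing it is not a leak.
    """
    msg = message_from_string(raw_message)
    to_cc = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    own = getaddresses(msg.get_all("From", []))
    return {a.lower() for _, a in to_cc if a} - {a.lower() for _, a in own}


def violates_bcc_policy(raw_message: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> bool:
    """True if the message discloses more recipient addresses than policy allows."""
    return len(visible_recipients(raw_message)) > limit


def exposure_report(raw_messages) -> dict[str, set[str]]:
    """Incident-scoping view: for each exposed address, the other addresses
    disclosed alongside it across all batches. The set of keys is the union
    of every batch, i.e. the full list that left the organisation."""
    exposed: dict[str, set[str]] = {}
    for raw in raw_messages:
        seen = visible_recipients(raw)
        if len(seen) <= 1:  # a single visible addressee discloses nothing
            continue
        for addr in seen:
            exposed.setdefault(addr, set()).update(seen - {addr})
    return exposed


# Constructed sample messages (hypothetical domain, not real BitMEX mail):
# one sent correctly via Bcc, two batches that put customers in Cc by mistake.
GOOD = ("From: notices@exchange.example\nTo: notices@exchange.example\n"
        "Bcc: alice@example.com, bob@example.com\nSubject: Update\n\nHello\n")
BATCH_1 = ("From: notices@exchange.example\nTo: notices@exchange.example\n"
           "Cc: alice@example.com, bob@example.com, carol@example.com\nSubject: Update\n\nHello\n")
BATCH_2 = ("From: notices@exchange.example\nTo: notices@exchange.example\n"
           "Cc: carol@example.com, dave@example.com\nSubject: Update\n\nHello\n")

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("BATCH_1", BATCH_1), ("BATCH_2", BATCH_2)]:
        print(name, "violates policy:", violates_bcc_policy(raw))
    print("addresses exposed:", sorted(exposure_report([GOOD, BATCH_1, BATCH_2])))
```

Running the check on the outbound mail gateway, before the message leaves, is what prevents the leak; running the report over stored copies afterwards tells you who must be notified.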
Jake Chervinsky, a lawyer by profession who focuses on crypto technology, said in a tweet that the accidental leak was managed “in the most outrageously incompetent way imaginable.”
While BitMEX says it is investigating the repercussions of the leak, many other services in the industry can be affected by it. Any user who has a BitMEX account and has also signed up to other services with the same address is at risk of having both accounts compromised. Notably, Binance (another prominent cryptocurrency exchange) has asked its users who are also customers of BitMEX to change their profile information and shift to alternative accounts.