Bitcoin Forum
Topic: Australia’s crypto exchange, BTC Markets data breach (Read 77 times)
Charles-Tim (OP)
December 02, 2020, 01:07:28 PM
Last edit: December 02, 2020, 01:21:46 PM by Charles-Tim
Merited by DdmrDdmr (1)
 #1

Early on Tuesday morning, an Australian cryptocurrency exchange (BTC Markets) that bills itself as the largest in the country inadvertently exposed more than 270,000 of its members' names and email addresses. BTC Markets issued a statement acknowledging that the company had breached the privacy of its customers and apologised for the situation. “Earlier today, an announcement from BTC Markets exposed client names and email addresses.”

According to the BTC Markets, the company uses an external email system to send out updates to its customers. In the process of sending out correspondence, the company’s customers’ names and emails were included in the ‘to’ section of emails, rather than being blind carbon copied or individually addressed.

The privacy breach threatens the security of the BTC Markets user base. The exchange uses a user’s email address as their login. Further, anyone with a list of users could use that information to guide phishing attempts.

https://www.businessinsider.com.au/btc-market-cryptocurrency-privacy-breach-2020-12

Although it was reported that the exchange was not affected, this data breach might lead, or might have led, to phishing attacks or attempts on the exchange's users. What about people that did not make use of 2FA? Their accounts are vulnerable at that moment. It is good to make use of 2FA, which could have helped some people. But the best advice is to never leave your funds/bitcoin on exchanges, because they are not secure and safe by design.

jackg
December 02, 2020, 01:12:46 PM
 #2

This is the same as what happened with bitmex..

I'm guessing this wasn't a hack either, and likely an employee "mistake".

Anyway there will be a large list going round now from both of those attacks (I imagine) and this one looks to have hit all users rather than the bitmex one just being for Newsletter followers.

If you're a member of that exchange it's probably a good idea just to add anything you don't recognise to your spam folder and not to open, enable images, download anything or click links in it.
Coyster
December 02, 2020, 01:17:45 PM
 #3

Quote
According to the BTC Markets, the company uses an external email system to send out updates to its customers. In the process of sending out correspondence, the company’s customers’ names and emails were included in the ‘to’ section of emails, rather than being blind carbon copied or individually addressed.

IMO this is a somewhat very silly mistake that could later, sometime 'down the road', cost someone their funds. I think this exchange should know better and avoid such mistakes. That's the thing with centralized establishments in crypto: you can't entirely trust them. That's why you should always remember to be your own bank and store your funds either in a hw wallet or in a wallet for which you alone have the private keys, and never on an exchange.

Having said that, if you use that exchange, avoid clicking random links even if they look legit, and verify any information or message you receive going forward. Mind you that despite the fact that this data is already in the black market, the phishing attempts may not start immediately; it could be after many months, so don't only stay vigilant for a while, but always be.

Becky666
December 02, 2020, 01:27:28 PM
 #4

That was a blunder error committed by that mail's sender. They should as a matter of urgency notify their esteemed customers to immediately implement 2FA in their accounts, as there might be something big fishing under the exchange soon. Things like this shouldn't be handled with levity, because it may lead to a huge data breach when this information falls into the wrong hands. IMHO, the sender of these mails should be held responsible because he/she gave the room for the hackers to respond.

Charles-Tim (OP)
December 02, 2020, 01:33:04 PM
 #5

Quote
That was a blunder error committed by that mail's sender. They should as a matter of urgency notify their esteemed customers to immediately implement 2FA in their accounts, as there might be something big fishing under the exchange soon. Things like this shouldn't be handled with levity, because it may lead to a huge data breach when this information falls into the wrong hands. IMHO, the sender of these mails should be held responsible because he/she gave the room for the hackers to respond.

I just did not include it in the news to make my points clearer; the exchange took immediate action, although it might not be sufficient.

Quote
BTC Markets said they will report the breach to the Office of the Australian Information Commissioner, conduct an internal review and step up the security measures around users’ details.

The company also advised its users to use two-factor authentication for their BTC Markets account to secure their accounts, and directly contacted all their users to inform them of the breach
https://www.businessinsider.com.au/btc-market-cryptocurrency-privacy-breach-2020-12

Lucius
December 02, 2020, 02:02:36 PM
 #6

This has happened and will continue to happen because people are, as it always turns out, the weakest link in any security chain. Personally, it's silly of me to discuss 2FA in the way that someone advises someone that they should use it - when such things should be mandatory. Although 2FA does not guarantee 100% security of user accounts, it still makes it difficult for hackers to compromise such accounts - and in this case, it would be wiser to completely change the e-mail to prevent anyone from trying to reset the exchange password via e-mail.

Either way, the company's reputation has been irreversibly damaged - and it may be an opportunity for a new market player to attract dissatisfied customers.

dzungmobile
December 02, 2020, 02:53:30 PM
 #7

An email breach is bad, but people will be fine if they have some healthy habits:

Use a strong password for email.
Have 2FA for email.
Don't click on any link they receive in emails or on any other channels.
Don't use the same password for all platforms, all accounts.
Have 2FA on for their accounts.
Don't store passwords or 2FA secret codes on an online storage service.

Personally, I use my secondary email for getting experience on new services and platforms, and do it on a computer where I don't store my Bitcoin wallet.

GrinZ
December 02, 2020, 03:14:24 PM
 #8

It is actually sad that users do not take the necessary security measures and such events occur as a result. Maybe the error is caused by the stock exchange itself, we cannot know that, but it will be difficult to compensate for the loss of reputation.
DdmrDdmr
December 02, 2020, 04:16:37 PM
 #9

<…>
The depicted events in the OP have nothing to do with personal security. The Exchange (or one of its hired service providers for email campaign management) screwed up, and even though they allegedly did run a sample test beforehand, nobody detected the parametrization error (or made the error when switching to the complete file to process, as opposed to the test one). Normally, they will pay tight attention to reviewing the content of the email being generated, but someone missed the information in the actual "sent to" field at some point. Simple yet dramatic error that will end with someone’s balls on a silver platter for sure.

See running conversation: https://twitter.com/BTCMarkets/status/1333667467823116288
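
The failure discussed in this thread (every customer's address placed in the visible "To" field, with a sample test that did not catch it) can be blocked by a guard that runs on every generated message of the full list. This is an added example, not part of any post and not BTC Markets' or its email provider's code; the function names, the one-recipient policy and the sample addresses are assumptions.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (not real customers).
CUSTOMERS = [("Alice", "alice@example.com"), ("Bob", "bob@example.com")]
MAX_VISIBLE = 1  # assumed policy: one readable address per announcement


class RecipientExposure(Exception):
    """Raised when a message would reveal or reach other customers."""


def build_announcement(sender, name, address, subject, body):
    """Build one message addressed to exactly one customer."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = address
    msg["Subject"] = subject
    msg.set_content(f"Hello {name},\n\n{body}\n")
    return msg


def visible_recipients(msg):
    """Addresses every recipient can read: the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_before_send(msg, envelope_rcpts):
    """Refuse messages that expose the list or go to unexpected addresses."""
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE:
        raise RecipientExposure(f"{len(visible)} addresses visible in To/Cc")
    if sorted(visible) != sorted(a.lower() for a in envelope_rcpts):
        raise RecipientExposure("envelope recipients differ from the To header")
    return True


def prepare_batch(sender, customers, subject, body):
    """Return (message, envelope) pairs; the guard runs on the full list."""
    batch = []
    for name, address in customers:
        msg = build_announcement(sender, name, address, subject, body)
        check_before_send(msg, [address])
        batch.append((msg, [address]))
    return batch
```

Because the guard is called inside the send path for every message, it also covers the case where the test file passes but the complete file is processed with different parameters.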
kano
December 02, 2020, 07:16:31 PM
 #10

On their "Protect Yourself Against Cybercrime" page,
https://www.btcmarkets.net/protect-yourself-online
They forgot to add: "Don't use our web site" ...
