Bitcoin Forum
Author Topic: [2019-11-03] BitMEX Exposes User Emails In Data Leak  (Read 247 times)
bbc.reporter (OP)
Legendary
*
Offline Offline

Activity: 2926
Merit: 1441



View Profile
November 03, 2019, 12:34:13 AM
 #1

Many people complain why the SEC does not take the development of the cryptospace industry so seriously. As an industry, it might be perceived by the SEC as a little naive boy trying to make it in a grown man's world hehe.



BitMEX has experienced a data leak, but not in the way you might expect. In a major misstep, the company accidentally shared user email addresses with its customers.

On November 1st, the exchange issued a statement: “Earlier today, some of our users received an email which contained the email addresses of other users in the ‘to’ field.”

Though BitMEX has blamed the leak on a “software issue,” human error may be involved. Most likely, an employee misused the email software’s “carbon copy” field.

Email addresses alone cannot be used to access BitMEX accounts. However, attackers could gather passwords and recovery info by phishing users or searching the dark web.

Larry Cermak of TheBlock predicts that this will be one outcome of the data leak: “Get ready for constant phishing attempts and emails from competitors,” he writes.

In addition to the risk of phishing, he added that user identities could be revealed. “I’d say more than 50% of emails are trivially easy to doxx,” he posted on Twitter.

The risk is not isolated to BitMEX, since many people use one email address for multiple sites. Binance and OKEx have suggested users update their security settings as well.


Read in full https://cryptobriefing.com/bitmex-user-emails-data-leak-twitter-hack/

CryptoBry
Sr. Member
****
Offline Offline

Activity: 1008
Merit: 355



View Profile
November 03, 2019, 02:03:26 AM
 #2


Many people complain why the SEC does not take the development of the cryptospace industry so seriously. As an industry, it might be perceived by the SEC as a little naive boy trying to make it in a grown man's world hehe.


I would not say that this same huge mistake never happened with other platforms in other industries, but people in BitMEX should have known better how sensitive the information under their own care is. Showing some stupidity by ignoring some security measures in handling a simple case of sending email and sharing important data can be a form of a big concern for the whole industry. Indeed, this act alone lacks the kind of maturity that should be expected by now from different platforms working for and in the cryptocurrency industry.

And if this case happened with a reputable exchange like BitMEX, how can we expect that other smaller exchanges will not be making similar stupid mistakes? And should there be a big penalty that should be imposed for a player like BitMEX in this case? Indeed, this is like a little boy playing with matches and pretending that he is old enough not to cause a fire.
Harlot
Hero Member
*****
Offline Offline

Activity: 1806
Merit: 671


View Profile
November 03, 2019, 04:53:48 PM
 #3

Even though this was an internal error from the start, a data leak on their part is not something to let fly by, since data is still leaked and it got into the wrong hands, or at least people have read some info which was not meant for them. If you are asking for the support of the SEC for some kind of enforcement on businesses related to the crypto industry, I think they are doing a bad job at it. The "development" on their end only means KYC enforcement and AML compliance, all of which just relate to avoiding crimes happening in the industry. But what we people really want is the enforcement of data protection and security so that our assets are not hacked or obtained illegally by other people; if they really do want to support our industry then they should step up in these fields as well.
darkangel11
Legendary
*
Offline Offline

Activity: 2352
Merit: 1345


Defend Bitcoin and its PoW: bitcoincleanup.com


View Profile
November 03, 2019, 07:27:34 PM
 #4

Looks like an employee mistake. Somebody's gonna get fired.

It's really very easy to dox emails and then use the information for phishing attempts. Many of these people will fall for it when they get their real name and exchange username emailed back to them with a request to change the password due to a recent database leak. Even if one per 100 people emails back it's still worth it. And think of all the trojans that are going to be emailed to them. If my email was among those leaked I'd already have a new one and consider that one burned.


squatter
Legendary
*
Offline Offline

Activity: 1666
Merit: 1196


STOP SNITCHIN'


View Profile
November 03, 2019, 08:34:20 PM
 #5

In an obnoxious turn of events, BitMEX is requiring users to verify ID in order to change their email address. Roll Eyes

I wonder what percentage of their customer base had their info leaked. Some BitMEX customers are reporting that they didn't receive the email in question.

Larry Cermak puts the total at "more than 30,000 unique emails." That's a nice freebie for competing platforms.

rodel caling
Full Member
***
Offline Offline

Activity: 952
Merit: 104


View Profile
November 03, 2019, 09:38:21 PM
 #6

I would not say that this same huge mistake never happened with other platforms in other industries, but people in BitMEX should have known better how sensitive the information under their own care is. Showing some stupidity by ignoring some security measures in handling a simple case of sending email and sharing important data can be a form of a big concern for the whole industry. Indeed, this act alone lacks the kind of maturity that should be expected by now from different platforms working for and in the cryptocurrency industry.

And if this case happened with a reputable exchange like BitMEX, how can we expect that other smaller exchanges will not be making similar stupid mistakes? And should there be a big penalty that should be imposed for a player like BitMEX in this case? Indeed, this is like a little boy playing with matches and pretending that he is old enough not to cause a fire.



Yeah, you're really right mate. Big mistakes like this are how they lose their reputation; the email address of every single user is very important and private. With this mistake, BitMEX users are very affected: the security of their other accounts is in danger. Hope this scenario never happens again at other exchanges.
1Referee
Legendary
*
Offline Offline

Activity: 2170
Merit: 1427


View Profile
November 04, 2019, 12:13:03 AM
 #7

In an obnoxious turn of events, BitMEX is requiring users to verify ID in order to change their email address. Roll Eyes

Then I must have been one lucky mofo because I managed to successfully change my email address without ID requirement.

Letting it all sink in, this might even be an attempt to get people to verify themselves so that they won't be booted off their platform whenever kyc verification becomes mandatory. It's only a matter of time before they go full kyc, so leveraging this event is quite an effective route to accomplish that.

A lot of services nowadays sucker in their non-verified users to claim like $20 in shitcoins, but in order to claim they first have to verify their ID. Bitmex however doesn't want to spend a penny.
bbc.reporter (OP)
Legendary
*
Offline Offline

Activity: 2926
Merit: 1441



View Profile
November 04, 2019, 01:32:46 AM
 #8


Many people complain why the SEC does not take the development of the cryptospace industry so seriously. As an industry, it might be perceived by the SEC as a little naive boy trying to make it in a grown man's world hehe.


I would not say that this same huge mistake never happened with other platforms in other industries, but people in BitMEX should have known better how sensitive the information under their own care is. Showing some stupidity by ignoring some security measures in handling a simple case of sending email and sharing important data can be a form of a big concern for the whole industry. Indeed, this act alone lacks the kind of maturity that should be expected by now from different platforms working for and in the cryptocurrency industry.

And if this case happened with a reputable exchange like BitMEX, how can we expect that other smaller exchanges will not be making similar stupid mistakes? And should there be a big penalty that should be imposed for a player like BitMEX in this case? Indeed, this is like a little boy playing with matches and pretending that he is old enough not to cause a fire.

Also, consider the hacks and the stolen coins. It is the incompetent exchanges themselves giving the regulators a reason to implement what they want to avoid. Strict regulations.

squatter
Legendary
*
Offline Offline

Activity: 1666
Merit: 1196


STOP SNITCHIN'


View Profile
November 04, 2019, 01:43:14 AM
 #9

In an obnoxious turn of events, BitMEX is requiring users to verify ID in order to change their email address. Roll Eyes

Then I must have been one lucky mofo because I managed to successfully change my email address without ID requirement.

Letting it all sink in, this might even be an attempt to get people to verify themselves so that they won't be booted off their platform whenever kyc verification becomes mandatory. It's only a matter of time before they go full kyc, so leveraging this event is quite an effective route to accomplish that.

I could be mistaken about that. I've never used BitMEX myself. I was just going off that Twitter thread, where Larry Cermak said this:

Quote
What's perhaps the most ridiculous is that BitMEX is currently requiring users to complete an ID verification in order to change their email address. No idea why. I'd recommend just burning that account and starting a new one with a burner email.

But if it is indeed a new requirement, you might be right. That's a pretty grimy move by BitMEX if so.

Kyraishi
Hero Member
*****
Offline Offline

Activity: 952
Merit: 513



View Profile
November 04, 2019, 02:35:51 AM
 #10

Looks like an employee mistake. Somebody's gonna get fired.
Not sure if it is a real employee's mistake. It looks like it's an issue with their servers, and I don't think someone would be dumb enough to just dox a bunch of emails. If he/she was though, god damn, I would not like to be him, don't think there is any way they keep their jobs.

In an obnoxious turn of events, BitMEX is requiring users to verify ID in order to change their email address. Roll Eyes

I wonder what percentage of their customer base had their info leaked. Some BitMEX customers are reporting that they didn't receive the email in question.

Larry Cermak puts the total at "more than 30,000 unique emails." That's a nice freebie for competing platforms.
I guess this does make sense though, there are definitely going to be some hackers that are using these emails and trying to exploit them in order to obtain access to these accounts.

Saint-loup
Legendary
*
Offline Offline

Activity: 2604
Merit: 2353



View Profile
November 04, 2019, 07:16:52 PM
 #11

Looks like an employee mistake. Somebody's gonna get fired.
Not sure if it is a real employee's mistake. It looks like it's an issue with their servers, and I don't think someone would be dumb enough to just dox a bunch of emails. If he/she was though, god damn, I would not like to be him, don't think there is any way they keep their jobs.
No it's really a human mistake, according to them they wanted to adapt their existing software to be able to send the mailing more quickly but they didn't test it before using it.

Quote
To remedy this, we built an in-house system to handle the necessary rendering, translation, staging, and piecemeal (as not to trigger rate limits) sending of important email. BitMEX has not sent an email to every customer at once since 2017, and much has changed since then. When we initiated the send, it became clear that it would take upwards of 10 hours to complete, and there was a desire on the team to ensure users received the same material information on a more reasonable timescale.

To handle this, the tool was quickly rewritten to send single SendGrid API calls in batches of 1,000 addresses. Unfortunately, due to the time constraints, this was not put through our normal QA process. It was not immediately understood that the API call would create a literal concatenated “To:” field, leaking customer email addresses. As soon as we became aware, we immediately prevented further emails from being sent and have addressed the root cause. Since then we have been aiding all who have been affected as best we can and mitigating the damage to contain the leak.

And no, nobody seems to have been fired.

Quote
BitMEX is a company that takes engineering seriously, and we are disappointed that this lapse in care has resulted in unwanted disclosure for our customers. We believe that processes, not engineers, are to blame for these failures. Our processes failed here. We are working around-the-clock to revamp them and to ensure that even the simplest-looking code changes are put under strict review.
https://blog.bitmex.com/email-privacy-issue-what-is-happening-and-how-can-we-help/
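
The failure mode described in the quoted BitMEX statement, as an added example that is not BitMEX's code and not part of the original post: a batch request that puts every address into one shared "to" list, next to a batch that keeps one recipient per message, plus a pre-send check that catches the first shape. The payload field names follow the SendGrid v3 Mail Send request body; the function names are hypothetical, the addresses are constructed samples, and nothing is sent over the network.

```python
"""Added example: how a batched mail request can expose recipients to each other.

Payload field names follow the SendGrid v3 Mail Send JSON body
(personalizations / to / cc / email). Addresses are constructed samples.
"""

BATCH_SIZE = 1000  # batch size quoted in the BitMEX statement


def chunks(items, size):
    """Yield consecutive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def _envelope(personalizations, sender, subject, body):
    """Wrap a list of personalizations in the rest of the request body."""
    return {
        "personalizations": personalizations,
        "from": {"email": sender},
        "subject": subject,
        "content": [{"type": "text/plain", "value": body}],
    }


def build_shared_to(recipients, sender, subject, body):
    """Leaky shape: one personalization whose `to` list holds the whole batch,
    so every recipient of that message sees the full list in the To: header."""
    return [
        _envelope([{"to": [{"email": r} for r in batch]}], sender, subject, body)
        for batch in chunks(recipients, BATCH_SIZE)
    ]


def build_isolated(recipients, sender, subject, body):
    """Safe shape: still one API call per batch, but one personalization per
    recipient, so each message carries a single address in To:."""
    return [
        _envelope([{"to": [{"email": r}]} for r in batch], sender, subject, body)
        for batch in chunks(recipients, BATCH_SIZE)
    ]


def visible_header_addresses(personalization):
    """Addresses that land in visible headers (To: and Cc:, not Bcc:)."""
    entries = personalization.get("to", []) + personalization.get("cc", [])
    return [e["email"].lower() for e in entries]


def cross_exposure(payload):
    """Return {recipient: set of other addresses that recipient would see}."""
    exposed = {}
    for p in payload["personalizations"]:
        visible = set(visible_header_addresses(p))
        for addr in visible:
            others = visible - {addr}
            if others:
                exposed.setdefault(addr, set()).update(others)
    return exposed


def assert_no_cross_exposure(payloads):
    """Pre-send gate: refuse to send if any recipient would see another."""
    for i, payload in enumerate(payloads):
        leaked = cross_exposure(payload)
        if leaked:
            raise ValueError(
                f"request {i}: {len(leaked)} recipients would see other addresses"
            )
    return True


# Constructed sample list (example.com addresses, not real users).
SAMPLE = [f"user{n}@example.com" for n in range(2500)]
```

Running a gate like `assert_no_cross_exposure` against staged payloads is the kind of check a QA step or unit test can enforce before any bulk send.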

magneto
Hero Member
*****
Offline Offline

Activity: 1666
Merit: 753


View Profile
November 04, 2019, 08:09:12 PM
 #12

Yeah, these little events definitely may contribute to the public and any regulator's perception of the cryptospace being something that is largely unsecured and amateurish in terms of protecting users.

From an individual standpoint though, all this shows is the importance of switching up your emails when you sign up to different sites.

That way, if one site does get hacked, you don't need to reset every single password on different sites in order to protect yourself. It's a lot more secure, and convenient when things go south.
BitHodler
Legendary
*
Offline Offline

Activity: 1526
Merit: 1179


View Profile
November 05, 2019, 12:12:34 PM
 #13

From an individual standpoint though, all this shows is the importance of switching up your emails when you sign up to different sites.

That way, if one site does get hacked, you don't need to reset every single password on different sites in order to protect yourself. It's a lot more secure, and convenient when things go south.
People are too lazy for that. I see it happen quite frequently that faucets or some other low level sites get hacked where their database ends up being sold on the darknet market.

The same email address they registered their account with on a faucet site, is the same email address they use for Facebook, their main fiat exchange, and so on.... plenty of value to extract for hackers there.

BSV is not the real Bcash. Bcash is the real Bcash.
hotmom
Jr. Member
*
Offline Offline

Activity: 69
Merit: 2


View Profile
November 05, 2019, 01:42:47 PM
 #14

Bitmex must solve this problem as soon as possible, otherwise the situation will only get worse.
Theb
Hero Member
*****
Offline Offline

Activity: 1680
Merit: 655


View Profile
November 10, 2019, 06:11:23 PM
 #15

Yeah, these little events definitely may contribute to the public and any regulator's perception of the cryptospace being something that is largely unsecured and amateurish in terms of protecting users.

From an individual standpoint though, all this shows is the importance of switching up your emails when you sign up to different sites.

That way, if one site does get hacked, you don't need to reset every single password on different sites in order to protect yourself. It's a lot more secure, and convenient when things go south.

A hack or an internal issue that resulted in data leakage won't simply translate to the "cryptospace" being unsecured, not unless the crypto news websites would inflate their news again. BitMex already admitted their carelessness here and I assume that the regulators/authorities would simply try to change their enforcement or process when it comes to security and data protection for businesses related to the industry, just like what Japan has been trying to do for several years now. Of course what they want is the continuity of the industry and they will try their best for their citizens to keep it as safe and secure as possible for them and for their hard earned money.

bbc.reporter (OP)
Legendary
*
Offline Offline

Activity: 2926
Merit: 1441



View Profile
November 12, 2019, 02:35:47 AM
 #16

News update.

Scammers and hackers have begun attacking Bitmex users from the leaked emails through phishing attacks.



It now looks like scammers are taking advantage of the readily available, and obviously crypto-literate, BitMEX users’ details. A Reddit user reported an example of a scam supposedly associated with the leak. The user claims to have received a message claiming to be from Blockchain.com. It asks that the potential victim follow a link to receive a payment. However, the link reportedly directs to the site blockchainain.com, and download malware.

Source https://www.newsbtc.com/2019/11/11/bitmex-crypto-traders-targeted-by-phishing-scams-what-the-attacks-look-like/

magneto
Hero Member
*****
Offline Offline

Activity: 1666
Merit: 753


View Profile
November 17, 2019, 08:05:04 AM
 #17

A hack or an internal issue that resulted in data leakage won't simply translate to the "cryptospace" being unsecured, not unless the crypto news websites would inflate their news again. BitMex already admitted their carelessness here and I assume that the regulators/authorities would simply try to change their enforcement or process when it comes to security and data protection for businesses related to the industry, just like what Japan has been trying to do for several years now. Of course what they want is the continuity of the industry and they will try their best for their citizens to keep it as safe and secure as possible for them and for their hard earned money.

Absolutely. But the point here is that news sites will sensationalise things so much that something as minor as a website hack will be attributed to the lack of regulation in the entire cryptospace or whatnot.

It's unfair, really.

They're placing so much emphasis on this, yet ignoring countless credit card frauds every day.
milewilda
Legendary
*
Offline Offline

Activity: 3108
Merit: 1127



View Profile
November 17, 2019, 09:26:44 PM
 #18

News update.

Scammers and hackers have begun attacking Bitmex users from the leaked emails through phishing attacks.

It now looks like scammers are taking advantage of the readily available, and obviously crypto-literate, BitMEX users’ details. A Reddit user reported an example of a scam supposedly associated with the leak. The user claims to have received a message claiming to be from Blockchain.com. It asks that the potential victim follow a link to receive a payment. However, the link reportedly directs to the site blockchainain.com, and download malware.

Source https://www.newsbtc.com/2019/11/11/bitmex-crypto-traders-targeted-by-phishing-scams-what-the-attacks-look-like/
Scammers don't get tired of making new types of phishing. This one is quite catchy, and it really does look like the original came from blockchain.com, but if you are really that paranoid in terms of hacking/scams then you won't easily fall into the trap. Just simply look and think for a second or two: there's a payment received when you didn't even make any withdrawals or expect a payment from others.
