Topic: [2019-11-03] BitMEX Exposes User Emails In Data Leak

legendary
Activity: 3094
Merit: 1127
News update.

Scammers and hackers have begun attacking BitMEX users with phishing attacks built on the leaked emails.

It now looks like scammers are taking advantage of the readily available, and obviously crypto-literate, BitMEX users’ details. A Reddit user reported an example of a scam supposedly associated with the leak. The user claims to have received a message claiming to be from Blockchain.com. It asks that the potential victim follow a link to receive a payment. However, the link reportedly directs to the site blockchainain.com and downloads malware.

Source https://www.newsbtc.com/2019/11/11/bitmex-crypto-traders-targeted-by-phishing-scams-what-the-attacks-look-like/
Scammers don't get tired of making new types of phishing. This one is quite catchy, and it really does look like the original came from blockchain.com, but if you are really that paranoid in terms of hacking/scams then you won't easily fall into the trap. Just look and think for a second or two: there's a payment received when you didn't make any withdrawals and weren't expecting a payment from others.
hero member
Activity: 1666
Merit: 753
A hack or an internal issue that resulted in data leakage won't simply translate to the "cryptospace" being unsecured, unless the crypto news websites inflate their news again. BitMEX already admitted their carelessness here, and I assume that the regulators/authorities would simply try to change their enforcement or process when it comes to security and data protection for businesses related to the industry, just like what Japan has been trying to do for several years now. Of course what they want is the continuity of the industry, and they will try their best for their citizens to keep it as safe and secure as possible for them and for their hard-earned money.

Absolutely. But the point here is that news sites will sensationalise things so much that something as minor as a website hack will be attributed to the lack of regulation in the entire cryptospace or whatnot.

It's unfair, really.

They're placing so much emphasis on this, yet ignoring countless credit card frauds every day.
legendary
Activity: 3010
Merit: 1460
News update.

Scammers and hackers have begun attacking BitMEX users with phishing attacks built on the leaked emails.

It now looks like scammers are taking advantage of the readily available, and obviously crypto-literate, BitMEX users’ details. A Reddit user reported an example of a scam supposedly associated with the leak. The user claims to have received a message claiming to be from Blockchain.com. It asks that the potential victim follow a link to receive a payment. However, the link reportedly directs to the site blockchainain.com and downloads malware.

Source https://www.newsbtc.com/2019/11/11/bitmex-crypto-traders-targeted-by-phishing-scams-what-the-attacks-look-like/
hero member
Activity: 1680
Merit: 655
Yeah, these little events definitely may contribute to the public and any regulator's perception of the cryptospace being something that is largely unsecured and amateurish in terms of protecting users.

From an individual standpoint though, all this shows is the importance of switching up your emails when you sign up to different sites.

That way, if one site does get hacked, you don't need to reset every single password on different sites in order to protect yourself. It's a lot more secure, and convenient when things go south.

A hack or an internal issue that resulted in data leakage won't simply translate to the "cryptospace" being unsecured, unless the crypto news websites inflate their news again. BitMEX already admitted their carelessness here, and I assume that the regulators/authorities would simply try to change their enforcement or process when it comes to security and data protection for businesses related to the industry, just like what Japan has been trying to do for several years now. Of course what they want is the continuity of the industry, and they will try their best for their citizens to keep it as safe and secure as possible for them and for their hard-earned money.
jr. member
Activity: 69
Merit: 2
Bitmex must solve this problem as soon as possible, otherwise the situation will only get worse.
legendary
Activity: 1526
Merit: 1179
From an individual standpoint though, all this shows is the importance of switching up your emails when you sign up to different sites.

That way, if one site does get hacked, you don't need to reset every single password on different sites in order to protect yourself. It's a lot more secure, and convenient when things go south.
People are too lazy for that. I see it happen quite frequently that faucets or some other low level sites get hacked where their database ends up being sold on the darknet market.

The same email address they registered their account with on a faucet site, is the same email address they use for Facebook, their main fiat exchange, and so on.... plenty of value to extract for hackers there.
hero member
Activity: 1666
Merit: 753
Yeah, these little events definitely may contribute to the public and any regulator's perception of the cryptospace being something that is largely unsecured and amateurish in terms of protecting users.

From an individual standpoint though, all this shows is the importance of switching up your emails when you sign up to different sites.

That way, if one site does get hacked, you don't need to reset every single password on different sites in order to protect yourself. It's a lot more secure, and convenient when things go south.
legendary
Activity: 2604
Merit: 2353
Looks like an employee mistake. Somebody's gonna get fired.
Not sure if it is a real employee's mistake. It looks like it's an issue with their servers, and I don't think someone would be dumb enough to just dox a bunch of emails. If he/she was though, god damn, I would not like to be him, don't think there is any way they keep their jobs.
No, it's really a human mistake. According to them, they wanted to adapt their existing software to be able to send the mailing more quickly, but they didn't test it before using it.

Quote
To remedy this, we built an in-house system to handle the necessary rendering, translation, staging, and piecemeal (as not to trigger rate limits) sending of important email. BitMEX has not sent an email to every customer at once since 2017, and much has changed since then. When we initiated the send, it became clear that it would take upwards of 10 hours to complete, and there was a desire on the team to ensure users received the same material information on a more reasonable timescale.

To handle this, the tool was quickly rewritten to send single SendGrid API calls in batches of 1,000 addresses. Unfortunately, due to the time constraints, this was not put through our normal QA process. It was not immediately understood that the API call would create a literal concatenated “To:” field, leaking customer email addresses. As soon as we became aware, we immediately prevented further emails from being sent and have addressed the root cause. Since then we have been aiding all who have been affected as best we can and mitigating the damage to contain the leak.

And no, nobody seems to have been fired.

Quote
BitMEX is a company that takes engineering seriously, and we are disappointed that this lapse in care has resulted in unwanted disclosure for our customers. We believe that processes, not engineers, are to blame for these failures. Our processes failed here. We are working around-the-clock to revamp them and to ensure that even the simplest-looking code changes are put under strict review.
https://blog.bitmex.com/email-privacy-issue-what-is-happening-and-how-can-we-help/
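The failure mode the quoted post-mortem describes (one API call per batch, every address in the batch landing in the same To: header) next to two ways of sending that do not expose recipients to each other, plus the pre-send check that would have flagged it in QA. This is an added example, not BitMEX's or SendGrid's code; the message model, function names and recipient addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample recipient list (placeholder addresses, not real users).
RECIPIENTS = [f"user{i}@example.invalid" for i in range(1, 2501)]


@dataclass
class Message:
    """Minimal stand-in for one outbound email as the provider would render it."""
    to: list                                 # addresses shown in the visible To: header
    bcc: list = field(default_factory=list)  # addresses the provider strips before delivery
    subject: str = "Important account notice"


def send_batched_unsafe(addresses, batch_size=1000):
    """Failure mode from the post-mortem: one call per batch, with every address
    in the batch placed in the same To: field, so each recipient sees the others."""
    return [Message(to=list(addresses[i:i + batch_size]))
            for i in range(0, len(addresses), batch_size)]


def send_per_recipient(addresses):
    """Hardened form 1: render and send one message per recipient."""
    return [Message(to=[addr]) for addr in addresses]


def send_bcc_batched(addresses, sender, batch_size=1000):
    """Hardened form 2: keep the batching for speed, but put the batch in BCC
    and only the sender's own address in To:."""
    return [Message(to=[sender], bcc=list(addresses[i:i + batch_size]))
            for i in range(0, len(addresses), batch_size)]


def audit_messages(msgs):
    """QA check that would have caught the bug before sending: flag any message
    whose To: header exposes more than one address.
    Returns (count of leaking messages, set of exposed addresses)."""
    leaking, exposed = 0, set()
    for m in msgs:
        visible = set(m.to)          # BCC is never visible, so only To: counts
        if len(visible) > 1:
            leaking += 1
            exposed |= visible
    return leaking, exposed


if __name__ == "__main__":
    sender = "notices@example.invalid"
    for label, msgs in [("batched To:", send_batched_unsafe(RECIPIENTS)),
                        ("per-recipient", send_per_recipient(RECIPIENTS)),
                        ("batched BCC", send_bcc_batched(RECIPIENTS, sender))]:
        n, exposed = audit_messages(msgs)
        print(f"{label:14s} {len(msgs):5d} messages, {n} leaking, {len(exposed)} addresses exposed")
```

Running the audit over the rendered messages before they reach the provider is the kind of check the post-mortem says was skipped; with 2,500 constructed recipients the batched To: variant yields 3 messages that each expose 1,000 addresses.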
hero member
Activity: 952
Merit: 513
Looks like an employee mistake. Somebody's gonna get fired.
Not sure if it is a real employee's mistake. It looks like it's an issue with their servers, and I don't think someone would be dumb enough to just dox a bunch of emails. If he/she was though, god damn, I would not like to be him, don't think there is any way they keep their jobs.

In an obnoxious turn of events, BitMEX is requiring users to verify ID in order to change their email address.

I wonder what percentage of their customer base had their info leaked. Some BitMEX customers are reporting that they didn't receive the email in question.

Larry Cermak puts the total at "more than 30,000 unique emails." That's a nice freebie for competing platforms.
I guess this does make sense though; there are definitely going to be some hackers that are using these emails and trying to exploit them in order to obtain access to these accounts.
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
In an obnoxious turn of events, BitMEX is requiring users to verify ID in order to change their email address.

Then I must have been one lucky mofo because I managed to successfully change my email address without ID requirement.

Letting it all sink in, this might even be an attempt to get people to verify themselves so that they won't be booted off their platform whenever kyc verification becomes mandatory. It's only a matter of time before they go full kyc, so leveraging this event is quite an effective route to accomplish that.

I could be mistaken about that. I've never used BitMEX myself. I was just going off that Twitter thread, where Larry Cermak said this:

Quote
What's perhaps the most ridiculous is that BitMEX is currently requiring users to complete an ID verification in order to change their email address. No idea why. I'd recommend just burning that account and starting a new one with a burner email.

But if it is indeed a new requirement, you might be right. That's a pretty grimy move by BitMEX if so.
legendary
Activity: 3010
Merit: 1460
Many people complain why the SEC does not take the development of the cryptospace industry so seriously. As an industry, it might be perceived by the SEC as a little naive boy trying to make it in a grown man's world hehe.

I would not say that this same huge mistake never happened with other platforms in other industries, but people in BitMEX should have known better how sensitive the information under their own care is. Showing some stupidity by ignoring some security measures in handling a simple case of sending email and sharing important data can be a big concern for the whole industry. Indeed, this act alone lacks the kind of maturity that we should expect by now from the different platforms working for and in the cryptocurrency industry.

And if this case happened with a reputable exchange like BitMEX, how can we expect that other smaller exchanges will not be making similar stupid mistakes? And should there be a big penalty that should be imposed for a player like BitMEX in this case? Indeed, this is like a little boy playing with matches and pretending that he is old enough not to cause a fire.

Also, consider the hacks and the stolen coins. It is the incompetent exchanges themselves giving the regulators a reason to implement what they want to avoid. Strict regulations.
legendary
Activity: 2170
Merit: 1427
In an obnoxious turn of events, BitMEX is requiring users to verify ID in order to change their email address.

Then I must have been one lucky mofo because I managed to successfully change my email address without ID requirement.

Letting it all sink in, this might even be an attempt to get people to verify themselves so that they won't be booted off their platform whenever kyc verification becomes mandatory. It's only a matter of time before they go full kyc, so leveraging this event is quite an effective route to accomplish that.

A lot of services nowadays sucker in their non-verified users to claim like $20 in shitcoins, but in order to claim they first have to verify their ID. BitMEX however doesn't want to spend a penny.
full member
Activity: 952
Merit: 104
I would not say that this same huge mistake never happened with other platforms in other industries, but people in BitMEX should have known better how sensitive the information under their own care is. Showing some stupidity by ignoring some security measures in handling a simple case of sending email and sharing important data can be a big concern for the whole industry. Indeed, this act alone lacks the kind of maturity that we should expect by now from the different platforms working for and in the cryptocurrency industry.

And if this case happened with a reputable exchange like BitMEX, how can we expect that other smaller exchanges will not be making similar stupid mistakes? And should there be a big penalty that should be imposed for a player like BitMEX in this case? Indeed, this is like a little boy playing with matches and pretending that he is old enough not to cause a fire.

Yeah, you're really right mate, this is a big mistake and this is how people lose their reputation. The email address of each single user is very important and private. This mistake has really affected the users of BitMEX; the security of their other accounts is in danger. Hope this scenario never happens again with other exchanges.
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
In an obnoxious turn of events, BitMEX is requiring users to verify ID in order to change their email address.

I wonder what percentage of their customer base had their info leaked. Some BitMEX customers are reporting that they didn't receive the email in question.

Larry Cermak puts the total at "more than 30,000 unique emails." That's a nice freebie for competing platforms.
legendary
Activity: 2296
Merit: 1335
Don't let others control your BTC -> self custody
Looks like an employee mistake. Somebody's gonna get fired.

It's really very easy to dox emails and then use the information for phishing attempts. Many of these people will fall for it when they get their real name and exchange username emailed back to them with a request to change the password due to a recent database leak. Even if one per 100 people emails back it's still worth it. And think of all the trojans that are going to be emailed to them. If my email was among those leaked I'd already have a new one and consider that one burned.
hero member
Activity: 1806
Merit: 672
Even though this was an internal error from the start, a data leak on their part is not something to let fly by, since data is still leaked and it got into the wrong hands, or at least people have read some info which was not meant for them. If you are asking for the support of the SEC for some kind of enforcement on businesses related to the crypto industry, I think they are doing a bad job at it. The "development" on their end only means KYC enforcement and AML compliance, all of which just relate to avoiding crimes happening in the industry. But what we people really want is the enforcement of data protection and security, so that our assets are not hacked or obtained illegally by other people; if they really do want to support our industry then they should step up in these fields as well.
sr. member
Activity: 1008
Merit: 355
Many people complain why the SEC does not take the development of the cryptospace industry so seriously. As an industry, it might be perceived by the SEC as a little naive boy trying to make it in a grown man's world hehe.

I would not say that this same huge mistake never happened with other platforms in other industries, but people in BitMEX should have known better how sensitive the information under their own care is. Showing some stupidity by ignoring some security measures in handling a simple case of sending email and sharing important data can be a big concern for the whole industry. Indeed, this act alone lacks the kind of maturity that we should expect by now from the different platforms working for and in the cryptocurrency industry.

And if this case happened with a reputable exchange like BitMEX, how can we expect that other smaller exchanges will not be making similar stupid mistakes? And should there be a big penalty that should be imposed for a player like BitMEX in this case? Indeed, this is like a little boy playing with matches and pretending that he is old enough not to cause a fire.
legendary
Activity: 3010
Merit: 1460
Many people complain why the SEC does not take the development of the cryptospace industry so seriously. As an industry, it might be perceived by the SEC as a little naive boy trying to make it in a grown man's world hehe.
BitMEX has experienced a data leak, but not in the way you might expect. In a major misstep, the company accidentally shared user email addresses with its customers.

On November 1st, the exchange issued a statement: “Earlier today, some of our users received an email which contained the email addresses of other users in the ‘to’ field.”

Though BitMEX has blamed the leak on a “software issue,” human error may be involved. Most likely, an employee misused the email software’s “carbon copy” field.

Email addresses alone cannot be used to access BitMEX accounts. However, attackers could gather passwords and recovery info by phishing users or searching the dark web.

Larry Cermak of TheBlock predicts that this will be one outcome of the data leak: “Get ready for constant phishing attempts and emails from competitors,” he writes.

In addition to the risk of phishing, he added that user identities could be revealed. “I’d say more than 50% of emails are trivially easy to doxx,” he posted on Twitter.

The risk is not isolated to BitMEX, since many people use one email address for multiple sites. Binance and OKEx have suggested users update their security settings as well.

Read in full https://cryptobriefing.com/bitmex-user-emails-data-leak-twitter-hack/