Cryptocurrency exchange BitMEX has exposed the email addresses of 23,000 customers after sending out a mass email that listed the recipients' addresses in the cc: field.
The email addresses were exposed when the exchange sent out its weekly newsletter, immediately causing concern among its users given that the addresses could be targeted by malicious actors.
BitMEX confirmed the data breach, saying in a statement Friday that it was aware that some of its users have received a general user update email that contained the email addresses of other users.
“Our team have acted immediately to contain the issue and we are taking steps to understand the extent of the impact,” the statement adds. “Rest assured that we are doing everything we can to identify the root cause of the fault and we will be in touch with any users affected by the issue.”
The exposure of the emails opens up anyone on the list to spam, phishing attempts and, although it didn’t include passwords, attempts to obtain access to their accounts.
The use of common passwords is one obvious door to access. Hackers can match email addresses leaked by BitMEX to lists of previously hacked credentials, then attempt to use the passwords they identify to gain access to BitMEX accounts.
Phishing attempts are a real risk given that the BitMEX leak confirms that the email addresses belong to BitMEX users.
The timing isn’t great for BitMEX. It’s under investigation by the U.S. Commodity Futures Trading Commission for providing services to U.S. citizens while not licensed to do so. According to Larry Cermak, director of research at The Block, some of the leaked emails include those from the U.S.
UPDATE: I now have access to 23,000 emails that were leaked by BitMEX. Surprisingly, there is only one person that used a .gov email. There were 66 students/alumni that used .edu email. NYU dominates (7 people), followed by Berkeley, and University of Michigan. https://t.co/vmcyVz5Uqe
— Larry Cermak (@lawmaster) November 2, 2019
Dovey Wan, the co-founder of Primitive Crypto, noted that it may expose those on the list to attention from the U.S. Internal Revenue Service as well.
gonna be an interesting “Ashley Madison” like case for the Bitmex email leaks ..
Anybody using .gov email or .edu email? and nice source of tax collection pointer for IRS too if they do a quick scan
— Dovey 以德服人 Wan (@DoveyWan) November 1, 2019
There is very little users can do other than to make sure they’re not using the same password across multiple sites, starting with BitMEX itself.
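On the sending side, the failure described at the top of this article (recipient addresses placed in the cc: field of a bulk email) can be caught by a pre-send check. The Python sketch below is an added example, not BitMEX's code: the function names, the one-visible-recipient policy and the example.com addresses are all assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 1  # assumed policy: a bulk mail may show one recipient only

class RecipientExposure(Exception):
    """Raised when a message would reveal recipients to each other."""

def visible_recipients(msg):
    """Addresses every recipient can read: the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]

def check_before_send(msg):
    """Pre-send guard: refuse mail that lists more than one address."""
    count = len(set(visible_recipients(msg)))
    if count > MAX_VISIBLE:
        raise RecipientExposure(f"{count} addresses visible in To/Cc")
    return msg

def build_newsletter(sender, recipients, subject, body):
    """One message per recipient, so no header ever carries the list."""
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
        msg.set_content(body)
        yield rcpt, check_before_send(msg)

def broken_newsletter(sender, recipients, subject, body):
    """The failure mode from the article: the whole list goes into Cc."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, sender, subject
    msg["Cc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg

# Constructed sample data (example.com addresses, not from the leak).
SENDER = "newsletter@example.com"
SAMPLE = [f"user{i}@example.com" for i in range(5)]

if __name__ == "__main__":
    for rcpt, msg in build_newsletter(SENDER, SAMPLE, "Update", "Hello"):
        print("ok     ", rcpt, visible_recipients(msg))
    try:
        check_before_send(broken_newsletter(SENDER, SAMPLE, "Update", "Hello"))
    except RecipientExposure as exc:
        print("blocked", exc)
```

Running the same guard in the outbound mail pipeline, rather than only in the code that builds the newsletter, also catches messages assembled by other tools.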