Sep 12, 2020
Last Friday, Bitcoin exchange BitMEX accidentally revealed thousands of its users’ email addresses by using carbon copy in multiple emails sent out to its user base. But it was unknown just how many users were affected, and if any more details were revealed.
In an update today, BitMEX deputy COO Vivien Khoo clarified that, “Most BitMEX users were affected by this action.”
The exchange also explained how the mistake happened. It said it had built an in-house system for sending emails but had not emailed its entire user base since 2017. When it realized that the email would take 10 hours to send with its existing process, it quickly rewrote some code to send the message in batches. That code was never reviewed, and it placed the majority of recipient addresses in the “To” field, exposing them to every other user who received the same batch.
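The failure described above is easy to reproduce and just as easy to guard against. The following Python example (added here; it is not BitMEX's code, and the sender address, user list and transport are constructed for the example) shows a naive batcher that joins a batch into the visible `To` header beside two safe alternatives (`Bcc` batches and one message per recipient), plus a pre-send check that refuses any bulk message naming more than one user in `To` or `Cc`. The transport mimics what `smtplib.SMTP.send_message` does (envelope from To/Cc/Bcc, `Bcc` stripped from the wire copy) so the example runs offline.

```python
"""Batch mailer: the recipient-exposure bug beside two safe alternatives."""
import copy
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterator, List, Sequence, Set, Tuple

SENDER = "noreply@exchange.example"  # hypothetical sender address

# Constructed sample user list; not data from the article.
SAMPLE_USERS = [
    "alice@example.com", "bob@example.net", "carol@example.org",
    "dave@example.com", "erin@example.net",
]


class RecordingTransport:
    """Stand-in for smtplib.SMTP so the example runs offline.

    Like smtplib.SMTP.send_message, it takes the envelope recipients from
    To/Cc/Bcc and deletes Bcc from the copy that goes on the wire.
    """

    def __init__(self) -> None:
        self.sent: List[Tuple[List[str], bytes]] = []  # (envelope, wire bytes)

    def send_message(self, msg: EmailMessage) -> None:
        headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
        envelope = [addr for _, addr in getaddresses(headers)]
        wire = copy.copy(msg)
        del wire["Bcc"]  # recipients stay in the envelope, not in the delivered headers
        self.sent.append((envelope, wire.as_bytes()))


def batched(items: Sequence[str], size: int) -> Iterator[List[str]]:
    """Split a recipient list into chunks of at most `size`."""
    for i in range(0, len(items), size):
        yield list(items[i:i + size])


def _base_message(subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_naive_batches(users, transport, batch_size, subject="Notice", body="Hello") -> None:
    """The failure mode: every member of a batch lands in the visible To header."""
    for batch in batched(users, batch_size):
        msg = _base_message(subject, body)
        msg["To"] = ", ".join(batch)
        transport.send_message(msg)


def send_bcc_batches(users, transport, batch_size, subject="Notice", body="Hello") -> None:
    """Batch via Bcc: the envelope carries the batch, the delivered headers show none of it."""
    for batch in batched(users, batch_size):
        msg = _base_message(subject, body)
        msg["To"] = SENDER  # the only visible address is the sender's own
        msg["Bcc"] = ", ".join(batch)
        transport.send_message(guard_message(msg))


def send_per_recipient(users, transport, subject="Notice", body="Hello") -> None:
    """One message per user: nothing to cross-expose, and bounces stay attributable."""
    for user in users:
        msg = _base_message(subject, body)
        msg["To"] = user
        transport.send_message(guard_message(msg))


def exposed_recipients(wire: bytes) -> Set[str]:
    """Addresses a recipient can read in To/Cc of the delivered message, minus the sender."""
    parsed = message_from_bytes(wire, policy=policy.default)
    headers = parsed.get_all("To", []) + parsed.get_all("Cc", [])
    return {addr for _, addr in getaddresses(headers)} - {SENDER}


def max_exposure(transport: RecordingTransport) -> int:
    """Largest number of other users any single delivered message reveals."""
    return max((len(exposed_recipients(w)) for _, w in transport.sent), default=0)


def is_safe_to_send(msg: EmailMessage) -> bool:
    """Pre-send check: a bulk message may name at most one user in To/Cc."""
    return len(exposed_recipients(msg.as_bytes())) <= 1


def guard_message(msg: EmailMessage) -> EmailMessage:
    """Refuse to hand a message to the transport if it would expose other users."""
    if not is_safe_to_send(msg):
        raise ValueError("bulk message exposes multiple recipients in To/Cc")
    return msg


if __name__ == "__main__":
    naive, safe = RecordingTransport(), RecordingTransport()
    send_naive_batches(SAMPLE_USERS, naive, batch_size=2)
    send_bcc_batches(SAMPLE_USERS, safe, batch_size=2)
    print("naive batches expose up to", max_exposure(naive), "other users per message")
    print("bcc batches expose up to", max_exposure(safe), "other users per message")
```

The guard is the piece a code review would have caught the need for: a hastily written batching path should never be able to reach the transport with a multi-user `To` or `Cc` header, regardless of how the batch is assembled.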
This is problematic because many users register the same email address at multiple exchanges, so attackers may try to impersonate them and gain access to their funds elsewhere. One Twitter user pointed out that over 200 of the leaked addresses were associated with known passwords, meaning attackers may have enough data to log into some of those users’ accounts if no additional security measures are in place. Following the leak, rival exchange Binance duly warned users to change the email address they use to log in if they use the same address for both Binance and BitMEX.
Khoo added, “Beyond email addresses, no personal or account information has been disclosed. At no point were any of our core systems at risk.”