BitMEX Compromises User Data in Email Gaffe
Early in the day on November 1, 2019, cryptocurrency exchange BitMEX sent a mass email to a large swath of its user base and included their email addresses in the “To” field, thereby compromising their privacy.
A screenshot of the email shared on Twitter showed dozens of email addresses visible in an email from BitMEX. The exchange has indicated that the email was a general user update.
“We are aware that some of our users have received a general user update email earlier today, which contained the email addresses of other users,” the exchange wrote in a statement on its blog. “Rest assured we are doing everything we can to identify the root cause of the fault and we will be in touch with any users affected by the issue.”
Vivien Khoo, deputy COO of BitMex, explained to The Block that the email was sent to “the majority” of the exchange’s users and traced the cause to “an error in the software script used to send the emails.”
But in a similar event that may suggest a larger issue, it appeared that BitMEX’s Twitter account was compromised around the same time that the email was sent. BitMEX’s official Twitter account posted “Take your BTC and run. Last day for withdrawals,” according to an archived tweet that has since been deleted.
Shortly afterward, the account tweeted a message meant to reassure users that their funds were safe, blaming “trolls” for the confusion.
Are BitMEX Users Vulnerable?
As many respondents have pointed out, trusting the exchange with user security at this point is difficult.
While no funds seem to have been lost at the time of publication, users affected by the email leak are now potentially vulnerable to phishing attacks, email hacks (especially for those who have weak passwords) and malware.
Also, email addresses may be cross-referenced with other data dumps that have occurred in the past, giving hackers easier access to several platforms and services tied to those email addresses.
Fellow cryptocurrency exchange Binance tweeted about the leak, recommending that any of its compromised customers who use the same email account on Binance change it immediately.