A bug in the code of the internal BitMEX system used for mass email mailings exposed users' email addresses. No other personal data was disclosed.
On Friday, November 1, most users of the site received an email notifying them of changes to how the indices used to price derivative products are calculated. However, the exchange placed the addresses of the other recipients in the "To:" field, exposing them to everyone in the batch.
The emails were sent in batches of 1,000 recipients, so each email exposed 1,000 addresses.
Some users received correctly formed notifications that exposed no data, or did not receive the email at all.
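The failure mode described above, bulk mail where every address in a batch is written into the visible "To:" header, is easy to reproduce and just as easy to check for. The following is an added example, not code from BitMEX or from the article: it splits a constructed list of recipients into batches of 1,000, builds a message the leaky way beside a message that keeps the batch only in the SMTP envelope, and then checks each message's headers for any recipient address other than the reader's own. The recipient addresses, sender and subject are constructed placeholders.

```python
from email.message import EmailMessage
from typing import Iterable, List, Tuple

# The article states the exchange sent in batches of 1,000 recipients.
BATCH_SIZE = 1000


def batches(recipients: List[str], size: int = BATCH_SIZE) -> Iterable[List[str]]:
    """Yield consecutive slices of at most `size` recipients."""
    for i in range(0, len(recipients), size):
        yield recipients[i:i + size]


def build_leaky_message(batch: List[str], sender: str, subject: str, body: str) -> EmailMessage:
    """The bug the article describes: the whole batch is written into the To: header,
    so every reader sees every other recipient's address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(batch)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_safe_message(batch: List[str], sender: str, subject: str,
                       body: str) -> Tuple[EmailMessage, List[str]]:
    """Headers carry only the sender; the batch is returned separately as the
    SMTP envelope recipient list (what you would pass as `to_addrs` to
    smtplib.SMTP.send_message), so other recipients never appear in the mail."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender          # or leave To: empty / "undisclosed-recipients:;"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(batch)


def leaked_addresses(msg: EmailMessage, recipients: List[str]) -> List[str]:
    """Return every recipient address that is visible in the message headers.
    A bulk mailer's pre-send check should require this list to be empty
    (or to contain only the single reader's own address)."""
    header_text = "\n".join(f"{name}: {value}" for name, value in msg.items()).lower()
    return [r for r in recipients if r.lower() in header_text]


def audit_batches(recipients: List[str], sender: str, subject: str, body: str) -> dict:
    """Build both variants for every batch and count exposed addresses per variant."""
    leaky_total = safe_total = 0
    for batch in batches(recipients):
        leaky_total += len(leaked_addresses(build_leaky_message(batch, sender, subject, body), batch))
        safe_msg, _envelope = build_safe_message(batch, sender, subject, body)
        safe_total += len(leaked_addresses(safe_msg, batch))
    return {"leaky": leaky_total, "safe": safe_total}


if __name__ == "__main__":
    # Constructed sample data: 2,500 placeholder recipients -> batches of 1000, 1000, 500.
    users = [f"user{i:04d}@example.invalid" for i in range(2500)]
    print(audit_batches(users, "noreply@example.invalid", "Index change notice", "..."))
    # leaky: every address in every batch is exposed; safe: none
```

The check in `leaked_addresses` is deliberately run over the rendered headers rather than over the data structure used to build them, so it catches the bug regardless of which header (To:, Cc:, or a custom one) the mailer wrote the batch into.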
After the incident, the security team identified several accounts carrying out suspicious activity. Their owners were required to change their passwords and, in some cases, to complete additional verification with the support service.
The exchange almost immediately blocked withdrawals for accounts that:
- had no two-factor authentication enabled;
- withdrew funds after the addresses were compromised;
- withdrew funds to previously unseen bitcoin addresses;
- logged in from previously unseen IP addresses.
BitMEX urged all users to enable 2FA on both their email and exchange accounts.
Representatives of the exchange also said that, shortly after the incident, an unknown party took control of the exchange's Twitter account for six minutes.