Users of Seychelles-based cryptocurrency margin trading exchange BitMEX are at risk of phishing attacks following the exposure of their emails in an inadvertent email blast error.
The exchange allegedly used the carbon copy (‘cc’) field instead of the blind carbon copy (‘bcc’) field when sending an email notification on Friday, November 1st, exposing the email addresses of many of its customers to other BitMEX customers. In a blog update on Friday, BitMEX wrote that:
We are aware that some of our users have received a general user update email earlier today, which contained the email addresses of other users.
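The mistake described above is a header-handling one: any address placed in the To or Cc header of a bulk message is delivered to every recipient, while Bcc recipients are carried only on the SMTP envelope. The following added example (not BitMEX's code; the sender and recipient addresses are constructed placeholders) builds the notification both ways and adds a pre-send check that flags any recipient address visible to someone other than its owner.

```python
import email.utils
from email.message import EmailMessage

SENDER = "notifications@example.com"  # constructed placeholder, not a real mailbox
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com"]  # constructed


def build_cc_blast(recipients, body):
    """The failure mode from the article: one message with every customer
    address in a visible Cc header, so each recipient sees all the others."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = "General user update"
    msg.set_content(body)
    return msg


def build_per_recipient(recipients, body):
    """Safer pattern: one message per recipient, addressed only to that
    recipient, so no header ever carries another user's address.
    Returns a list of (envelope_recipient, message) pairs; the envelope
    recipient is what would be passed to smtp.send_message(to_addrs=[...])."""
    batch = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt
        msg["Subject"] = "General user update"
        msg.set_content(body)
        batch.append((rcpt, msg))
    return batch


def leaked_addresses(msg, intended_rcpt):
    """Pre-send check: every address in the visible To/Cc headers that is
    neither the intended recipient nor the sender. A non-empty result means
    the message would disclose other customers' addresses if sent."""
    found = set()
    for header in ("To", "Cc"):
        for _name, addr in email.utils.getaddresses(msg.get_all(header, [])):
            if addr and addr.lower() != intended_rcpt.lower():
                found.add(addr.lower())
    found.discard(SENDER.lower())
    return sorted(found)
```

Running `leaked_addresses` on every message before it reaches the SMTP client turns this class of mistake into a hard failure at send time rather than a disclosure after the fact.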
The Twitter community has not reacted kindly to this error, with several users critical of BitMEX's processes and staff. Crypto lawyer Jake Chervinsky wrote on Twitter:
BitMEX just doxxed its users in the most outrageously incompetent way imaginable: forgetting to use blind copy on mass email. Someone must be cleaning out their desk already.
Larry Cermak, another crypto legal mind, wrote:
BitMEX just doxxed thousands of their customers by sending a mass email and not adding recipients to BCC. Good luck recovering from a fuck-up of this magnitude.
BitMEX reacted swiftly once it discovered the error, cancelling any pending emails. In the Friday statement, the exchange stated:
Our team has acted immediately to contain the issue and we are taking steps to understand the extent of the impact. Rest assured that we are doing everything we can to identify the root cause of the fault and we will be in touch with any users affected by the issue.
The error appears to have already created a wider risk. Shortly after the Friday morning email leak, a new Twitter account dubbed “Bitmexdatabaseleak” was created with the sole purpose of doxxing BitMEX users. The account has gone on to claim knowledge of BitMEX's first four user accounts, which it says belong to the exchange's staff. “User ID 3 belongs to Arthur Hayes,” one of the tweets read, referring to the BitMEX CEO.
In what appears to be an unfortunate turn of events, the official BitMEX Twitter account seems to have been hacked on the same day as the leak. Hackers may have managed to send a couple of tweets, both of which have since been deleted. The first tweet read “Take your BTC and run. Last day for withdrawals,” while the second simply read “Hacked.” BitMEX has since confirmed the Twitter hack, saying in a tweet that:
We would like to reassure our users that while the trolls may target our Twitter account, you may rest assured that all funds are safe.
BitMEX has since disabled asset withdrawals, particularly for accounts that changed their passwords following the Friday morning error. There have been no reports of stolen funds so far. To be safe, the exchange is recommending routine password changes. In addition, the exchange is apologizing to its users, saying in a statement:
The privacy of our users is a top priority and we are very sorry for the concern this has caused to our users.