In a blog post published on November 4, BitMEX responded to the incident, stating that no information other than email addresses was disclosed and that none of BitMEX’s core systems were at risk at any point.
According to the company, on Friday, November 1 at 06:00 UTC, users registered with BitMEX received an email that contained a large number of other users’ email addresses in the ‘To’ field. Concerned community members feared that the leak could make BitMEX account holders targets for attackers.
The company responded:
“This was a general email update to our users about upcoming changes to the weighting of our indices. As a result, many BitMEX user email addresses, including a large number of inactive addresses, were disclosed to other users in small batches. No other information was disclosed.”
In the post, BitMEX admitted that the email leak was the result of a failure in the company’s internal bulk email service. The crypto exchange said that it only rarely sends mass emails to all users, but the BitMEX Indices update was very important because it would affect the pricing of all of its products, so the company felt it necessary to inform users about it.
According to the exchange, sending bulk emails is a complex and difficult process, especially on a global scale. The exchange has its own system for handling the problems associated with bulk email sending, but it had not been used since 2017.
BitMEX found out that the initial send request would have taken up to 10 hours to complete. The exchange further explained:
“To handle this, the tool was quickly rewritten to send single SendGrid API calls in batches of 1,000 addresses. Unfortunately, due to the time constraints, this was not put through our normal QA process. It was not immediately understood that the API call would create a literal concatenated ‘To’ field, leaking customer email addresses. As soon as we became aware, we immediately prevented further emails from being sent and have addressed the root cause.”
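The failure mode described in the statement above, as an added example that is not BitMEX's code: it assumes the SendGrid v3 Mail Send JSON body, where every address placed in one personalization's `to` list is shown to all recipients of that message, and contrasts that shape with one personalization per recipient plus a pre-send check. The function names and the example.com addresses are constructed for illustration.

```python
# Added example, not BitMEX's tool. Assumes the SendGrid v3 Mail Send body shape.
SAMPLE_RECIPIENTS = ["a@example.com", "b@example.com", "c@example.com"]  # constructed


def _envelope(sender, subject, body, personalizations):
    return {
        "from": {"email": sender},
        "subject": subject,
        "content": [{"type": "text/plain", "value": body}],
        "personalizations": personalizations,
    }


def build_shared_to(sender, subject, body, recipients):
    """Leaky shape: one personalization whose 'to' list holds the whole batch."""
    return _envelope(sender, subject, body,
                     [{"to": [{"email": r} for r in recipients]}])


def build_per_recipient(sender, subject, body, recipients):
    """Safe shape: one personalization, and so one 'To' header, per recipient."""
    return _envelope(sender, subject, body,
                     [{"to": [{"email": r}]} for r in recipients])


def exposed_addresses(payload):
    """Map each recipient to the other addresses visible in their To/Cc headers."""
    exposure = {}
    for p in payload["personalizations"]:
        # bcc is not rendered in headers, so only to and cc can leak.
        visible = [e["email"] for key in ("to", "cc") for e in p.get(key, [])]
        for addr in visible:
            others = {a for a in visible if a != addr}
            if others:
                exposure.setdefault(addr, set()).update(others)
    return exposure


def assert_no_cross_exposure(payload):
    """Pre-send gate: reject a body that shows any user another user's address."""
    leaks = exposed_addresses(payload)
    if leaks:
        raise ValueError(f"{len(leaks)} recipients would see other addresses")
    return True


if __name__ == "__main__":
    args = ("noreply@example.com", "Index update", "Body text", SAMPLE_RECIPIENTS)
    print(exposed_addresses(build_shared_to(*args)))       # every address leaks
    print(assert_no_cross_exposure(build_per_recipient(*args)))
```

A check like `assert_no_cross_exposure` is cheap to run on the request body in a test or immediately before the API call, which is where a rushed rewrite that skips QA would otherwise go unnoticed.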
On November 1, BitMEX’s Twitter account was also attacked right after the email leak. The exchange said that the Twitter hack was unrelated to this problem and that the account was back under control after 6 minutes.