BitMEX reported a breach on 1 November at 06:00 UTC: its users received an email in which the addresses of other users appeared in the ‘To’ field. The episode raised eyebrows across the cryptocurrency community, with many questioning the exchange’s regard for user privacy. BitMEX has now published a blog post addressing the email privacy issue, with the exchange’s statement reading,
“We would like to apologise unreservedly for the concern this has caused. Below contains further information about what happened, how we can assist you and some steps that you can take to improve your protection.”
The derivatives exchange told the community that the message in question was a general notice sent to inform users about changes to the weighting of its indices. It was in this email that the addresses of several users were disclosed to other users, in small batches. BitMEX has since assured the community that “no other information was disclosed.”
“The index change we published on 1 Nov was of sufficient importance – it will impact pricing of all of our products – that we felt it necessary to inform all our users about it. However, bulk mail sends such as this are a difficult and complex undertaking when it’s on a global scale, to all recipients.”
To manage that difficulty, the exchange had built an in-house system to handle the rendering, translation, staging and piecemeal sending of important emails. BitMEX also noted that it had not sent a bulk email since 2017. When this send was initiated, the team realised that the piecemeal process would take over 10 hours to complete, and so the tool was re-written to “send single SendGrid API calls in batches of 1,000 addresses.”
“Unfortunately, due to the time constraints, this was not put through our normal QA process. It was not immediately understood that the API call would create a literal concatenated “To:” field, leaking customer email addresses. As soon as we became aware, we immediately prevented further emails from being sent and have addressed the root cause.”
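As an added illustration (not code from BitMEX or from its blog post, which does not say exactly how the batching call was shaped), the Python below builds the JSON body of a SendGrid v3 mail/send request in two shapes. It assumes SendGrid's documented v3 semantics: each entry of `personalizations` is a separate envelope, every address in an entry's `to` array appears in that envelope's To: header, and one request may carry up to 1,000 personalizations. Putting a whole batch into a single `to` array is the shape that leaks addresses; one personalization per recipient keeps the same 1,000-addresses-per-call throughput without disclosing anything. The recipient list, sender address and subject line are constructed sample data.

```python
import json

# SendGrid's documented v3 limit on personalizations (envelopes) per request.
MAX_PERSONALIZATIONS = 1000

# Constructed sample recipient list for the demo, not real customer data.
SAMPLE_RECIPIENTS = [f"user{i:04d}@example.com" for i in range(1, 2501)]

SENDER = "notice@example.com"                        # assumed sender address
SUBJECT = "Index weighting change"                   # assumed subject line
BODY_TEXT = "Our index weightings change on 1 Nov."  # placeholder content


def _chunks(items, size):
    """Yield consecutive slices of `items` holding at most `size` elements."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def build_leaky_requests(recipients, batch_size=MAX_PERSONALIZATIONS):
    """Fast but wrong: one envelope per batch with every address in its `to`.

    All addresses in the batch land in the same To: header, so each recipient
    sees up to `batch_size - 1` other customers' addresses.
    """
    return [
        {
            "from": {"email": SENDER},
            "subject": SUBJECT,
            "content": [{"type": "text/plain", "value": BODY_TEXT}],
            "personalizations": [{"to": [{"email": a} for a in chunk]}],
        }
        for chunk in _chunks(recipients, batch_size)
    ]


def build_safe_requests(recipients, batch_size=MAX_PERSONALIZATIONS):
    """Same request count, private headers: one personalization per recipient.

    Each personalization is its own envelope, so a recipient's To: header
    carries only their own address while the request still covers 1,000 people.
    """
    return [
        {
            "from": {"email": SENDER},
            "subject": SUBJECT,
            "content": [{"type": "text/plain", "value": BODY_TEXT}],
            "personalizations": [{"to": [{"email": a}]} for a in chunk],
        }
        for chunk in _chunks(recipients, batch_size)
    ]


def addresses_visible_to(request, address):
    """Return the set of other addresses `address` would see in its To: header."""
    seen = set()
    for env in request["personalizations"]:
        addrs = {r["email"] for r in env["to"]}
        if address in addrs:
            seen |= addrs
    seen.discard(address)
    return seen


def max_to_exposure(request):
    """Largest number of recipients any single envelope's To: header would list."""
    return max(len(env["to"]) for env in request["personalizations"])


def preflight_problems(requests):
    """Pre-send gate for customer notices; an empty list means safe to send.

    Flags any request over the per-request personalization limit and any
    envelope whose To: header would list more than one recipient.
    """
    problems = []
    for n, req in enumerate(requests):
        envs = req["personalizations"]
        if len(envs) > MAX_PERSONALIZATIONS:
            problems.append(f"request {n}: {len(envs)} personalizations exceeds {MAX_PERSONALIZATIONS}")
        exposure = max_to_exposure(req)
        if exposure > 1:
            problems.append(f"request {n}: a To: header would list {exposure} addresses")
    return problems


if __name__ == "__main__":
    leaky = build_leaky_requests(SAMPLE_RECIPIENTS)
    safe = build_safe_requests(SAMPLE_RECIPIENTS)
    me = "user0001@example.com"
    print("leaky: other addresses visible to", me, "=", len(addresses_visible_to(leaky[0], me)))
    print("safe:  other addresses visible to", me, "=", len(addresses_visible_to(safe[0], me)))
    print("leaky preflight:", preflight_problems(leaky))
    print("safe preflight: ", preflight_problems(safe))
    print("first two safe envelopes:", json.dumps(safe[0]["personalizations"][:2]))
```

The `preflight_problems` gate is the kind of check a normal QA pass would apply before any customer-facing send: for a notice email, no envelope should ever carry more than one recipient, and rendering the request body offline and inspecting it catches the concatenated To: field before a single message leaves.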
The statement also noted that BitMEX briefly lost control of its Twitter account to an external individual; according to the statement, the account was back under BitMEX’s control within 6 minutes. The team is looking into the event, which is currently under security review. Although no account information was disclosed, the exchange proposed a number of steps for affected users to follow.
The exchange also urged users to enable two-factor authentication on all their accounts and to use a password manager.