Seychelles-based bitcoin futures exchange BitMEX has initiated a mandatory password reset for all users of its crypto exchange and trading platform. The company took the step after receiving information that a group of malicious actors was collating user email addresses exposed in an inadvertent data breach.
Over the weekend, BitMEX began emailing its users in bulk to send them a copy of the updated price index. The tool the company used to send the emails inadvertently placed the other addresses in each batch in the visible recipient field (“CC”) rather than in “BCC,” which disclosed the addresses of the other users in that batch.
“On Friday, November 1, at 06:00 UTC, many of our users received an email that contained the email addresses of other users in the ‘To:’ field. This was a general email update to our users about upcoming changes to the weighting of our indices,” BitMEX said in a disclosure notice.
Fortunately, no other user information was leaked in the incident, the company confirmed. In a blog post, the bitcoin trading platform said that it rarely sends emails to its users and did so this time only because the information it needed to disseminate was “very important.” The last time the company sent batch emails to its users was in 2017.
Not all users were affected by the breach, BitMEX noted. Because the emails were sent in small batches, each user could only see the addresses of the other users in the same batch. The company also highlighted that the disclosed addresses included a large number of inactive ones.
“As a result, many BitMEX user email addresses, including a large number of inactive addresses, were disclosed to other users in small batches. No other information was disclosed,” the company added.
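The mechanism behind the disclosure is simple: a batch message carries every recipient in a header that all of them can read. As an added example, not taken from the article or from BitMEX, the Python below models the three ways a mailer can address a batch (everyone in the visible To: field, everyone in Bcc, or one message per recipient) and a pre-send audit that flags any user address readable by another recipient. The sender address and the user list are constructed placeholders.

```python
from email.message import EmailMessage

SENDER = "notices@example.com"  # hypothetical sender address
# Constructed sample user list; these are not addresses from the incident.
USERS = ["alice@example.com", "bob@example.com",
         "carol@example.com", "dave@example.com"]


def _base_message(sender, subject, body):
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_cc_batch(users, subject, body, sender=SENDER):
    """The failure mode in the article: one message per batch with every
    recipient in the visible To: header, so each user sees all the others."""
    msg = _base_message(sender, subject, body)
    msg["To"] = ", ".join(users)
    return [msg]


def build_bcc_batch(users, subject, body, sender=SENDER):
    """One message per batch with recipients only in Bcc. The visible To:
    carries the sender's own address; smtplib.SMTP.send_message() strips
    the Bcc header before transmission, so recipients never see the list."""
    msg = _base_message(sender, subject, body)
    msg["To"] = sender
    msg["Bcc"] = ", ".join(users)
    return [msg]


def build_individual(users, subject, body, sender=SENDER):
    """One message per recipient: no recipient list is shared at all."""
    msgs = []
    for user in users:
        msg = _base_message(sender, subject, body)
        msg["To"] = user
        msgs.append(msg)
    return msgs


def visible_addresses(msg):
    """Addresses that every recipient of this message will be able to read."""
    seen = set()
    for hdr in ("To", "Cc"):
        for header in msg.get_all(hdr, []):
            seen.update(a.addr_spec for a in header.addresses)
    return seen


def recipient_count(msg):
    """Total number of envelope recipients, Bcc included."""
    count = 0
    for hdr in ("To", "Cc", "Bcc"):
        for header in msg.get_all(hdr, []):
            count += len(header.addresses)
    return count


def exposed_users(messages, users):
    """Pre-send audit: user addresses that at least one other recipient of
    the same message would be able to read. An empty set means safe to send."""
    users = set(users)
    exposed = set()
    for msg in messages:
        if recipient_count(msg) > 1:
            exposed |= visible_addresses(msg) & users
    return exposed


if __name__ == "__main__":
    for name, builder in (("cc", build_cc_batch), ("bcc", build_bcc_batch),
                          ("individual", build_individual)):
        batch = builder(USERS, "Index weighting update", "Details follow.")
        print(name, sorted(exposed_users(batch, USERS)))
```

Running the audit over the CC batch reports all four constructed users as exposed, while the Bcc batch and the per-recipient variant report none; gating the actual `send_message` call on an empty result is the cheap check that would have caught this class of mistake before the first batch left the mailer.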
BitMEX Twitter was also hacked
BitMEX’s “massive” cybersecurity problem did not end with the inadvertent user email disclosure. Shortly after the blunder, BitMEX’s official Twitter account was also compromised and taken over by what were presumed to be hackers.
The Twitter account, @BitMEXdotcom, posted two tweets that were promptly deleted. The first read “Hacked,” and the second advised platform users to withdraw all the funds in their accounts.
“Take Your [bitcoin] and run. Last day for withdrawals,” the second tweet reads.
Amid the problem, the company has assured its users that it is doing everything it can to mitigate the impact of the data breach. In a statement, the company apologized to its users and said its team had already contained the problem and stopped the remaining emails from being sent.
“Our team has acted immediately to contain the issue, and we are taking steps to understand the extent of the impact. Rest assured that we are doing everything we can to identify the root cause of the fault and we will be in touch with any users affected by the issue,” the statement reads. “The privacy of our users is a top priority, and we are very sorry for the concern this has caused to our users.”