Email addresses of 23,000 users were leaked, researcher says

Cryptocurrency exchange platform BitMEX is forcing a password reset for its users following a data privacy incident that took place last week.

News surfaced on Friday (November 1) that BitMEX had leaked potentially thousands of its users’ email addresses by placing them in the visible ‘to’ field of a general update email rather than in ‘bcc’, so every recipient could see the addresses of everyone else in the same batch.

In the message seen by The Daily Swig, the email addresses of 999 BitMEX users were exposed.

(Image: a redacted screenshot of the BitMEX email, showing the addresses of at least 999 users in the ‘to’ field)

However, 999 looked suspiciously like the email campaign system’s per-message batch limit, which left users asking whether many more addresses, potentially thousands, had been exposed across the other batches in the same way.
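The failure mode is easy to reproduce and just as easy to guard against. The following is an added illustration, not BitMEX’s code or the code of its mailing tool: it builds a bulk notification the way the article describes, with the whole batch in the ‘to’ header, next to the per-recipient form, and adds a pre-send check that refuses to hand a message to the relay when its visible headers expose more than one address. The sender address, recipient list and transport callable are all constructed for the example; the per-recipient form also shows why a batch limit in the sending system stops mattering once no message carries more than one recipient.

```python
# Added illustration (not BitMEX's code): a bulk "update" mail built the way the
# article describes, next to a per-recipient version and a pre-send guard.
# Sender, recipients and transport are constructed for the example.
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Callable, Iterable, List

SENDER = "updates@exchange.example"                          # hypothetical sender
RECIPIENTS = [f"user{i}@example.org" for i in range(1, 6)]  # constructed list
MAX_VISIBLE = 1  # a one-to-many notification should expose one address per message


def build_leaky_update(recipients: Iterable[str]) -> EmailMessage:
    """The mistake in the article: the whole batch lands in the visible To header,
    so every user who receives the mail also receives everyone else's address."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Platform update"
    msg.set_content("Some general announcement.")
    return msg


def build_per_recipient_updates(recipients: Iterable[str]) -> List[EmailMessage]:
    """Safe form: one message per recipient. Other users' addresses never appear in
    any header, and a batch-size limit in the sending system no longer matters
    because no message carries more than one recipient."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt
        msg["Subject"] = "Platform update"
        msg.set_content("Some general announcement.")
        messages.append(msg)
    return messages


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses every recipient can read: everything in To and Cc."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(raw) if addr]


def exposure_problems(msg: EmailMessage, limit: int = MAX_VISIBLE) -> List[str]:
    """Pre-send guard for notification mail. Returns a list of reasons the message
    must not go out as-is (empty list means it is safe).

    A Bcc header is rejected outright: a conforming sender strips it, but a tool
    that passes the raw bytes to the relay (smtplib's sendmail does no stripping)
    would leak the list just as badly as putting it in To."""
    problems = []
    if msg.get_all("Bcc"):
        problems.append("Bcc header present on the wire message")
    exposed = visible_recipients(msg)
    if len(exposed) > limit:
        problems.append(f"{len(exposed)} addresses exposed in To/Cc (limit {limit})")
    return problems


def check_before_send(msg: EmailMessage, limit: int = MAX_VISIBLE) -> bool:
    """Raise instead of sending when the headers would disclose other users."""
    problems = exposure_problems(msg, limit)
    if problems:
        raise ValueError("refusing to send: " + "; ".join(problems))
    return True


def dispatch(messages: Iterable[EmailMessage],
             transport: Callable[[str, List[str], bytes], object]) -> int:
    """Hand each message to `transport(sender, envelope_recipients, raw_bytes)`,
    the shape of smtplib.SMTP.sendmail, once the guard has passed. The envelope
    recipients are derived from the (already checked) visible headers, so a
    message can never be delivered to anyone it does not visibly name.
    Returns the number of messages handed to the transport."""
    sent = 0
    for msg in messages:
        check_before_send(msg)
        transport(SENDER, visible_recipients(msg), msg.as_bytes())
        sent += 1
    return sent


if __name__ == "__main__":
    leaky = build_leaky_update(RECIPIENTS)
    print("leaky message problems:", exposure_problems(leaky))
    delivered = []
    count = dispatch(build_per_recipient_updates(RECIPIENTS),
                     lambda s, rcpts, raw: delivered.append(rcpts))
    print("per-recipient messages sent:", count, "envelopes:", delivered)
```

In a real sending pipeline the guard belongs in front of the transport, not in the template code: the article’s point is that the software that builds the message was wrong, so the last thing that touches the bytes before the relay is the right place for a check that does not trust the builder.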

According to Larry Cermak, research and analysis director at cryptocurrency research platform The Block, 23,000 emails were exposed.

“I now have access to 23,000 emails that were leaked by BitMEX,” Cermak said.

“Surprisingly, there is only one person that used a .gov email. There were 66 students/alumni that used .edu email. NYU dominates (7 people), followed by Berkeley, and University of Michigan.”

‘Deeply sorry’

BitMEX did not confirm the number of impacted email addresses, but the company did provide us with a statement from deputy chief operating officer Vivien Khoo:

We are deeply sorry for the concern this has caused to our users. The issue was caused by an error in the software used to send emails.

As soon as we were made aware of the issue, we immediately prevented further emails from being sent and have since addressed the issue to ensure this does not happen again.

BitMEX takes the privacy and security of our users very seriously. We are working around the clock to establish communication with all our users to provide any assistance and to ensure the continued safety of their account.

Beyond email addresses, at no point during this issue has any personal data or account information been disclosed.

As news of the incident continued to spread on Friday, BitMEX sent out a password reset email to customers who did not have two-factor authentication enabled.

Fresh phish

Although the exchange is calling this a “privacy issue”, the incident most certainly crosses over into the realm of security – particularly as the email addresses are tied to high-value cryptocurrency accounts.

Interestingly, the security misstep was initially flagged by one BitMEX member, who sent out a spontaneous reply-to-all PSA advising his fellow users to change their emails (while also taking the opportunity to promote his own Discord server).

In addition to resetting their password, BitMEX users should change the email address linked to their account, enable two-factor authentication if they have not already done so, and treat any unsolicited email about their account, including password reset messages, with suspicion: a leaked address list tied to high-value accounts is exactly the starting point a spear-phishing campaign needs, so navigate to the site directly rather than following links.

In a further update to its users this morning, BitMEX said: “We understand many of you are concerned about the email disclosure which happened over this weekend and no doubt have many questions.

“Our teams across the world have been working around the clock to protect your account security and make sure we are back on course. Our support team has already assisted many of our users and we are continuing to establish contact with everyone.”
