Crypto-exchange BitMEX leaks hundreds – and potentially thousands – of users’ emails; Adobe confirms Creative Cloud data exposure; and Amanda Rousseau named as Black Hat Europe keynote speaker

As #SocialSec hit the CMS this week, news surfaced that cryptocurrency exchange BitMEX had leaked hundreds – and potentially thousands – of users’ email addresses.

In an email seen by The Daily Swig, the addresses of 999 BitMEX users were apparently pasted into the ‘to’ rather than ‘bcc’ field.

BitMEX privacy incident exposes users' email addressesA redacted screenshot of the BitMEX email seen by The Daily Swig

Of course, 999 is likely the email campaign system’s batch limit, and so it remains to be seen if this problem has impacted the entire BitMEX userbase.

The security misstep was flagged by one BitMEX member, who sent out a spontaneous reply-to-all PSA advising his fellow users to change their emails (while also taking the opportunity to promote his own Discord server).

In a statement earlier this morning, BitMEX said it was “taking steps to understand the extent of the impact”.

Although the crypto-exchange is calling this a “privacy issue”, the incident most certainly crosses over into the realm of security – particularly as the email addresses are tied to high-value cryptocurrency accounts.

As they await more news surrounding the incident, BitMEX users should change the email addresses linked to their accounts immediately, and be hyper-aware of any spear-phishing emails.

UPDATE (November 1; 11:58 UTC) BitMEX has issued an updated statement on the incident. We have asked the company to confirm the number of impacted users.

On the subject of passwords, Adobe issued a security update this week confirming reports that a misconfigured cloud storage database has inadvertently exposed the information of Creative Cloud users.

Adobe’s announcement follows the October 25 advisory from Comparitech, which partnered with security researcher Bob Diachenko to uncover the exposed database.

According to the report, an Elasicsearch database containing nearly 7.5 million Creative Cloud user records could be accessed “without a password or any other authentication”.

Diachenko notified Adobe on October 19 and the company secured the database on the same day.

In South Africa, city chiefs in Johannesburg refused to comply with a ransom demand, the deadline for which has now expired.

As previously reported by The Daily Swig, attackers threatened to publish data that they found on city systems unless a ransom of four bitcoins was paid to the tune of ZAR500,000 ($34,000).

A group calling themselves the Shadow Kill Hackers claimed responsibility for the breach, first reported on October 24. A deadline for payment was set almost four days later on October 28.

Nthatisi Modingoane, spokesperson for the City of Johannesburg, said the assailants “might have some information, but not critical information” and confirmed the city would not kowtow to their demands.

Although there’s been no evidence of the data being having been leaked online, the incident has sparked an intriguing (and potentially worrying) development on the traditional ransomware model – a prediction made many months ago by security researcher and OpSec specialist, The Grugq:

In other security industry news this week, Amanda Rousseau has been named as the keynote speaker at this year’s Black Hat Europe.

Rousseau, who goes by the Twitter handle @malwareunicorn, is an offensive security engineer on the Facebook red team and a highly active member of the security community.

There’s no info surrounding the focus of her keynote just yet, but congratulations have already come in thick and fast from around the world.

Black Hat Europe takes place at London’s Excel Centre on December 2-5.

YOU MIGHT ALSO LIKE Bug Bounty Radar // October 2019