Critics aren’t convinced that Bezop is taking security seriously
New cryptocurrency Bezop has suffered a fallback following a data breach that exposed the personal information of thousands of investors.
The incident was reported on March 30 by researchers at Kromtech Security after they noticed “full names, addresses, email addresses, encrypted passwords, wallet information, and other IDs” were being held on a publicly available database.
25,000 users – approximately 6,500 initial coin offering (ICO) investors – are expected to have had their information compromised, although there has been no inclination of any fraudulent activity taking place.
Information was stored on a MongoDB database – an open-source platform that has been widely criticized for its lack of security-by-default settings.
Attackers have been known to search for misconfigured MongoDB, deploying ransomware that could take over an entire server within three hours, Kromtech reports.
The continuous wave of data breaches through misconfigured MongoDB severs, however, led to the company updating the product to have better security – all network connections would have to be approved by an administrator.
Writing in a blog post about the Bezop incident, Kromtech said: “It does not seem to be a very good start for a company such as this to place personal information of anyone on the internet and open to the public, especially it's early investors.
“In fact, it’s a little difficult to grasp how it could happen, even if by mistake.
Given the changes to MongoDB, it would have to have been deliberately configured to be public, a configuration which should not even be risked internally.”
According to Kromtech, Bezop secured the database within hours of being notified of the issue.
But the start-up, which launched in December of last year, then responded with its own blog post saying that it was aware of the breach and that it had previously informed those potentially affected on January 8.
It said that the database had been exploited through a distributed denial-of-service attack (DDoS) and that the incident was old news.
While the database could indeed have been secured in January, Kromtech maintains that the information was publicly available on March 30.
Bezop has yet to respond directly to this confusion.