BitMEX’s troubles may just be getting started

Getting your Trinity Audio player ready...

It’s been a week since it was revealed that BitMEX had the latest in a series of mishaps, this one potentially affecting most, if not all, of its userbase. The cryptocurrency exchange hasn’t stated exactly what happened, but what is known is that users’ email addresses were inadvertently made public, possibly as many as 22,000, and the fallout of that egregious error is starting to be seen. 

BitMEX has tried to place the blame on a “software error,” a standard boilerplate response when a company doesn’t want to admit, or doesn’t know, what truly happened. The exchange’s deputy chief operating officer, Vivien Khoo published a response a few hours after it was revealed. It stated, “We are deeply sorry for the concern this has caused to our users. The issue was caused by an error in the software used to send emails. As soon as we were made aware of the issue, we immediately prevented further emails from being sent and have since addressed the issue to ensure this does not happen again.”

Despite the assertion that the issue was limited to just email addresses, which shouldn´t have been a serious security risk, BitMEX temporarily disabled withdrawals for anyone who tried to change their account passwords or security details. One potential security hole has been made even bigger, as hackers, with their vast lists of passwords, might now be able to put email addresses to those passwords and gain access. 

This was apparently confirmed by the CEO of fiat gateway XanPool, Jeffrey Liu Xun, who stated, “Doxing users’ e-mails is oftentimes as damaging as doxing their passwords, as hackers have large repositories of passwords that people tend to use. Finally, releasing your users’ e-mails also opens them up to spam and phishing attacks.”

There is also evidence that the email addresses have already made their way to the dark web. Digital privacy expert Ray Walsh, who works for the ProPrivacy education platform, states, “Following the leak, BitMEX users did receive unusual emails and there seems no doubt that those emails were the result of the leak. It also appears that the leaked email addresses have already been sold on the dark web, meaning that very serious hackers will now be attempting to phish people’s passwords to steal crypto funds.”

There’s also the possibility that BitMEX will be held accountable by regulators. The release of the data could be seen as a violation of the General Data Protection Regulation in the European Union, as well as regulations established by the Federal Trade Commission in the U.S., which could lead to massive fines levied against the exchange. Either way, this is certainly not the end of the story.