An internal security breach at Digitex Futures Exchange has put the personal information for 8,000 users at risk of exposure. The exchange suffered the breach early this month, but the implications are only now becoming clear. While the exchange has insisted that the breach didn’t get to any sensitive information, some users’ data has already been leaked online.
Digitex first acknowledged the breach on February 10 after its Facebook page was briefly taken over. In a blog post by head of communications Christina Comben, the exchange revealed that a former employee had briefly taken over its page. Describing the employee as ‘scheming and highly manipulative,’ Digitex claimed that it had taken back its Facebook page and reassured its users that no sensitive data, other than email addresses, was leaked.
However, the ex-employee, whose identity hasn’t been revealed, claims that he has all the information for at least 8,000 users. He revealed to CryptoVigilante, who runs a Telegram channel that exposes crypto scams, that the exchange uses an insecure login procedure which exposes the user data.
He stated, “The data came from a login that Digitex set up when they registered with Sum and Substance. This login with a username, password and 2FA gives unrestricted access to all the KYC information of 8000+ customers including documents, address, phone numbers and other information like IP address.”
Sum and Substance is the KYC provider for Digitex.
On his own Telegram channel, the Digileaker claimed, “I have the entire KYC documentation of every single user who has used the Digitex Treasury from its inception date until today.”
He then went on to reveal verification details for a number of users, including their identification documents. He, however, blurred out some details, claiming, “Out of respect for the users above I have blurred the photos. I will reach out to all three users in the near future and compensate them accordingly, I am certain they will not be disappointed.”
The Telegram leaks have caught the eye of the Seychelles-based exchange, which in a statement on Friday revealed, “Digitex Futures is aware of momentum gaining on Telegram about a further leak of confidential data. We are not able to comment on the incident at this time and are currently seeking legal counsel. We would like to apologize for any distress or inconvenience caused and assure you that we are doing everything in our power to rectify the situation.”
The end game for the Digileaker is not known yet. However, according to one source familiar with the matter, he is ‘starting to post demands so as not to leak the rest.’
And while he may be the bad guy in this tale, the Digileaker went on to give some good advice to crypto users on how to better protect their accounts. He wrote, “Keep a unique email address and password for each exchange account, use 2FA. Don’t keep your passwords and logins in a Google document. Some exchanges have further optional security practices such as whitelisted withdrawal addresses and IP addresses that are there for a reason, use them.”