Exchanges such as Binance have already advised their users to modify email addresses if they were also linked to Bitmex. The blunder is a stark reminder to traders to use a unique email address and password for each platform, utilizing a password manager if needed.
The world’s largest crypto derivatives exchange Bitmex has accidentally doxed tens of thousands of its users. An email newsletter concerning forthcoming updates to Bitmex indices CC’d a large proportion of the company’s mailing list, exposing the addresses of its users to the public. In a second embarrassment, Bitmex had its Twitter account hacked shortly afterward.
Bitmex Suffers a Day of Reckoning
It’s been a rough 24 hours for derivatives exchanges. Shortly before Bitmex CC’d in its mailing list, Deribit was forced to reimburse traders who were liquidated due to an error in its price index. Bitmex users are now being urged to change their details, since hackers and phishers are certain to target the leaked email addresses, many of which are likely to be tied to accounts on other crypto exchanges. The leaked and then aggregated Bitmex database is now up for sale on the darknet.
Deribit will reimburse over $1.3 million in losses from the BTC index calculation data issue around 21:00:00 UTC on October 31, 2019.
The Deribit Insurance fund will not be used to cover these losses, but compensation will be covered by Deribit.
– Deribit (@DeribitExchange) October 31, 2019
The PR disaster was compounded when Bitmex’s official Twitter handle was briefly compromised, with tweets reading “Hacked” and “Take your BTC and run. Last day for withdrawals.”
In a statement, Bitmex cited a software error as the cause of the email breach, and stressed that, beyond email addresses, “no other personal data or account information have been disclosed and no further emails have been sent.” The statement also urged users to add official Bitmex email addresses to their contact lists and ensure Two-Factor Authentication (2FA) for all their accounts.
⚠️We are aware of a large-scale user email leak from another exchange.⚠️
If you are one of the affected users and you also have a Binance account under the same email address, we recommend changing your email immediately using the below steps: https://t.co/sgEr5sqleg
– Binance (@binance) November 1, 2019
Tens of Thousands of Addresses Exposed
Bitmex deputy COO Vivien Khoo said that while the email was sent to the majority of Bitmex users, not all were affected. According to skew.com, the exchange – which operates out of Seychelles – has 22,000 average daily users. Larry Cermak said on Twitter that “30,000 unique emails in total” were jeopardized.
In the aftermath of the leak, Twitter was aflame with panicked users, some enquiring how to delete their Bitmex account and others claiming to have already received crypto spam emails. There was further anger when it emerged that Bitmex requires users to undergo full KYC, including a selfie with their ID and the word “Bitmex,” in order to change their email address.
Well not a good day for @BitMEXdotcom pic.twitter.com/WmZTpRkr3d
– WhalePanda (@WhalePanda) November 1, 2019
The email breach does not come at a good time for Bitmex, which is reportedly being probed by the U.S. Commodity Futures Trading Commission (CFTC) over whether it permits U.S. traders to use its platform. Armed with thousands of user email addresses, the CFTC may well step up its investigation.
The reputational and regulatory cost of the blunder is still to be counted. In the interim, neglecting to use blind copy on a mass email has given Bitmex and its normally ebullient CEO Arthur Hayes pause for thought.
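The mistake described above, a bulk notification with every recipient in the visible Cc header, can be checked for mechanically. The following Python example is added here and is not Bitmex's code or any code from the article; the recipient addresses are constructed for the example. It builds the same newsletter twice, once with Cc (the leaking form) and once with Bcc, mimics what a sending library such as smtplib does (collect envelope recipients from To/Cc/Bcc, then strip Bcc before the message goes on the wire), and then reports which recipient addresses a single reader of the delivered message could see in its headers.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

# Constructed sample mailing list for the example; these are not real users.
SAMPLE_RECIPIENTS = [
    "alice@example.com",
    "bob@example.net",
    "carol@example.org",
]
SENDER = "newsletter@example.com"  # assumed no-reply sender address


def build_newsletter(recipients, use_bcc=True, sender=SENDER):
    """Build one bulk notice. With use_bcc=False the recipient list lands in
    the Cc header, which every recipient can read; with use_bcc=True it goes
    in Bcc, which the sending side removes before delivery."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # self-addressed so the visible To header exposes nobody
    msg["Subject"] = "Index update notice"
    msg.set_content("Upcoming changes to our indices.")
    header = "Bcc" if use_bcc else "Cc"
    msg[header] = ", ".join(recipients)
    return msg


def envelope_and_wire_bytes(msg):
    """Mimic smtplib.send_message: envelope recipients come from To, Cc and
    Bcc, and the Bcc header is deleted from the copy that is transmitted.
    Returns (envelope_recipients, wire_bytes)."""
    all_headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    envelope = [addr for _, addr in getaddresses(all_headers)]
    wire = BytesParser(policy=policy.default).parsebytes(msg.as_bytes())
    del wire["Bcc"]  # removes every Bcc header, as the sender must do
    return envelope, wire.as_bytes()


def exposed_recipients(wire_bytes, recipients):
    """What any one recipient can learn: the recipient addresses that appear
    in the visible To/Cc headers of the delivered message."""
    delivered = BytesParser(policy=policy.default).parsebytes(wire_bytes)
    visible_headers = delivered.get_all("To", []) + delivered.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(visible_headers)}
    return sorted(r for r in recipients if r.lower() in visible)


if __name__ == "__main__":
    for use_bcc in (False, True):
        envelope, wire = envelope_and_wire_bytes(build_newsletter(SAMPLE_RECIPIENTS, use_bcc))
        leaked = exposed_recipients(wire, SAMPLE_RECIPIENTS)
        print(f"use_bcc={use_bcc}: envelope={len(envelope)} rcpts, "
              f"addresses visible to every recipient: {leaked}")
```

The check is the part worth keeping: run `exposed_recipients` over the bytes that actually leave the sending system, not over the message object, because the leak only exists on the wire. Sending one individually addressed message per recipient is safer still, since it never relies on the Bcc header being stripped and lets bounces be attributed to a single address.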
We would like to reassure our users that while the trolls may target our Twitter account, you may rest assured that all funds are safe.
– BitMEX (@BitMEXdotcom) November 1, 2019