On Friday, thousands of BitMEX user email addresses were accidentally disclosed in a mass email in the ‘to’ field.
The Crypto Twitter discussed the issue heatedly. The Binance exchange immediately published a step-by-step guide to help users who hold accounts both on BitMEX and Binance to change their Binance emails to prevent those accounts from hacking.
Now, the problem seems to be solved and BitMEX has published the reasons of the leak in its blog post, while also offering advice to those whose email addresses were disclosed.
“We would like to apologise unreservedly for the concern this has caused. Below contains further information about what happened, how we can assist you and some steps that you can take to improve your protection.”
Why did the leak occur?
On Friday, November 1, when the incident took place, BitMEX had published the index change that was of great importance for the customers and would have an impact on the pricing of all the products of the platform.
The BitMEX team faced some technical problems while sending this mass email since this was to be done on a global scale.
“BitMEX is a global business that sends emails to many different email providers. Email deliverability itself is a multi-layered problem, involving decades of work in building sender reputation systems and automatic spam filters. Unfortunately, this makes the job of large services such as BitMEX difficult at times: we only send mass emails to all users on rare occasions.”
To solve the issue, the team took some steps and built an in-house system to conduct such massive email sending easier.
“BitMEX has not sent an email to every customer at once since 2017, and much has changed since then. When we initiated the send, it became clear that it would take upwards of 10 hours to complete, and there was a desire on the team to ensure users received the same material information on a more reasonable timescale.”
The team promptly rewrote the tool to send the mass email faster in stacks of 1,000 addresses.
“Unfortunately, due to the time constraints, this was not put through our normal QA process. It was not immediately understood that the API call would create a literal concatenated “To:” field, leaking customer email addresses. As soon as we became aware, we immediately prevented further emails from being sent and have addressed the root cause. Since then we have been aiding all who have been affected as best we can and mitigating the damage to contain the leak.”
BitMEX emphasizes that no other user data, apart from the email addresses, leaked.