The crypto Twitter is boiling with the news that the BitMEX exchange famous for large volumes of Bitcoin futures trading and run by the CEO Arthur Hayes who is quite active on his Twitter page, has accidentally leaked its users’ emails.
The leak happened through an email update earlier today and it contained thousands of user emails.
The trouble was reported by a Twitter user @jchervinsky, a lawyer from Compound Finance.
BitMEX just doxxed its users in the most outrageously incompetent way imaginable: forgetting to use blind copy on mass email. Someone must be cleaning out their desk already. https://t.co/KmARzImxnk— Jake Chervinsky (@jchervinsky) November 1, 2019
Unclear, but it seems on the order of thousands at minimum. Each email has 1,000 addresses in the "to" field and apparently different emails have different sets of addresses.November 1, 2019
BitMEX is already aware of the issue and is working to resolve it. The official response of the exchange states:
“We are aware that some of our users have received a general user update email earlier today, which contained the email addresses of other users.
Our team have acted immediately to contain the issue and we are taking steps to understand the extent of the impact. Rest assured that we are doing everything we can to identify the root cause of the fault and we will be in touch with any users affected by the issue.
The privacy of our users is a top priority and we are very sorry for the concern this has caused to our users.”
We are aware of an email privacy issue impacting our customers. We have identified the root cause and will be in touch with any users affected by the issue. See our blog for details: https://t.co/FNp2Fdyxdn— BitMEX (@BitMEXdotcom) November 1, 2019
Other users are also reporting the leakage of users’ emails.
Bitmex leaked their customers mail list by puting all users in (To) instead of (BCC)— Feras_Y (@FeraSY1) November 1, 2019
if you are using the same email for #Bitmex & other exchanges, Go and change it IMMEDIATELY@BitMEXdotcom guys! u f*cked up !
CZ Binance and HEX.Win founder respond immediately
Richard Heart, the founder of HEX.Win took to his Twitter page to recommend those BitMEX users whose addresses got leaked to change their passwords immediately to protect their BitMEX accounts from hackers. He also advised not to use SMS-based 2FA.
Everyone change your passwords everywhere now, because if your email was tied to another leak, they will try that password from that leak on your mex account and everywhere else now! And they'll get in if you used the leaked password (from a different leak) anywhere else!— Richard Heart (@RichardHeartWin) November 1, 2019
SMS 2FA is horrible because anyone can know your phone number and personal details to "sim swap" you (pretend they're you and deactivate your real SIM and activate their fake SIM.) Something they can't do with NO 2FA, or non SMS 2FA.— Richard Heart (@RichardHeartWin) November 1, 2019
The head of Binance, CZ, also responded to the accident, recommending particular software for managing passwords.
I believe @1Password or @LastPass are both relatively secure and easy to use. Both use encrypted online sync (I think).— CZ Binance (@cz_binance) November 1, 2019
Use Keypass(x) if you don't want online sync.
Also, please turn-on @Yubico protection on @binance. One of the #SAFUest methods.
A post on the Binance Twitter page says that should any BitMEX customers use the same address for trading on Binance, those should be immediately changes with a step-by-step guide for that provided.
⚠️We are aware of a large-scale user email leak from another exchange.⚠️— Binance (@binance) November 1, 2019
If you are one of the affected users and you also have a Binance account under the same email address, we recommend changing your email immediately using the below steps:https://t.co/sgEr5sqleg