[BreachExchange] Australia’s largest cryptocurrency exchange accidentally exposed the names and emails of 270,000 customers

Destry Winant destry at riskbasedsecurity.com
Thu Dec 3 10:38:03 EST 2020


https://www.businessinsider.com.au/btc-market-cryptocurrency-privacy-breach-2020-12

- Australian cryptocurrency exchange BTC Markets has apologised for
revealing the personal details of more than 270,000 of its members
earlier this week.
- The company sent emails to batches of its members which included
their names and email addresses.
- The breach makes BTC Markets users more vulnerable to phishing and
other cyberattacks attempting to gain access to their cryptocurrency.

________________________________

One of the main selling points of cryptocurrencies is that they are
designed to offer their users privacy or even complete anonymity. But
not even the cleverest creators can completely thwart human error.


Early on Tuesday morning, an Australian cryptocurrency exchange that
bills itself as the largest in the country inadvertently exposed more
than 270,000 of its members' names and email addresses.

Users posted to social platforms like Twitter and Reddit to complain
about the breach.

BTC Markets issued a statement acknowledging that the company had
breached the privacy of its customers and apologised for the
situation.

“Earlier today, an announcement from BTC Markets exposed client names
and email addresses. This is a deeply regrettable situation and we
apologise wholeheartedly for it,” the company tweeted on Tuesday
evening.

The company stressed that the breach did not affect their exchange,
nor were there passwords exposed in the breach. The company’s CEO
Caroline Bowler said in a tweet that all of its customers were
affected.

According to BTC Markets, the company uses an external email
system to send out updates to its customers.

In the process of sending out correspondence, the company’s customers’
names and emails were included in the ‘to’ section of emails, rather
than being blind carbon copied or individually addressed.

The emails were batch limited to 1000 recipients, meaning that each
individual only received an email with the details of up to 999 other
customers rather than the full list.

The company said its batch sends occur rapidly, meaning that by the
time it noticed the problem, it was unable to stop the emails from
going out.
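
The addressing failure described above, as an added example that is
not part of the original article: a batch placed in one 'To' header
beside individually addressed messages, with a pre-send check that
blocks any message exposing more than one address. The function names,
the one-address policy and the sample customers are assumptions
constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import formataddr, getaddresses

MAX_VISIBLE = 1  # assumed policy: a bulk notice shows each customer only their own address

# Constructed sample data, not real customers.
CUSTOMERS = [("Alice Example", "alice@example.com"),
             ("Bob Example", "bob@example.com"),
             ("Carol Example", "carol@example.com")]

def _notice(sender, subject, body):
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def build_exposed(sender, subject, body, customers):
    """Failure mode from the article: the whole batch in one 'To' header."""
    msg = _notice(sender, subject, body)
    msg["To"] = ", ".join(formataddr(c) for c in customers)
    return msg

def build_individual(sender, subject, body, customers):
    """One message per customer, so no recipient sees another's details."""
    out = []
    for name, addr in customers:
        msg = _notice(sender, subject, body)
        msg["To"] = formataddr((name, addr))
        out.append(msg)
    return out

def visible_recipients(msg):
    """Addresses any recipient can read: everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]

def check_outbound(msg):
    """Pre-send gate: refuse a message that discloses more than MAX_VISIBLE addresses."""
    seen = visible_recipients(msg)
    if len(seen) > MAX_VISIBLE:
        raise ValueError(f"blocked: {len(seen)} addresses visible in To/Cc")
    return msg
```

Running check_outbound on every message before it reaches the mail
system stops a mis-addressed batch at the first message instead of
after delivery has begun.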

The privacy breach threatens the security of the BTC Markets user
base. The exchange uses a user’s email address as their login.
Further, anyone with a list of users could use that information to
guide phishing attempts.

BTC Markets said they will report the breach to the Office of the
Australian Information Commissioner, conduct an internal review and
step up the security measures around users' details.

The company also advised its users to use two-factor authentication
for their BTC Markets account to secure their accounts, and directly
contacted all their users to inform them of the breach.

Still, not all their customers were happy with the company’s response.

“BTC Markets name is now as good as dog shit,” one social media user mused.

