BitMEX cryptocurrency exchange email incident followup

CoinSyncoom has already reported on the incident regarding the BitMEX cryptocurrency exchange email leak last week. Today, the derivatives trading platform has published a followup on their official blog to further explain the situation.

The complexity of bulk emails

After a starting apology to all parties involved, the official release explains that the overall complexity of bulk emails and large providers are the cause of the incident. So, BitMEX states that the likes of Yahoo and 163, have control mechanisms for sending large numbers of emails. That control system ensures that customers receive emails dependably.

According to BitMEX’s explanation, their in-house system fixes the issue so that incidents like this don’t happen. However, in this instance, the number of emails was so large that the whole process would take up to 10 hours, which the exchange wanted to avoid by updating their in-house code.

The new system fix, apparently, ordered the system to send emails in batches of 1,000 until it serves everybody. Unfortunately, that didn’t go as planned. Therefore, the programmed API call created the “To:” field which leaked all BitMEX clients’ emails to everyone who received the email at issue.

The release explains that, as soon as those responsible realized the malfunction, they prevented the system from sending more emails. Regarding their internal stance towards the incident, BitMEX explains:

BitMEX is a company that takes engineering seriously, and we are disappointed that this lapse in care has resulted in unwanted disclosure for our customers. We believe that processes, not engineers, are to blame for these failures.

Obviously, the process failed. In the aftermath, to mend the damage done, the company’s engineers are reviewing every single line of code. Fixing bugs and making it safe to use again.

In conclusion, BitMEX discloses that only the emails leaked, without any other users’ details. Thus, reassuring their customers that their other personal information and exchanges core system was never at risk.

Who should worry about the BitMEX cryptocurrency exchange email leak?

BitMEX states that even those who didn’t receive the email or their address wasn’t quoted in the “To:” field may be at risk. Nevertheless, those who received it, and clients with leaked addresses are, obviously, affected. In any case, the recommendation in these situations is that all users tighten their on-exchange security measures.

One thing that BitMEX always emphasizes is the 2FA to help its users protect their accounts. The company also repeats the warning about possible phishing attacks, and repeats their usual mailing channels.

In the end, BitMEX discloses:

We want to reassure you that beyond email addresses, no personal or account information has been disclosed. At no point during this issue were any of our systems at risk, and they remain secure, as we continue to take measures to enhance our security. Your privacy and security remain our top priority.

It is interesting to note that somebody hacked the BitMEX Twitter account in the meantime. Reportedly, the company regained control over their social media channel in 6 minutes.

The larger the business the bigger security problems. It should be the top priority for companies like BitMEX not to jeopardize their users’ trust. Hasty emailing system configuration isn’t what we could call, good business practice. We sincerely hope that BitMEX will take their responsibilities more seriously next time. Rushing into things is commonly counter-productive.