Bit24.cash, an Iranian cryptocurrency exchange, allegedly experienced a substantial data breach affecting approximately 230,000 citizens, exposing sensitive information. The exchange, however, refuted the claim, labeling it as entirely false.
Researchers from Cybernews pointed to a purportedly misconfigured storage system as the cause of the breach. The misconfigured MinIO object storage system was reportedly left vulnerable, allowing unauthorized access to S3 buckets containing users’ KYC documents. Among the compromised data were consent letters, passport information, and credit card details, as detailed by the researchers.
Having gained access to extensive personal and financial information, malicious actors could potentially engage in identity impersonation, unauthorized account access, fraudulent transactions, and inflict significant financial and personal harm upon the impacted users.
Subsequent to the incident, Cybernews researchers reported that the storage system has been fortified and is now inaccessible.
Bit24.cash, identified as one of the leading five cryptocurrency exchanges in Iran based on TRMlabs insights, operates within a nation that embraced a pro-crypto stance in 2019 as a strategic measure to navigate sanctions imposed against it.
Bit24.cash – “Wholly Untrue”
In response to the accusations, the exchange adamantly denied the claims, labeling them as “inaccurate and misleading.”
Hossein Amini, a security engineer at bit24.cash, reassured the public that there is no evidence supporting the allegation of a data breach or unauthorized access to sensitive information. He emphasized that user security remains the top priority for Bit24.cash.
Amini specifically addressed the reference to a misconfigured MinIO instance granting access to S3 buckets containing KYC data, stating that it is entirely untrue and inconsistent with their system architecture and security protocols. He expressed confidence in the security of their MinIO instance and S3 buckets.
It’s worth noting that security breaches exposing users’ information have been reported in the past. For instance, a recent potential breach of Strike, a Bitcoin Lightning-based payment platform, raised concerns about the exposure of users’ private emails, as highlighted by online investigator ZachXBT.