Iranian cryptocurrency exchange Bit24.cash has purportedly exposed the personal and financial information of its 230,000 users due to a security flaw in its know-your-customer (KYC) database.
The exchange’s KYC and anti-money laundering (AML) procedures mandate users to submit a photo, ID, credit card, and written consent for trading on the site.
However, as per a report by Cybernews, a flaw in the exchange’s cloud software has disclosed customer details. Researchers accessed KYC data stored in S3 buckets, a type of cloud storage, by exploiting a misconfigured MinIO. Researchers state this flaw “poses a severe threat, as threat actors could potentially exploit the exposed data for identity theft, fraudulent transactions, and phishing attacks.”
They added, “With access to such comprehensive personal and financial data, malicious actors could impersonate individuals, gain unauthorized access to accounts, execute fraudulent transactions, and potentially cause substantial financial and personal harm.”
TRM Labs, a crypto analytics firm, ranks Bit24 as the fifth-largest crypto exchange in Iran by incoming volume.
Bit24 responded to the Cybernews report, calling it “inaccurate and misleading.” A security engineer stated, “The reference to a misconfigured MinIO instance granting access to S3 buckets containing KYC data is wholly untrue and does not align with our system architecture or security protocols.”
Bit24 emphasized its commitment to security and encouraged concerned users to reach out. Cybernews mentioned that the security flaw is no longer present.
Bit24, in a comment to Nosisnews, affirmed, “Our platform utilizes state-of-the-art security infrastructure to safeguard user information throughout the KYC process and beyond. We can confirm that our MinIO setup and cloud storage containers remain secure, and there has been no unauthorized access to any sensitive user data.”