BitMEX has published an official statement confirming last week’s email disclosures did not leak any user data.
The exchange says that its quick actions prevented any further disclosures, but more importantly, “no personal or account information” leaked.
BitMEX notes in its November 4 statement that its engineers have identified and addressed the cause of the leak.
No risk to BitMEX core systems
The issue at BitMEX surfaced on November 1, reportedly after what the global exchange called a “general email update.”
According to the platform, the email update was to alert users about upcoming indices changes. It was in the process of informing users of these details that the address disclosures occurred.
Writing in a company blog post, COO Vivien Khoo moved to assure users that every other aspect of the exchange’s operations remains secure. He affirmed:
“At no point were any of our core systems at risk.”
Mass emailing failed
According to Khoo, the leak happened after an internal bulk mail send system failed.
BitMEX’s statement includes an unreserved apology for what happened but asserts that the email was necessary. As noted in the statement, the Indices Update touched on the company’s product pricing and thus impacted all users.
The process involved an email carrying the same information to all customers at once. However, sending the email to such a large group proved too slow. BitMEX, therefore, determined that it needed to speed up the process.
Khoo says the company had realized that it would have taken up to 10 hours to complete the send request. As such, to have a delivery timescale that was “reasonable” for everybody, the firm opted for an in-house “remedy.”
But it appears time constraints meant the approach did not go through the required QA scrutiny. It was an API call in this tool that led to the leaks.
BitMEX stopped process and enforced security measures
Notably, November 1 marked the first time since 2017 that the exchange had sent mass emails.
But it stopped the bulk mailing process as soon as it discovered user addresses were leaking. In addition, the platform initiated further measures to protect customers. These include BitMEX support initiating forced password resets and monitoring the system for any signs of compromise.
The exchange maintains that the site is secure, but has advised users to be vigilant and guard against any potential phishing attempts.
Accordingly, users should enable two-factor authentication for all of their accounts, on BitMEX as well as on any other third-party platforms.
In related details, the BitMEX COO pointed out that an attack on its Twitter account wasn’t linked to the email address leaks. Hackers briefly took control of the BitMEX Twitter account on November 1, but the exchange was back in control within six minutes.
More details regarding these two issues should be out in the coming days.