Another day, and another report that a cryptocurrency exchange has been breached by malicious hackers.
Indian cryptocurrency exchange BuyUCoin says that is investigating claims that sensitive data related to hundreds of thousands of its users has been published on the dark web, where it is available for free download.
The 6GB of leaked data is said to have been found in a MongoDB database that BuyUCoin had left unsecured, and included users’ bank account details, email addresses, bcrypt-hashed passwords, mobile phone numbers, and Google sign-in tokens.
The data was subsequently leaked by the ShinyHunters gang which has a history of publishing data breaches.
Such details could, of course, be used by other online criminals to scam and defraud cryptocurrency investors.
Existing customers of BuyUCoin, including security researcher Rajshekhar Rajaharia, have confirmed the authenticity of the data breach by finding their own information in the leaked data.
Screenshots posted on social media of the data leak suggest that information included in the leaked database may have been accessed as recently as last September.
However, for now at least, BuyUCoin is sending mixed messages regarding whether a breach has occurred or not.
Initially a statement from the BuyUCoin’s CEO Shivam Thakral was released saying: “In the mid of 2020, while conducting a routine testing exercise with dummy data, we faced a “low impact security incident” in which non-sensitive, dummy data of only 200 entries were impacted. We would like to clarify that not even a single customer was affected during the incident.”
That statement, however, was later replaced on BuyUCoin’s blog with another that said the company is “investigating each and every aspect of the report about malicious and unlawful cybercrime activities by foreign entities in mid-2020.”
The cryptocurrency exchange says that it will keep users updated with its investigation uncovers, and will “conduct a major cybersecurity overhaul throughout 2021 to upgrade platform security.”
I don’t know about you, but I’m not sure that’s going to reassure many cryptocurrency investors at this stage.
There is a simple checklist which administrators of MongoDB databases can follow to help ensure that sensitive information stays out of reach of cybercriminals.
Unfortunately, it is still all too common to find companiess are using older versions of the MongoDB software, which didn’t require a password by default.
If reports are confirmed that BuyUCoin left a MongoDB instance unsecured and directly accessible on the internet then it really shows a reckless disregard for the security and privacy of its users.