Bit24.cash, a cryptocurrency exchange based in Iran, has accidentally exposed the personal data of nearly 230,000 users. According to the report, a misconfiguration on the service's side exposed customer data, including passports, user IDs, credit cards, and written consent forms submitted to regulators.
Like other crypto exchanges, bit24.cash operates under Know Your Customer (KYC) requirements. Although many argue that KYC runs against the very foundation of crypto, which many regard as built on anonymity, numerous services comply with such requirements to deter criminal activity.
During the KYC process, customers must provide documentation to confirm their identity. Given that these documents contain sensitive personal information, it is imperative that companies that handle and require such data approach it with the utmost seriousness and responsibility, ensuring that it stays secure and private.
According to Cybernews researchers, the leak stemmed from a misconfigured MinIO instance (an S3-compatible object store), which allowed access to the buckets hosting the sensitive data on the platform. The misconfigured instance has since been secured, and the exposed data is no longer accessible.
Cybernews reached out to bit24.cash for comment. The company said it had investigated the researchers' findings and found no evidence of either a data breach or unauthorized access to sensitive customer data.
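The misconfiguration described above, an S3-compatible bucket whose policy lets anonymous callers list and download objects, can be caught by inspecting the bucket policy before anyone else does. The following is an added example written for this article, not code from the original report and not bit24.cash's configuration: MinIO accepts the same policy JSON as AWS S3, so the check below reads a policy document and flags every Allow statement that grants read or list actions to the "*" principal. The bucket name kyc-docs, the account ID and both policies are constructed for illustration; the weak one has the shape a bucket ends up with after anonymous downloads are enabled, the hardened one grants the same actions only to a named service account.

```python
"""Flag bucket-policy statements that grant anonymous (public) access.

Added example for an S3-compatible store such as MinIO. The bucket name,
account ID and both policies below are constructed for illustration and
are not bit24.cash's configuration.
"""
import json

# Actions that expose object contents or bucket listings to whoever holds them.
EXPOSING_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """True when a statement's Principal matches everyone, in any of the
    spellings S3 and MinIO accept: "*", {"AWS": "*"} or {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_grants(policy: dict) -> list:
    """Return every Allow statement that lets anonymous callers read data.

    Each finding records the statement id, the exposing actions, the
    resources and whether a Condition limits the grant (a conditioned grant
    still deserves review, but may be intentional, e.g. scoped to a source IP).
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        exposing = sorted(set(_as_list(stmt.get("Action", []))) & EXPOSING_ACTIONS)
        if not exposing:
            continue  # e.g. only s3:GetBucketLocation, harmless on its own
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": exposing,
            "resources": _as_list(stmt.get("Resource", [])),
            "conditioned": "Condition" in stmt,
        })
    return findings


# Constructed: the shape of policy a bucket ends up with after anonymous
# downloads are enabled (every object readable without credentials).
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicList", "Effect": "Allow",
     "Principal": {"AWS": ["*"]},
     "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::kyc-docs"]},
    {"Sid": "PublicGet", "Effect": "Allow",
     "Principal": {"AWS": ["*"]},
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::kyc-docs/*"]}
  ]
}""")

# Constructed: the corrected policy grants the same actions only to a named
# service account (hypothetical ARN); anonymous callers get nothing.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "KycServiceRead", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::123456789012:user/kyc-backend"]},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::kyc-docs", "arn:aws:s3:::kyc-docs/*"]}
  ]
}""")


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        grants = find_public_grants(policy)
        print(f"{name}: {len(grants)} anonymous grant(s)")
        for g in grants:
            print(f"  {g['sid']}: {g['actions']} on {g['resources']}")
```

On a MinIO deployment the policy to feed into this check comes from the MinIO client: `mc anonymous get ALIAS/BUCKET` reports the bucket's anonymous-access setting, and `mc anonymous set none ALIAS/BUCKET` removes it. Any bucket holding identity documents should report no anonymous grants at all; access for the application that serves those documents belongs on a dedicated user or service account, as in the hardened policy.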
“The reference to a misconfigured MinIO instance granting access to S3 buckets containing KYC data is wholly untrue and does not align with our system architecture or security protocols,” bit24.cash security engineer Hossein Amini said in an emailed response to Cybernews. “We can confirm that our MinIO setup and cloud storage containers remain secure, and there has been no unauthorized access to any sensitive user data.”
Users of services that require personal data should manage that information carefully, but whether a breach happens is largely outside their control: a misconfiguration or vulnerability on the provider's side can expose their data regardless of how well they handle it themselves.
Dedicated software like Bitdefender Digital Identity Protection can help you manage your digital footprint, including traces of no-longer-used services. It provides you with a comprehensive overview of your online personal data, continuously monitors the public and dark web for breaches that put your identity at risk, and lets you instantly close leaks and weak points in your digital footprint with 1-click action items.