User data on cryptocurrency exchanges has been the subject of much discussion over the past several years. Regulators the world around seem to want exchanges to collect as much of it as possible; privacy advocates in the cryptocurrency space want exchanges to know nothing about their users.
However, these discussions were reignited once again following an incident last week, when thousands of BitMEX users’ email addresses were revealed in a mass email that was sent to every user on the exchange.
While the exact amount of exposed email addresses is unknown, some estimates point to more than 30,000 addresses. Not every user on the exchange was affected.
I now have access to about 3,000 unique emails from the BitMEX leak.
– from what I can tell, there is more than 30,000 unique emails in total
– 67% emails (from my sample size) use gmail, 7% hotmail, 4% yahoo, 3% protonmail
— Larry Cermak (@lawmaster) November 1, 2019
The exchange explained in a statement that the leaks had occurred as the result of an error in an in-house system that had been built to send emails to large amounts of users.
“We built an in-house system to handle the necessary rendering, translation, staging, and piecemeal (as not to trigger rate limits) sending of important email,” BitMEX said in a statement.
“BitMEX has not sent an email to every customer at once since 2017, and much has changed since then,” the statement said. John Colascione, Chief Executive Officer of Internet Marketing Services Inc., pointed out to Finance Magnates that the fact that the system had not been used for two years could indicate that the exchange “utilized a system that was not rigorously tested.”
Since the leaks, the exchange has apologized profusely and has promised to do better in the future. “We are deeply sorry for the concern this has caused to our users,” said Vivien Khoo, deputy COO, in a statement emailed to Finance Magnates.
“[…] As soon as we were made aware of the issue, we immediately prevented further emails from being sent and have since addressed the issue to ensure this does not happen again.”
However, the incident has caused affected users’ concern about possible phishing and hacking attempts; the leaks have also brought discussion about the role of KYC in the cryptocurrency industry.
What kinds of risks do affected BitMEX users face? And what does this mean for the way that the industry operates around KYC requirements and user data privacy?
Will BitMEX face consequences?
Charles Phan, Chief Technology Officer at cryptocurrency derivatives exchange Interdax, told Finance Magnates that “BitMEX are unlikely to face legal action, as only email addresses were revealed and it seems that no customers have lost any funds. BitMEX may, however, start to fall out of favor with some crypto traders, who will seek other alternatives that are perceived as more secure and private.”
Expressing similar sentiments regarding customer opinion, Larry Cermak, Director of Research at The Block, Tweeted that the exchange “will inevitably lose the trust of many of their users,” which he said is “especially unfortunate while the derivatives markets are already heating up.”
They will inevitably lose the trust of many of their users. It definitely won’t kill them but they will lose some market share for sure. And it’s especially unfortunate while the derivatives markets are already heating up
— Larry Cermak (@lawmaster) November 1, 2019
Johnathan Swerdlow, CMO of Enigma Securities, also pointed out that while there may not be any direct legal consequences for BitMEX as a result of the leak, BitMEX is currently under investigation by the CFTC; therefore, the reputational damage that may have resulted from the leak is particularly bad timing for the company.
“Although considered by many to be a simple mistake on the part of the company, BitMEX is currently under investigation by the Commodity Futures Trading Commission (CFTC) for allowing American traders to use the platform without a license,” Swerdlow told Finance Magnates.
“If they registered with a publicly-known email address that belongs to them, having it leaked makes it widely known that they’re market participants.”
Indeed, it seems that BitMEX’s customers whose emails were leaked are facing more severe consequences than the exchange itself.
“One way this could hurt customers is if they were trying to keep their interest in bitcoin secret, i.e., for security or personal safety reasons,” said Udi Wertheimer, host of the Reckless Review podcast, to Finance Magnates. “If they registered with a publicly-known email address that belongs to them, having it leaked makes it widely known that they’re market participants.”
Indeed, in a Tweet posted after news of the leaks had spread, Partner at Primitive Crypto Dovey Wan referred to the incident as the “Ashley Madison” of crypto, referring to a 2015 incident in which in July 2015, a group known as “The Impact Team” stole and shared the user data of Ashley Madison, a commercial website that connects individuals interested in having extramarital affairs.
Wan also pointed to the fact that the United States’ tax agency could potentially use the email addresses as a possible source of tips for taxes that need to be collected.
gonna be a interesting “Ashely Madison” like case for the Bitmex email leaks ..
Anybody using .gov email or .edu email? 👀👀👀 and nice source of tax collection pointer for IRS too if they do a quick scan
— Dovey 以德服人 Wan 🗝 🦖 (@DoveyWan) November 1, 2019
Could the leaked emails be used by governments to identify crypto hodlers?
Eric Benz, CEO of cryptocurrency exchange Changelly, agreed that the list could potentially be used by government agencies. He told Finance Magnates that “I would imagine that some, if not most government agencies have a copy of this email list leaked by BitMEX.”
However, if they attempt to use it for investigation purposes, the process of matching emails with users “would be very long-winded and not result in much success…most of the emails cannot be tied to an actual individual, making it very difficult to actually apply any sort of tax and fees, et cetera,” he said.
However, Willy Woo, cryptocurrency analyst and partner at Adaptive Fund, pointed out on Twitter that the company that issues the software that BitMEX used to build its email infrastructure is based in the US.
I’m surprised BitMEX used SendGrid, a US based company, for bulk email, uploading its customer database to a company that can get a court order from the IRS to reveal its records. (Those email addresses will still need cross referencing with other databases to find US customers) https://t.co/TumUt8GAPC
— Willy Woo (@woonomic) November 2, 2019
ACY Securities Supports ASIC’s Product Intervention OrderGo to article >>
In other words–as Charles Phan explained– “the leak also revealed that BitMEX uses US-based SendGrid as a tool to send emails – which is surprising as the customer database of BitMEX is uploaded to a company that can be pressured by the US tax authorities to reveal its records (BitMEX does not permit US residents to trade on their platform).”
Leaked emails put users at risk of hacking and phishing attempts
Even if the government isn’t involved, the leaked emails could still have a number of other unfortunate consequences for users.
For one thing, a leaked email address easily make someone into a target for hacking and phishing attempts. “Anytime emails are leaked, it always allows others to use this information to target and sometimes even threaten that individual/company,” said Eric Benz, CEO of Changelly, in an email to Finance Magnates.
“Other ways of leaking customer emails can make them feel vulnerable simply because it now allows others to create spoof emails that are actually not from the parties we would expect,” he continued, referring to emails that imitate the platforms that users regularly use in order to steal proprietary information. “Customers, most of the time, have no idea that they are being spoofed until its too late.”
There is already a 30k email dump selling on darknet. For any user that was involved in this leak, get ready for constant phishing attempts and emails from competitors. Be careful
— Larry Cermak (@lawmaster) November 1, 2019
BitMEX itself also pointed out in the statement published after the leaks that “we are aware that many users reuse email addresses across services,” the statement said. “This, combined with a very human tendency to reuse passwords, meant that many of our users may have been at risk due to password hash dumps on other platforms, even ones unrelated to crypto.”
In other words, hackers who manage to connect one of the leaked email addresses with a password may not only gain access to the user’s BitMEX account but accounts on other cryptocurrency platforms where they may have used the same email address and password.
Other exchanges identified this as a potential issue long before BitMEX said anything about it publicly. Within hours of the email leaks, a number of other cryptocurrency exchanges began advising their users to change their email addresses and passwords. Binance was among them:
⚠️We are aware of a large-scale user email leak from another exchange.⚠️
If you are one of the affected users and you also have a Binance account under the same email address, we recommend changing your email immediately using the below steps:https://t.co/sgEr5sqleg
— Binance (@binance) November 1, 2019
How can users protect themselves in the future?
However, it’s important to remember that this isn’t the first time that customer data entrusted to an exchange has been leaked, and it probably won’t be the last.
This is ridiculously bad, but what do you mean “good luck recovering” lol? You don’t expect people to stop trading over this right
— Udi 比特神教 Wertheimer (@udiWertheimer) November 1, 2019
Indeed–while the circumstances have been different–Binance, Coinbase, and many other exchanges have either accidentally leaked data themselves, or have been targeted by hackers who have gained access to customer data.
Therefore, users on any cryptocurrency exchange should take extra care to see that their data is protected to the best of their capabilities.
For one thing, “a good way for bitcoiners to protect themselves in the future would be to use unique, random-looking email addresses when signing up to bitcoin-related services,” Udi Wertheimer told Finance Magnates. In other words, if your name is Alex Smith, and your birthdate is March 17th, 1979, don’t use “firstname.lastname@example.org” as your exchange email address.
I’d say more than 50% of emails are trivially easy to doxx. Surprisingly high amount of people use a combination of first.lastname or they use a domain of a company that has less than 5 employees. Don’t do this…
— Larry Cermak (@lawmaster) November 1, 2019
Additionally, crypto hodlers should choose their email servers carefully.
Charles Phan pointed out to Finance Magnates that “one key takeaway is that traders on BitMEX have not taken OpSec as seriously as they should have. The majority of users used Gmail and other email providers that provide little to no privacy…Just a small percentage were using privacy-focused email providers like ProtonMail.”
Some believe that KYC requirements are the root of data privacy problems
Naturally, the email leak has caused the members of the cryptocurrency community who are adamantly opposed to KYC to point to the BitMEX email leaks as another piece of evidence to prove their points.
KYC is the cancer of crypto, #DeFi is the alternative to this
— ChainLinkGod (@ChainLinkGod) November 1, 2019
Charles Phan told Finance Magnates that “Know Your Customer practice is in opposition to the underlying values of the cryptocurrency movement.”
“Bitcoin provides a permissionless payment system that no-one is banned from using,” he explained. “Companies that collect sensitive personal information are a gold mine for hackers and often customer data is leaked – Bitcoin gets around this by not requiring personal identification to setup an account and transact.”
However, Eric Benz told Finance Magnates that it might be that as long as the industry wants to continue to evolve toward “mainstream” usage, KYC is here to stay–and it might not be such a bad thing.
“KYC is not a bad thing at all and allows us to know our customers in a more compliant manner to, therefore, be able to thus protect the customers invade any issues that take place,” he said.
“As new verticals of business have reshaped our world economy we must also be more cautious, and KYC is a necessary means in order to establish what person or company you are dealing with. Bitcoin, by its very nature, has been designed to circumvent KYC and AML, so therefore we cannot apply antiquated processes but instead utilize the underlying technology and apply more innovative tools.”
Indeed, Phan also said that “the whole situation is likely to increase pressure on centralized exchanges to continue to improve user security and privacy and see increased competition in the space.” Here’s to a brighter future.
Finance Magnates reached out to BitMEX regarding commentary for this piece but did not hear back before press time. Special thanks to Kim Bazak.