Crypto exchange Huobi says two-year data breach wasn’t that bad
Major crypto exchange Huobi has quietly fixed a data breach in which a bad actor could have stolen user assets, spread malware, learned the IP address of every over-the-counter (OTC) trader since 2017, and identified nearly 5,000 crypto whales on the platform, according to a white hat hacker.
Citizen journalist Aaron Phillips discovered that the data breach dated back to the summer of 2021, when Huobi accidentally shared a file containing AWS credentials. However, after learning about the breach in 2022, it took Phillips an entire year to get the exchange to confirm that the breach had been fixed.
“For two years, every user who logged into a Huobi website or app was potentially at risk of losing their account,” the citizen journalist wrote.
“An attacker exploiting Huobi’s mistakes would have had the opportunity to carry out the largest crypto theft in history.”
Huobi data breach exposed 5,000 whales
Huobi accidentally published the sensitive file in June 2021. According to Phillips, this gave anyone full access to its cloud storage buckets — meaning that hackers could have modified and controlled many Huobi domains.
With write access to critical buckets, hackers could steal user accounts and assets, spread malware, and effectively cripple Huobi’s entire business.
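The root cause described above is an accidentally published file that contained AWS credentials. As an added illustration (not code from Phillips or Huobi), the following pre-publication check scans a text artifact for long-lived AWS access key IDs and labelled secret keys, using an entropy filter to skip obvious placeholders; the sample config is constructed and uses the well-known AWS documentation example keys.

```python
import math
import re

# Long-lived AWS access key IDs start with "AKIA"; temporary STS keys start with "ASIA".
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 characters from the base64 alphabet; requiring a
# key-like label on the same line keeps false positives down.
SECRET_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; real secrets score well above placeholders."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def find_aws_credentials(text: str) -> list:
    """Return (line_number, kind, value) for every credential-like token found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) > 4.0:  # drop low-entropy placeholders
                findings.append((lineno, "secret_access_key", secret))
    return findings


def redact(value: str) -> str:
    """Show only the ends of a value so a report does not re-leak it."""
    return value[:4] + "..." + value[-4:]


# Constructed sample artifact; the keys are AWS's public documentation examples.
SAMPLE_ARTIFACT = """\
# constructed sample: a config that should never ship to a public bucket
region = ap-northeast-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
placeholder_secret = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for lineno, kind, value in find_aws_credentials(SAMPLE_ARTIFACT):
        print(f"line {lineno}: {kind} {redact(value)}")
```

Running the same scan in CI against build output or deployment bundles, and failing the job on any finding, blocks the publication mistake at the point where it is cheapest to catch.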
“I had full control over data from almost every aspect of Huobi’s business,” Phillips explained in his blog post published last week.
Huobi’s data breach didn’t end there. The identity and contact information of 4,960 users who held massive amounts of cryptocurrency was leaked. Apparently, Huobi kept customer relationship management (CRM) files on these whales and ranked them by market-moving power.
Additionally, Phillips claimed the data breach revealed every trade made on Huobi’s over-the-counter (OTC) desk since 2017. User accounts, transaction details, and the IP address of traders were leaked in a 2TB downloadable file, he wrote.
The data breach also apparently revealed intimate details of Huobi’s technical infrastructure and gave potential hackers the ability to alter JSON files belonging to the firm’s NFT project, Utopo.
Huobi says data breach was no biggie
According to a timeline of events provided by Phillips, the white hat hacker first flagged the data breach with Huobi on June 12, 2022. By August, he hadn’t received a reply — so he began regular attempts to get in touch.
Phillips didn’t hear back for another three months. On November 11, 2022, Huobi finally replied and promised to close the leak.
However, by December, Phillips was still unable to confirm that the breach had been contained. After another half year of regular attempts to get in touch, he decided to fill out Huobi’s Zendesk-powered help center form. He received a reply that same day, on June 20, 2023, confirming that the leak had been fixed.
It remains unclear why it took so long for Huobi to take action and even longer to respond. In a statement, Huobi maintained that the breach wasn’t actually that bad.
According to Huobi, the data breach occurred “due to improper operations by personnel related to the S3 bucket in the testing environment of the Huobi Japanese AWS site. The relevant user information was completely isolated on October 8, 2022.”
“The incident this time involved the leakage of user contact information on a small scale (4,960 individuals),” Huobi said. “The type of information leaked does not involve sensitive information and does not affect user accounts and fund security.”
“Huobi Japanese site and Huobi Global site are completely different entities,” it explained. “After being discovered by a white hat team, the Huobi Security Team promptly took action on June 21, 2023, immediately closing the relevant file access permissions.”
“The current issue has been fixed,” Huobi assured reporters. “All related user information has been deleted. We appreciate the contributions made by the white hat team to Huobi’s security.”
In an updated statement, Huobi claimed that the OTC data was “test data” rather than real transactions and that only 4,000 users had information exposed. “The log shows that only [Phillips] has downloaded, and [Phillips] has also stated that he has deleted. Therefore no leakage is actually caused.”
It appears that Huobi got incredibly lucky — but undoubtedly, this will hurt its already tarnished reputation.