Iranian crypto exchange Bit24.cash has reportedly leaked the personal and financial details of its 230,000 users following a security flaw in its know-your-customer (KYC) database.
The exchange’s KYC and anti-money laundering (AML) measures stipulate that users must submit a photo of themselves alongside their ID, credit card, and written consent to trade on the site.
However, a report from Cybernews details a flaw in the exchange’s cloud software that has let slip the identifying details of its customers. According to the report, researchers accessed KYC data stored in S3 buckets, a form of cloud storage, by exploiting a misconfigured MinIO instance.
Researchers say this flaw “poses a severe threat, as threat actors could potentially exploit the exposed data for identity theft, fraudulent transactions, and phishing attacks.”
They added, “With access to such comprehensive personal and financial data, malicious actors could impersonate individuals, gain unauthorized access to accounts, execute fraudulent transactions, and potentially cause substantial financial and personal harm.”
According to crypto analytics firm TRM Labs, Bit24 is the fifth-largest crypto exchange in Iran by incoming volume.
Bit24 responded to the Cybernews report, calling it “inaccurate and misleading.” A security engineer said, “The reference to a misconfigured MinIO instance granting access to S3 buckets containing KYC data is wholly untrue and does not align with our system architecture or security protocols.”
The engineer said Bit24’s security is one of its ‘utmost priorities’ and that concerned users should contact the exchange. According to Cybernews, the security flaw is no longer present.
In a comment to Protos, Bit24 added, “Our platform utilizes state-of-the-art security infrastructure to safeguard user information throughout the KYC process and beyond.
“We can confirm that our MinIO setup and cloud storage containers remain secure, and there has been no unauthorized access to any sensitive user data.”
Despite these claims, Cybernews, which says it employs white-hat hacking techniques to unearth cybersecurity flaws, told Protos, “We firmly stand by our findings and report.”
Edit 18:20 UTC, Jan 8: Updated to include response from Bit24.
Edit 13:15 UTC, Jan 9: Updated to include response from Cybernews.