The BitMEX crypto-derivatives exchange publicly exposed the email addresses of a number of users this morning in a mass e-mail announcing upcoming changes to its index structure.
"We know that some of our users received an email today that contained the email addresses of other users. Our team immediately took steps to limit the problem. We are trying to understand the scope of what happened. Rest assured that we are doing everything we can to determine the root cause of the incident and will contact all the victims. User privacy is our top priority. We are very sorry for the concern you have caused," the exchange writes.
"BitMEX has just leaked user data in the most incompetent way, forgetting to use a hidden copy in the mass mailing list. Someone should already be packing. Such a colossal breach of privacy can have serious consequences - the stock exchange, which is under investigation by the CFTC, is the last thing that needs to be done," says lawyer Jake Chervinsky.
Some believe that the email addresses of the entire BitMEX user base were disclosed this way, since different recipients received different portions of the address list.
Binance said it was aware of "a large-scale diversion of user email addresses from another exchange" and recommended that affected customers immediately change the email addresses associated with their platform accounts.
The OKEx exchange made the same statement, noting that requests from users wishing to change their email addresses would be given priority.
UPD: According to updated information, the problem was caused by a software error, which has since been identified and fixed. Apart from email addresses, no other personal data or account information was disclosed.
BitMEX warned users about the danger of phishing attacks, reminding them that it sends its emails only from "[email protected]" and "[email protected]" and will never ask them to transfer funds anywhere other than the deposit address specified in their account on the exchange.
UPD2: Larry Cermak, an analyst at The Block, suggests that more than 30,000 addresses in total could have been exposed.
UPD3: The BitMEX Twitter account was also hacked, and the following messages were posted: "Hacked. Take your BTC and run. Last day of withdrawal". They were deleted 3 minutes after publication. BitMEX did not comment.