BitMEX management released a statement on Monday, November 04, 2019 on the disclosure of customer email addresses over the weekend. According to the update, the exchange has reached out to many of its users and promised that those who have not yet been contacted soon will be.
The platform acknowledged that the process involved in reaching out to customers who may have privacy concerns due to the email leak is extensive.
In a blog post, the company wrote:
“This is a staggered process, to ensure that the proper processes are all followed, the delivery is logistically smooth and that all underlying security concerns are appropriately covered. If you have not yet heard from us already, you will do very soon.”
The company stated that on Friday, November 1 at 06:00 UTC, many of its customers received emails containing the email addresses of other customers in the “To” field, unwittingly exposing them. The email was a general update on the company’s upcoming changes to the weighting of its indices.
The company expressed regret over the occurrence and stated that it would do everything within its power to ensure that the privacy concerns of all affected customers are met.
A Tweak And Error
The release stated that the company had built an in-house system that handles mail rendering and translation, but the November 1 email was the first time BitMEX had sent a bulk email to every customer at once.
This necessitated tweaking of the tool,
“to send single SendGrid API calls in batches of 1,000 addresses. Unfortunately, due to the time constraints, this was not put through our normal QA process. It was not immediately understood that the API call would create a literal concatenated “To:” field, leaking customer email addresses.”
The release stated that when the operators noticed the leak, they stopped sending further emails.
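The failure mode described in the statement, as an added example that is not BitMEX's code: a pre-send check that rejects any batch in which more than one address shares a visible header. It assumes the JSON shape of SendGrid's v3 Mail Send API, where every address listed in one personalization's `to` ends up in the same "To:" header; the function names, sender and addresses are hypothetical and constructed.

```python
BATCH = 1000  # batch size quoted in the BitMEX statement

def _envelope(personalizations, subject, body, sender):
    return {"personalizations": personalizations,
            "from": {"email": sender},
            "subject": subject,
            "content": [{"type": "text/plain", "value": body}]}

def build_leaky(addresses, subject, body, sender):
    """One personalization holding the whole batch: a shared 'To:' header."""
    return _envelope([{"to": [{"email": a} for a in addresses]}],
                     subject, body, sender)

def build_isolated(addresses, subject, body, sender):
    """One personalization per recipient: each message shows only its own address."""
    return _envelope([{"to": [{"email": a}]} for a in addresses],
                     subject, body, sender)

def exposed_recipients(payload):
    """Addresses that at least one other recipient would see (to/cc are visible)."""
    exposed = []
    for p in payload.get("personalizations", []):
        visible = [r["email"] for field in ("to", "cc") for r in p.get(field, [])]
        if len(visible) > 1:
            exposed.extend(visible)
    return exposed

def safe_payloads(addresses, subject, body, sender, builder=build_isolated):
    """Build one payload per batch; refuse any batch that exposes recipients."""
    payloads = []
    for i in range(0, len(addresses), BATCH):
        payload = builder(addresses[i:i + BATCH], subject, body, sender)
        leaked = exposed_recipients(payload)
        if leaked:
            raise ValueError(f"batch at offset {i}: {len(leaked)} addresses "
                             "share a visible header")
        payloads.append(payload)
    return payloads

# Constructed sample data, not real customer addresses.
SAMPLE = [f"user{i}@customers.example" for i in range(2500)]

if __name__ == "__main__":
    ok = safe_payloads(SAMPLE, "Index update", "body", "noreply@sender.example")
    print([len(p["personalizations"]) for p in ok])
    bad = build_leaky(SAMPLE[:BATCH], "Index update", "body", "noreply@sender.example")
    print(len(exposed_recipients(bad)), "addresses exposed by the leaky builder")
```

Running a check like this in the send path, rather than relying on manual QA, catches the batching change before any request leaves the system.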
The company believes that this is a process failure and not really the fault of their engineers. They added that:
“Beyond email addresses, no personal or account information has been disclosed. At no point were any of our core systems at risk.”
In the post, BitMEX deputy chief operating officer Vivien Khoo stated that the risk clients face is understandable: many users of BitMEX services likely use the same email address across other services, and the very human tendency to reuse the same password exposes individuals to the risk of hacks on platforms that may not even relate to crypto.
BitMEX has already initiated remedial services and warns users to beware of phishing email attempts, adding:
“Please be vigilant against phishing attempts. Emails from BitMEX are sent from “firstname.lastname@example.org” and “email@example.com”. We recommend adding these addresses to your contacts list. We will never ask for your password.”