Huobi Crypto Exchange Fixes Breach That Leaked Thousands of Users’ Contact Information

Author
Sujha Sundararajan

Major crypto exchange Huobi has silently resolved a massive vulnerability that allegedly exposed user assets for two years.

Per white hat hacker and researcher Aaron Phillips, Huobi accidentally published a file containing Amazon Web Services (AWS) credentials in June 2021, leaking contact and account information for 4,960 “crypto whales” as well as internal documents.

The data breach could easily have been “the largest crypto theft in history” had it been exploited by an attacker, Phillips wrote in his blog.

“Anyone could have used the credentials to modify content on the huobi.com and hbfile.net domains, among others,” Phillips added. “I had full control over data from almost every aspect of Huobi’s business.”

Phillips first notified Huobi of the leak in June 2022. It took five months to receive a response from the exchange to act on the leak, and Huobi revoked the credentials in June 2023.

The most “dangerous” aspect of the breach was write access to Huobi’s content delivery networks (CDNs) and websites.

“Once an attacker can write to a CDN, it’s trivial to find an opportunity to inject malicious scripts. And once a CDN is compromised, all the sites that link to it are potentially compromised too.”
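As an added illustration (not code from Phillips, Huobi or this publication), the sketch below shows one common defence against the CDN risk described above, Subresource Integrity (SRI): a page pins the hash of each CDN script, so modified bytes no longer match and the browser refuses to run them. SRI is not mentioned in the article; the `cdn.example` URLs and script bodies are constructed sample data, and fetching the live CDN content is left to the caller.

```python
import base64
import hashlib
from html.parser import HTMLParser

ALGS = ("sha256", "sha384", "sha512")  # SRI hash algorithms, weakest to strongest


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append((attrs["src"], attrs.get("integrity") or ""))


def sri_digest(body: bytes, alg: str = "sha384") -> str:
    """Return the integrity value '<alg>-<base64 digest>' for a script body."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"


def audit(page_html: str, served: dict) -> dict:
    """Map each script URL to 'ok', 'mismatch', 'unpinned' or 'unfetched'.
    served: URL -> bytes the CDN returns now (fetched by the caller)."""
    collector = ScriptCollector()
    collector.feed(page_html)
    report = {}
    for src, integrity in collector.scripts:
        pins = [t for t in integrity.split() if t.split("-", 1)[0] in ALGS]
        if not pins:
            report[src] = "unpinned"   # browser would run whatever the CDN serves
        elif src not in served:
            report[src] = "unfetched"
        else:
            # Like browsers, compare only against the strongest algorithm listed.
            alg = max((p.split("-", 1)[0] for p in pins), key=ALGS.index)
            good = sri_digest(served[src], alg) in pins
            report[src] = "ok" if good else "mismatch"
    return report


# Constructed sample: a page pinning one CDN script and leaving another unpinned.
RELEASED = b"function render(){return 'v1';}"
PAGE = (f'<script src="https://cdn.example/app.js" integrity="{sri_digest(RELEASED)}"'
        ' crossorigin="anonymous"></script>'
        '<script src="https://cdn.example/widget.js"></script>')
TAMPERED = RELEASED + b"/* constructed: bytes added after release */"

if __name__ == "__main__":
    print(audit(PAGE, {"https://cdn.example/app.js": TAMPERED}))
```

Scripts reported as `unpinned` are the ones that would execute modified CDN content without any browser-side check.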

Huobi finally deleted the compromised account, thus securing its cold storage on June 20.

Phillips also claimed that Huobi’s leak exposed a database of over-the-counter (OTC) trades since 2017. The database, a 2TB downloadable file, contained details of user accounts, transaction details, and the IP addresses of traders.

Additionally, the breach revealed the inner workings of Huobi’s production infrastructure and gave access to alter JSON files of the firm’s NFT project – Utopo.

Huobi Maintains the Breach “Wasn’t That Bad”

Huobi said in a response on June 1 that the OTC data breach mentioned by Phillips was “not real, but test data.” The leaks involve user information of only 4,000 users.

According to Huobi’s response to the incident, the data breach occurred “due to improper operations by personnel related to the S3 bucket in the testing environment of the Huobi Japanese AWS site. The relevant user information was completely isolated on October 8, 2022.”

The exchange also maintained that the leak does not involve sensitive information and does not affect user accounts or fund security.

Huobi did not immediately respond to a request for comment.
