Iranian Crypto Exchange Bit24.cash Reportedly Exposes Sensitive Data of Nearly 230K Users

Iranian crypto exchange Bit24.cash users reportedly suffered a significant data breach exposing sensitive data of nearly 230K citizens. However, the exchange dismissed the allegation as “wholly untrue.”

The breach was attributed to an alleged misconfigured storage system used by the exchange, according to a team of researchers at Cybernews, who initially brought the allegations to light.

The misconfigured MinIO object storage system was left unprotected, granting access to S3 buckets containing users’ KYC documents. The data had information including consent letters, passport information, and credit card details, the researchers explained.

“With access to such comprehensive personal and financial data, malicious actors could impersonate individuals, gain unauthorized access to accounts, execute fraudulent transactions, and potentially cause substantial financial and personal harm to the affected users.”

Cybernews researchers later said that the storage is now secure and inaccessible.

Bit24.cash is among the top 5 largest crypto exchanges in Iran, according to TRMlabs insights. The nation adopted a pro-crypto stance in 2019 to circumvent the sanctions imposed against it.

Bit24.cash – “Wholly Untrue”

In response to the claims, the exchange vehemently refuted the allegation calling it “inaccurate and misleading.”

Hossein Amini, a security engineer at bit24.cash, assured that there is no evidence of data breach or unauthorized access to sensitive data and that user security remains Bit24.cash’s ‘utmost priorities.’

“The reference to a misconfigured MinIO instance granting access to S3 buckets containing KYC data is wholly untrue and does not align with our system architecture or security protocols,” Amini said. He confidently asserted that their MinIO instance and S3 buckets remain secure.

Several breaches have occurred in the past due to unsecured access to users’ information. The recent potential breach of Strike, a Bitcoin Lightning-based payment platform, flagged by online sleuth ZachXBT, claimed to have exposed private emails of users.