On November 1, BitMEX sent an email to thousands of its customers informing them about a change in the way it calculates the indices for its products. In the process, however, it ended up exposing 23,000 customer email addresses. In a blog post published today, BitMEX explained that the accident happened because it used a new tool without testing it properly.
The news itself was good for users: BitMEX was updating its methodology for calculating indices to make its reference prices fairer, more robust and more accurate. It botched the delivery of that news, though. In the email it sent to users, it also ended up sharing the email addresses of thousands of other customers in the “To:” field. No other information was leaked.
BitMEX, in a blog post published today, explained how the leak happened. BitMEX wanted to send the update about revamping its indices to all its customers reliably. For that, it has an in-house system dedicated to managing “the necessary rendering, translation, staging, and piecemeal (as not to trigger rate limits) sending of important email”. It also clarified that it had not sent an email to all its customers at once since 2017.
According to the blog, when BitMEX initiated the send, it realised that the process would take more than 10 hours to complete. The team wanted all its customers to receive the email within a reasonable time. To enable this, the team rewrote its email-sending tool to “send single SendGrid API calls in batches of 1,000 addresses”.
The blog post further explained that, since the team was short on time, it deployed the rewritten tool without conducting the usual QA checks. It did not immediately realise that the tool would bunch the addresses together in the “To:” field, where they would be visible to every recipient of that batch.
To handle this, the tool was quickly rewritten to send single SendGrid API calls in batches of 1,000 addresses. Unfortunately, due to the time constraints, this was not put through our normal QA process. It was not immediately understood that the API call would create a literal concatenated “To:” field, leaking customer email addresses.
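The failure described above comes down to how a batch of recipients is laid out in a single provider API call. The following is an added example (not BitMEX's tool or SendGrid's own code) that builds both layouts for a constructed list of 2,500 addresses and runs the kind of pre-send check that a QA gate could have applied. It assumes the payload shape of SendGrid's v3 mail/send request, where each entry in the `personalizations` array is a separate envelope and every address in one envelope's `to` list is visible to the other recipients of that envelope; the page does not name the API version, so that is an assumption. No network call is made.

```python
"""Added example (not BitMEX's code): model two ways of batching a mass
mailing into provider API calls and check which one leaks addresses.

Assumption (not stated on the page): payloads follow SendGrid's v3
mail/send shape, where `personalizations` holds one envelope per entry
and all addresses in one envelope's `to` list share a "To:" header.
"""
from typing import Dict, List

BATCH_SIZE = 1000

# Constructed sample recipient list (not real customer data).
CUSTOMERS = [f"user{i:05d}@example.invalid" for i in range(2500)]


def chunks(items: List[str], size: int) -> List[List[str]]:
    """Split a list into consecutive slices of at most `size` items."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def build_leaky_batches(addresses: List[str]) -> List[dict]:
    """One API call per 1,000 addresses with all of them in a single `to`
    list. This layout yields a concatenated "To:" header per batch."""
    return [
        {"personalizations": [{"to": [{"email": a} for a in batch]}],
         "subject": "Index methodology update"}
        for batch in chunks(addresses, BATCH_SIZE)
    ]


def build_safe_batches(addresses: List[str]) -> List[dict]:
    """Still one API call per 1,000 addresses, but one envelope per
    recipient, so no address appears in another customer's headers."""
    return [
        {"personalizations": [{"to": [{"email": a}]} for a in batch],
         "subject": "Index methodology update"}
        for batch in chunks(addresses, BATCH_SIZE)
    ]


def visible_to_fields(payloads: List[dict]) -> Dict[str, List[str]]:
    """Model what each recipient would see in "To:": every address that
    shares its envelope. Returns recipient -> addresses in its header."""
    seen: Dict[str, List[str]] = {}
    for payload in payloads:
        for envelope in payload["personalizations"]:
            header = [r["email"] for r in envelope["to"]]
            for addr in header:
                seen[addr] = header
    return seen


def leaked_addresses(payloads: List[dict]) -> int:
    """Count addresses exposed to at least one other customer. A check
    like this belongs in the QA gate before any mass send starts."""
    return sum(1 for hdr in visible_to_fields(payloads).values() if len(hdr) > 1)


def max_to_field_size(payloads: List[dict]) -> int:
    """Largest number of addresses placed in any single "To:" header."""
    return max(len(env["to"]) for p in payloads for env in p["personalizations"])


if __name__ == "__main__":
    leaky = build_leaky_batches(CUSTOMERS)
    safe = build_safe_batches(CUSTOMERS)
    print("API calls (leaky / safe):", len(leaky), len(safe))
    print("addresses exposed (leaky):", leaked_addresses(leaky))
    print("addresses exposed (safe):", leaked_addresses(safe))
```

Both builders make the same number of API calls, so the hardened layout keeps the speed-up that motivated the rewrite; the only difference is where each address sits in the payload. Asserting `leaked_addresses(...) == 0` on the generated payloads is a cheap test that would have caught the defect before the first batch was sent.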
As soon as they realised their mistake, they immediately put a halt to the sending of the emails.
BitMEX, on the same day, had shared on its Twitter handle that users’ funds were safe.
The exchange has also taken several other measures to ensure that users are not affected by the leak.
The exchange has also warned its users about possible phishing attempts from attackers who may try to exploit the situation. Furthermore, it has asked all users to follow only instructions published on official BitMEX communication channels, to enable 2FA on their accounts and to use a password manager.
BitMEX’s carelessness in handling user data shows that the crypto industry is in dire need of standardised rules and regulations around handling customer data. Do you think that regulatory bodies across the world need to intervene in the operations of exchanges? Share your views with us in the comments below!