A recent investigation has revealed that Bit24.cash, a prominent Iranian cryptocurrency trading platform, accidentally exposed the personal data of nearly 230,000 users. This incident occurred due to a misconfiguration in the platform’s cloud storage system.

Cybernews conducted the investigation and discovered that Bit24.cash had left an instance of its high-performance object storage system unsecured. This oversight left the cloud storage containers holding the platform’s Know Your Customer (KYC) information publicly accessible.

The exposed data included users’ written consents to regulations and sensitive personal details, such as passport, ID, and credit card information. Despite the significant security lapse, a spokesperson from Bit24.cash denied the claims of a data breach.

“The reference to a misconfigured MinIO instance granting access to S3 buckets containing KYC data is wholly untrue and does not align with our system architecture or security protocols. We can confirm that our MinIO setup and cloud storage containers remain secure, and there has been no unauthorized access to any sensitive user data,” stated Hossein Amini, a security engineer at Bit24.cash.

While Amini gave assurances that user data is safe and secure, Cybernews advised concerned users to contact Bit24.cash’s support for more information.

Bit24.cash is among several Iranian crypto exchanges that have seen significant transaction volumes in 2022. According to a report by TRM Labs, these exchanges, including Wallex.ir, Excoino, and Aban Tether, were responsible for 12% of the total funds transferred to Iranian exchanges during the year. The report further noted that the majority of these funds came from external exchanges, followed by smart contracts and unhosted wallets.