This morning, BitMex doxxed around 30,000 users emails today by forgetting to hide them while sending messages en mass. There are two reasons that this could end up very bad for those doxxed.
BitMEX just doxxed its users in the most outrageously incompetent way imaginable: forgetting to use blind copy on mass email. Someone must be cleaning out their desk already. https://t.co/KmARzImxnk
— Jake Chervinsky (@jchervinsky) November 1, 2019
The dox will help U.S. regulators go after BitMex
One, is because certain countries are restricted from using BitMex, and apparently, many people are using their fist and last name to sign up on BitMex. U.S. regulators mostly care about BitMex providing access to citizens, and not citizens using the site, but some people might still not want their names associated with a site that’s supposed to be anonymous.
This can also be used as evidence against BitMex, who historically hasn’t made their user base public. Regulators are already investigating BitMex regarding allowing U.S. users on their site, and this will almost definitely be used against them. BitMex is currently located in Hong-Kong, not under U.S. jurisdiction, so they likely have not been forced to give information to U.S. authorities.
It’s easy to match BitMex e-mails with already leaked password databases
Total mails+pass found: 229
Im going to get me a coffee now(15min) and i will start the mass personalized email sending to everyone with a leaked pass.
The leaked passwords i found will be included in the mail for each one of you.
— TheMask (@TheCrypt0Mask) November 1, 2019
Everyone knows that emails and passwords are sold on the darkweb. It’s relevant here because it can be pretty easy for someone who has a database as such match the leaked emails to the leaked ones they own. This means that if someone uses the same password for everything, including their BitMex account, it would grant people with those databases access to their BitMex account and funds.
If someone is able to access a BitMex account this way, they will only be able to change the password if they can also access the email associated with it. Lucky, BitMex only allows withdrawals once per day, and that already happened at 8 a.m. central time.
As long as people aren’t using the same password for their e-mail and bitmex account, they have until 8 a.m. to secure their account and funds.