Iranian crypto exchange leaks user passports and IDs


Bit24.cash has inadvertently exposed sensitive data belonging to nearly 230,000 users, as revealed by Cybernews research.

Due to its limited access to foreign financial markets, Iran has embraced cryptocurrency significantly. Last year, Iranian crypto exchanges facilitated transactions totaling nearly $3 billion. Almost all incoming crypto volume in Iran adheres to Know Your Customer (KYC) requirements.

Bit24.cash, Iran’s over-the-counter crypto exchange supporting over 300 coins and tokens, is no exception. During the KYC process, which aims to curb criminal activity, users are required to confirm their identity by uploading official documents. Given the sensitive nature of the documents shared with exchanges, users rightfully expect organizations to safeguard them.


However, Cybernews researchers uncovered a misconfigured MinIO (a high-performance object storage system) instance, inadvertently granting access to S3 buckets (cloud storage containers) containing the platform's KYC data.

Image: Bit24.cash data leak. Data example: a user holding his written consent to the platform rules, with his credit card and ID attached and visible.

This misconfiguration exposed the data of approximately 230,000 Iranian citizens, including their written consent to regulations as well as passports, IDs, and credit cards.

The instance has been secured and is no longer accessible.

Cybernews researchers emphasized the critical nature of compromised KYC verification data on cryptocurrency exchange platforms.

“This breach poses a severe threat, as threat actors could potentially exploit the exposed data for identity theft, fraudulent transactions, and phishing attacks,” they explained.

“With access to such comprehensive personal and financial data, malicious actors could impersonate individuals, gain unauthorized access to accounts, execute fraudulent transactions, and potentially cause substantial financial and personal harm to the affected users.”

Company’s response


In an official email response, Hossein Amini, a security engineer at bit24.cash, assured that user security and data protection are their 'utmost priorities.'

The company allegedly investigated Cybernews’ claims, deeming them 'inaccurate and misleading,' and found no evidence of a data breach or unauthorized access to sensitive user information.

“The reference to a misconfigured MinIO instance granting access to S3 buckets containing KYC data is wholly untrue and does not align with our system architecture or security protocols. We can confirm that our MinIO setup and cloud storage containers remain secure, and there has been no unauthorized access to any sensitive user data,” Amini stated.

While he insisted that user data is safe and secure, concerned users are encouraged to reach out to the platform’s support.