Bit24.cash, an Iranian cryptocurrency exchange, denied claims that it exposed the personal information of its platform users due to a misconfigured storage system.
Alleged KYC data exposure
Earlier today, Cybernews researchers reported that a security flaw on the platform led to the unintended exposure of its users’ Know Your Customer (KYC) data, including IDs, passports, and credit card details, which were accessible to anyone because of misconfigured cloud storage containers.
The researchers warned that the leak exposes the platform’s users to threats of identity theft, phishing attempts, and fraudulent transactions.
Cybernews said the vulnerability has been addressed, with the storage now secured and inaccessible as of press time.
Bit24 is one of the leading crypto trading platforms in Iran. The Asian country is one of the few countries that have adopted a pro-crypto stance as part of efforts to circumvent the sanctions imposed against it by Western superpowers.
Bit24 counters claims
In an email response to Cybernews, Bit24 denied, following an internal investigation, that the vulnerability had occurred.
Hossein Amini, a security engineer at Bit24, asserted that the reported misconfiguration claim is false and inconsistent with the platform’s system architecture and security protocols.
“The reference to a misconfigured MinIO instance granting access to S3 buckets containing KYC data is wholly untrue and does not align with our system architecture or security protocols. We can confirm that our MinIO setup and cloud storage containers remain secure, and there has been no unauthorized access to any sensitive user data,” Amini reportedly said.
Bit24 has yet to respond to CryptoSlate’s request for additional commentary as of press time.
Data breaches in crypto
Meanwhile, incidents of data breaches are prevalent in the crypto sector because regulated platforms gather personal data during registration. While these Know Your Customer protocols aim to curb illicit activities, safe storage remains a significant challenge.
Last year, CryptoSlate reported on several crypto entities, including Bitcoin-based payment platform Strike and bankruptcy claims agent Kroll, suffering breaches that revealed their users’ information.
