Iranian Crypto Exchange Faces Data Leak, Exposing Sensitive User Information
Bit24.cash, a prominent Iranian over-the-counter crypto exchange handling over 300 coins and tokens, has inadvertently compromised the personal data of nearly 230,000 users, according to findings by Cybernews research.
Crypto | 09/01/2024 | Mr. Smith
Due to Iran's restricted access to global financial markets, the country has increasingly embraced cryptocurrency, with its exchanges facilitating transactions amounting to nearly $3 billion last year. Compliance with Know Your Customer (KYC) requirements, which verify users' identities during transactions, is standard practice for Iranian crypto exchanges.
Bit24.cash, as part of its KYC process, required users to upload official documents to confirm their identity. However, researchers discovered a misconfigured instance of MinIO, a high-performance object storage system, that granted unauthorized access to the S3 buckets containing the platform's KYC data.
The sensitive information of approximately 230,000 Iranian citizens, including written consent to regulations, passports, IDs, and credit cards, was exposed. The misconfiguration has since been rectified, and the compromised instance is no longer accessible.
Cybernews researchers underscored the severity of the breach, noting the potential risks of identity theft, fraudulent transactions, and phishing attacks.
Hossein Amini, a security engineer at bit24.cash, responded to the allegations, asserting that user security and data protection are their top priorities. Amini disputed Cybernews' claims, labeling them 'inaccurate and misleading,' and insisted that there was no evidence of a data breach or unauthorized access to sensitive user information.
Despite the denial, the incident highlights the ongoing challenges in securing personal data in the cryptocurrency space and underscores the need for robust security measures to protect users from potential harm. Concerned users are advised to contact the platform's support for further clarification.