Iranian crypto exchange Bit24.cash leaks user passports and IDs
January 07, 2024
Bit24.cash has inadvertently exposed sensitive data belonging to nearly 230,000 users, as revealed by Cybernews research.
Due to its limited access to foreign financial markets, Iran has embraced cryptocurrency significantly. Last year, Iranian crypto exchanges facilitated transactions totaling nearly $3 billion. Almost all incoming crypto volume in Iran adheres to Know Your Customer (KYC) requirements.
Bit24.cash, Iran’s over-the-counter crypto exchange supporting over 300 coins and tokens, is no exception. During the KYC process, which aims to curb criminal activity, users are required to confirm their identity by uploading official documents. Considering the sensitive nature of these documents shared with exchanges, users rightfully expect organizations to safeguard them securely.
However, Cybernews researchers uncovered a misconfigured MinIO (a high-performance object storage system) instance, inadvertently granting access to S3 buckets (cloud storage containers) containing the platform’s KYC data.
This misconfiguration compromised approximately 230,000 Iranian citizens, exposing their written consent to regulations, as well as passports, IDs, and credit cards.
We reached out to the company but did not receive a response before publishing this article. The instance has since been secured and is no longer accessible.
Cybernews researchers emphasized the critical nature of compromised KYC verification data on cryptocurrency exchange platforms.
If you want to know more about this case take a look at the original post:
https://cybernews.com/security/iranian-crypto-exchange-leaks-passports/
About the author: Jurgita Lapienytė, Chief Editor @CyberNews
Follow me on Twitter: @securityaffairs and Faceboo and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Bit24.cash)