The service accidentally revealed confidential data of about 230,000 Iranian citizens.
Due to limited access to foreign financial markets, Iran has actively started using cryptocurrency. Last year, Iranian cryptocurrency exchanges conducted transactions totaling almost $3 billion. Almost the entire volume of incoming cryptocurrency in Iran meets the Know Your Customer (KYC) requirements.
Bit24. cash, an Iranian OTC cryptocurrency exchange that supports more than 300 cryptocurrencies, is no exception. During the KYC process, which aims to prevent criminal activity, users must verify their identity by uploading official documents. Given the confidential nature of these documents transmitted to exchanges, users can rightfully expect organizations to protect them securely.
However, Cybernews researchers found an improperly configured instance of MinIO (a high-performance object storage system) that accidentally provides access to S3 buckets (cloud storage containers) containing the platform's KYC data. The misconfiguration exposed the data of some 230,000 Iranian citizens, providing their written consent to the rules, as well as their passports, ID cards, and credit cards.
Photo of the user with the consent statement, ID card, and bank card
Bit24. cash did not comment on the situation, but the instance is currently unavailable. Cybernews researchers highlighted the critical nature of compromised KYC verification data on cryptocurrency exchange platforms. Experts stressed that attackers can use the disclosed data for identity theft, fraudulent transactions and phishing attacks.
In addition, with access to such comprehensive personal and financial data, cybercriminals can impersonate individuals, gain unauthorized access to accounts, perform fraudulent transactions, and potentially cause significant financial and personal harm to affected users.
Due to limited access to foreign financial markets, Iran has actively started using cryptocurrency. Last year, Iranian cryptocurrency exchanges conducted transactions totaling almost $3 billion. Almost the entire volume of incoming cryptocurrency in Iran meets the Know Your Customer (KYC) requirements.
Bit24. cash, an Iranian OTC cryptocurrency exchange that supports more than 300 cryptocurrencies, is no exception. During the KYC process, which aims to prevent criminal activity, users must verify their identity by uploading official documents. Given the confidential nature of these documents transmitted to exchanges, users can rightfully expect organizations to protect them securely.
However, Cybernews researchers found an improperly configured instance of MinIO (a high-performance object storage system) that accidentally provides access to S3 buckets (cloud storage containers) containing the platform's KYC data. The misconfiguration exposed the data of some 230,000 Iranian citizens, providing their written consent to the rules, as well as their passports, ID cards, and credit cards.
Photo of the user with the consent statement, ID card, and bank card
Bit24. cash did not comment on the situation, but the instance is currently unavailable. Cybernews researchers highlighted the critical nature of compromised KYC verification data on cryptocurrency exchange platforms. Experts stressed that attackers can use the disclosed data for identity theft, fraudulent transactions and phishing attacks.
In addition, with access to such comprehensive personal and financial data, cybercriminals can impersonate individuals, gain unauthorized access to accounts, perform fraudulent transactions, and potentially cause significant financial and personal harm to affected users.
