Exchange Blunder Exposes Names and Email Addresses of ‘270,000 Users’

2020-12-3 14:48

It’s been a bad start to the month for one exchange.

BTC Markets, which is based in Australia, has inadvertently revealed the names and email addresses of its users after a market campaign went awry.

According to Business Insider Australia, an estimated 270,000 users were affected.

The exchange was announcing that it had listed the Tether stablecoin in an email to customers. Normally, these emails are addressed directly to one user — but those who received this message could also see the contact details of 999 others.

It appears that this error was replicated dozens of times, with BTC Markets customers being included in different batches of 1,000 addresses.

On Twitter, the exchange wrote:

Earlier today, an announcement from BTC Markets exposed client names and email addresses. This is a deeply regrettable situation and we apologise wholeheartedly for it.

— BTC Markets (@BTCMarkets) December 1, 2020

The company also stressed that its platform remains secure and unaffected by the blunder — stressing that password information was not compromised either. It is now urging customers to activate two-factor authentication. Explaining what caused the data breach, the exchange added:

“BTC Markets uses an external system to send client-wide emails. We have used this system without incident for a number of years. Our usual process is to also send test emails. However, today our testing didn’t pick up that the sample email addresses in the batch were added to the same email, rather than sent individually. In this case, the batch sizes were under 1,000 email addresses.”

BTC Markets added that it will now report itself to the Office of Australian Information Commissioner — vowing to “fully comply with the data breach reporting requirements.” An internal review will also take place, and there will be “additional rigour placed around data security and training.”

Affected users didn’t react kindly to the announcement:

You lost a long term customer today who had recommended many new customers to your service over the years. I have contacted all of my peers and all will cease using your amateur platform immediately.

— DeFi Investor (@DeFi_Investor) December 1, 2020

It's extremely bad that I can scroll through everyone's email address that was on the email. More worrying is that a lot of your customers used their work email address' which makes them easy targets for would be thieves and scammers. Crypto exchanges really need to up their game

— Darcellous (@Darcellous1) December 1, 2020

Irresponsible, unprofessional and incompetent. I have spoken with my friends and colleagues who I've regrettably brought to your exchange. I am also lodging complaints with ASIC and OAIC over your incompetent treatment of personal data. Who knows what else can be stolen from you!

— Abe Alansi (@AbeAlansi) December 1, 2020