“At no point were any of our core systems at risk”
After the first reports of the incident on Nov. 1, BitMEX released an official statement on the issue on Nov. 4, emphasizing that no personal or account information had been disclosed beyond email addresses.
Apologizing for the concern caused by the leak, the exchange added that none of BitMEX’s core systems were at risk at any point.
BitMEX has not sent mass emails since 2017
In the post, written by the firm’s deputy COO Vivien Khoo, BitMEX confirmed that the recent email leak took place on Nov. 1 and was a result of a failure in the company’s internal bulk email service.
BitMEX stressed that it sends mass emails to all users only on rare occasions and only when absolutely necessary, claiming that the exchange has not sent any bulk emails since 2017.
BitMEX elaborated that the BitMEX Indices Update was important enough to be included in a mass email to customers. “It will impact pricing of all of our products — that we felt it necessary to inform all our users about it,” BitMEX explained.
The exchange further admitted that there was a desire to speed up the delivery of emails as BitMEX found out that the initial send request would have taken up to 10 hours to complete. Instead, the exchange preferred to ensure that customers received the same information “on a more reasonable timescale.”
After the exchange discovered the leak, BitMEX immediately stopped further emails from being sent and initiated a number of measures to mitigate the damage, such as forced password resets for all users with balances and without two-factor authentication.
Twitter hack was unrelated, BitMEX says
In the post, BitMEX also mentioned hackers taking over the company’s Twitter account right after the email leak issue on Nov. 1. The exchange said that the Twitter incident was unrelated to this action, stating that the account was back under BitMEX control within 6 minutes.
Following the news, Jake Chervinsky, a lawyer and general counsel at decentralized finance startup Compound Finance, outlined that Know Your Client regulatory compliance often exposes the public to hacking, phishing and identity theft risks.