- Two marketplaces have left a trove of sensitive user data unprotected online and accessible to anyone.
- The data could be used to steal crypto from users, change balances, or engage in scam operations against them.
- One of the marketplaces stated that nothing important had been exposed, but this isn’t accurate.

Researchers at CyberNews have investigated how much money in the form of crypto could be sitting online completely unprotected. They scanned the entire internet for open MongoDB databases and matched the information they found there against common keywords in the cryptocurrency space. After the preliminary matching, they analyzed the data in each database. They found quite a lot of sensitive information, including marketplace API keys, full user and “know your customer” (KYC) data, private keys, multisig wallet keys, and secure RPC keys.
With this information, an attacker could very easily steal cryptocurrency worth about $18 million. In many of these cases, the problem came from poor security practices at the exposed crypto marketplaces. One of the examples given is “Lykke,” a Swiss marketplace that stored user data in its database without any encryption. Lykke alone has over 100,000 users, a monthly trading volume of $106 million, and over $12 million in yearly revenues. Another example is the Chinese exchange platform “Hubdex,” which also stored KYC data without any encryption.
The exposure was so grave that it would enable malicious actors to change account balances, perform fake trades and deposits, and empty wallets in an instant. This would be catastrophic for both the platforms and the users who trust them. Of course, CyberNews didn’t take advantage of the data but instead tried to contact Hubdex and Lykke. Hubdex hasn’t responded, and they generally seem to be out of reach. Somehow, though, their database was taken offline at some point. Lykke wasn’t quick to respond either, but they eventually acknowledged the notices and assured the researchers that the leaking MongoDB instance would be immediately secured. Upon further investigation, Lykke stated that no personal data was exposed, and no funds were lost due to this mistake.
It is unknown whether any of the sensitive data that the “white-hat” researchers located has been stolen by malicious actors. We may soon see the private user data being sold on the dark web, although, most probably, those who might have this data would use it for themselves. Besides the security measures that the marketplaces must take, their users will also have to take precautions. If there’s any possibility that you’ve been affected by this incident, transfer your crypto to a secure wallet and reset your passwords everywhere.