BitMEX recently sent an email to all its users but managed to reveal the email addresses of every single user in the process. The list is a goldmine for hackers and phishers, and attempts to profit from BitMEX’s folly at the expense of innocent users have already started. We outline some of the ways in which hackers will be able to use the email list and what you can do to protect yourself if you are on it.
Method: The most obvious way to use the email trove is to send phishing emails to users in an attempt to lure them into clicking on links. These are likely to take the form of emails that appear to come from reputable companies and demand urgent action, for example by claiming that there has been unauthorized access to your account and that you need to deal with it.
Remedy: Treat every such email with suspicion, and if you feel you need to take action DO NOT click on the link but go to the relevant account directly through a web browser instead.
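The check behind this remedy, automated as an added example (not part of the original article): it lists the links in an HTML email and flags any whose real destination is not a domain you trust, or whose visible text names a different host than the link. The trusted-domain default, the sample email and the `.example` host are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url):
    """Hostname of an http(s) URL (urlsplit lower-cases it), else None."""
    parts = urlsplit(url.strip())
    return parts.hostname if parts.scheme in ("http", "https") else None

def shown_host(text):
    """Host named in the visible link text, if that text looks like a URL."""
    url = text if "://" in text else "https://" + text
    return host_of(url) if " " not in text and "." in text else None

def is_trusted(host, trusted):
    """Only a trusted domain itself or a true subdomain of it counts."""
    return any(host == d or host.endswith("." + d) for d in trusted)

class Links(HTMLParser):
    """Collects [href, visible text] for each <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self.open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.open = True
    def handle_data(self, data):
        if self.open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"

def audit(html, trusted=("bitmex.com",)):
    """Return [(href, [reasons])]; the default trusted list is an assumption."""
    parser, report = Links(), []
    parser.feed(html)
    for href, text in parser.links:
        host, shown, why = host_of(href), shown_host(text.strip()), []
        if not host or not is_trusted(host, trusted):
            why.append("not a trusted destination: " + (host or href))
        if host and shown and shown != host:
            why.append("text shows " + shown + " but the link goes elsewhere")
        if why:
            report.append((href, why))
    return report

# Constructed sample email body; the .example host is made up.
SAMPLE = """<a href="https://www.bitmex.com.account-check.example/login">https://www.bitmex.com/login</a>
<a href="https://www.bitmex.com/">Security settings</a>"""
```

Running `audit(SAMPLE)` flags only the first link: its host merely starts with the trusted name, and its visible text advertises a different host than the one it opens.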
Method: With your email address, hackers can try to break into your BitMEX account, your email account, and every other account they can think of that might use that email address. This can be done in a number of ways, such as through phishing emails as stated above or through brute-force attempts. How simple this can be has already been shown by Twitter user TheMask, who cross-checked the emails with databases of common passwords and found 229 users who could have been compromised within minutes following the leak.
So I ran a quick search on the BitMEX emails on 1 of my databases and I've gotten quite a few hits (cleartext passwords)
Do you guys think I should email the ppl I found passwords for?
— TheMask (@TheCrypt0Mask) November 1, 2019
Remedy: Change your BitMEX email address and password IMMEDIATELY, and ideally the password associated with the email account too. Make sure you use long, complex passwords that are not easily guessed, with numbers and special characters. If you can’t remember complex passwords, use a password manager to create and store them for you (do not use the compromised email address for your password manager registration).
Bypassing Two-factor Authentication
Method: This isn’t so much a result of the leak, but having gained an email address and a password, hackers will be hoping that users don’t have two-factor authentication (2FA) set up for their accounts. Having 2FA makes it almost impossible for the hacker to get into your account unless they also happen to have your phone and have logged into it.
Remedy: Set up 2FA for EVERY SINGLE ACCOUNT that offers it, but particularly your email account. Having 2FA is probably the best defense against hackers right now.
The Nuclear Option
If you don’t want to take any risks whatsoever following the leak, your best option is to delete the impacted email account entirely and set up a brand new one (with 2FA of course) for all the accounts that were associated with it. If deleting the email address is not an option, just set up the new one anyway and move things across, deleting all emails, contacts and personal information where possible from the old account.
Not Fun, but Necessary
Taking measures such as these is not a fun way to spend your time, particularly when it comes off the back of someone else’s error, but BitMEX have ensured that it’s something that must be done, and the more thorough you are the less chance you have of being impacted by their mistake.