Excerpt from Securityaffairs Article, Published on Jan 07, 2024

Inadvertent exposure of sensitive information belonging to nearly 230,000 users has been disclosed by Cybernews researchers, shedding light on a concerning breach at Bit24.cash, an Iranian crypto exchange.

Iran, restricted from foreign financial markets, has increasingly adopted cryptocurrencies. Last year, Iranian crypto exchanges facilitated transactions nearing $3 billion. Compliance with Know Your Customer (KYC) norms is nearly universal for incoming crypto volume in Iran.

Bit24.cash, an over-the-counter crypto exchange in Iran supporting an array of coins and tokens, follows KYC protocols mandating users to verify their identities through official document submissions. The expectation of users entrusting exchanges with such confidential documents is secure data handling.

However, a misconfigured MinIO, a high-performance object storage system, was discovered by Cybernews researchers, granting unintended access to S3 buckets housing the platform’s KYC data. This breach compromised critical documents such as written consent to regulations, passports, IDs, and credit cards, affecting approximately 230,000 Iranian citizens.

Efforts to reach Bit24.cash for comment before publication were unsuccessful. Subsequently, the exposed instance has been secured and is no longer accessible.

Cybernews underscored the severity of compromised KYC verification data on crypto exchange platforms, highlighting the crucial need for robust data protection measures.

To delve deeper into this topic, please read the full article on Securityaffairs.