Bit24.cash, an Iranian crypto trading platform, has apparently inadvertently exposed the sensitive KYC data of nearly 230,000 users, according to recent research.
According to an investigation conducted by Cybernews, the Iranian crypto exchange Bit24.cash misconfigured a high-performance object storage system instance, inadvertently granting access to cloud storage containers containing the platform’s Know Your Customer (KYC) data.
The researchers learned that approximately 230,000 Iranian citizens have fallen victim to a misconfiguration, which led to the exposure of their written consent to regulations, along with sensitive details such as passports, IDs, and credit cards.
In a commentary to Cybernews, a spokesperson for Bit24.cash called the claims “inaccurate and misleading,” emphasizing that there is no evidence of a data breach or unauthorized access to sensitive user information.
“The reference to a misconfigured MinIO instance granting access to S3 buckets containing KYC data is wholly untrue and does not align with our system architecture or security protocols. We can confirm that our MinIO setup and cloud storage containers remain secure, and there has been no unauthorized access to any sensitive user data,” said Hossein Amini, a security engineer at Bit24.cash.
Although Amini gave assurances that user data is safe and secure, Cybernews encouraged concerned users to reach out to the platform’s support regarding the matter.
As reported earlier, Bit24.cash, along with other Iranian crypto exchanges like Wallex.ir, Excoino, and Aban Tether, accounted for 12% of all funds, both domestic and international, that flowed to Iranian exchanges in 2022.
Based on the TRM Labs report, approximately 90.3% of counterparty funds sent to Iranian exchanges originated from external exchanges, 4.9% from smart contracts, and 4% via unhosted wallets.