Crypto exchange Huobi quietly fixed a data breach that had reportedly put users’ assets at risk since June 2021.
The breach involved the exposure of credentials granting write privileges to all of Huobi's AWS S3 buckets, which the company uses for its cloud storage, according to white hat hacker and citizen journalist Aaron Phillips.
Anyone with access to the credentials could have modified content on Huobi's domains, including huobi.com and hbfile.net. User data and internal documents were also at risk of exposure, Phillips said.
The severity of the breach was significant, Phillips added, alleging that attackers could have used it to “carry out the largest crypto theft in history.” Huobi, which handles over $10 billion in monthly trading volume according to The Block’s data dashboard, deleted the compromised account and secured its cloud storage on June 20, Phillips reported.
Phillips found no evidence the breach was used to carry out an attack.
Phillips highlighted the vulnerability of Huobi's content delivery networks (CDNs) and websites to the injection of malicious scripts. A compromised CDN could have affected every Huobi login page, and potentially every user who logged into a Huobi website or app over the last two years, he said.
The breach put users at risk of losing their accounts and crypto assets, and exposed sensitive information such as the contact details and account balances of crypto users. The exposed data included a database of crypto whales and Huobi’s over-the-counter (OTC) trade data, Phillips said.
Huobi says it's been fixed
"The incident this time involved the leakage of user contact information on a small scale (4,960 individuals)," Huobi said in an email to The Block. "The type of information leaked does not involve sensitive information and does not affect user accounts and fund security. The incident occurred on June 22, 2021, due to improper operations by personnel related to the S3 bucket in the testing environment of the Huobi Japanese AWS site. The relevant user information was completely isolated on October 8, 2022."
"Huobi Japanese site and Huobi Global site are completely different entities. After being discovered by a white hat team, the Huobi Security Team promptly took action on June 21, 2023, immediately closing the relevant file access permissions. The current issue has been fixed, and all related user information has been deleted. We appreciate the contributions made by the white hat team to Huobi’s security," Huobi added.
Huobi's response to the breach ultimately resolved the issue and secured its cloud storage. However, it took months for the white hat to receive a response from Huobi, and the leaked credentials remained online even after he first notified Huobi of the issue in June 2022, Phillips said.
© 2023 The Block. All Rights Reserved.