MongoDB server vulnerability leaks Bezop cryptocurrency user information
According to bleepingcomputer on April 26, Kromtech, a network security company, accidentally discovered a MongoDB database containing personal information of more than 25,000 users who have invested or received Bezop (cryptocurrency), including names, home addresses, and e-mail addresses. Encrypt passwords, wallet information, scanned passports, driver’s licenses, or ID cards.
Bezop was a new cryptocurrency introduced late last year, and its team recently organized an initial release token (ICO) to raise funds to create a blockchain-driven e-commerce network. To make the cryptocurrency famous, cybersecurity expert John McPhee added Bezop to his “ICO of the Week” recommendation letter to join Bezop, but later the Bezop team admitted to paying McAfee for a promotion. Currently, the currency is ranked 728 on the CoinMarketCap website and its trading price is US$0.06 per share.
It is reported that the database stores data related to the “Bounty Plan” that the Bezop team started to run at the beginning of the year. During the project, the team distributed Bezop tokens to users who advertised the currency in their social media accounts.
A Bezop spokesperson stated that the database contains detailed information on about 6,500 ICO investors and the rest is for users participating in the Public Bounty Program and receiving Bezop tokens.
Until March 30, when Kromtech’s researchers discovered the MongoDB database on Google Cloud Server, the data appeared to remain online, and the database did not have a proper authentication system, allowing anyone connected to it to access the stored information.
A Bezop spokesperson acknowledged the violation, claiming that the database was inadvertently exposed on the Internet, but that there was no loss of user funds. In addition, the investor identity card is not stored in the database but is directly linked to their URL, which is currently offline.
The Bezop team said this week that the database has been safely shut down and that its users were notified of the leak. In fact, this is not the only security-related event that affects Bezop users. Earlier this year, the Steelist blog accused the company of sending the ICO registration password in clear text via e-mail, so that users were exposed online unnecessarily.