When the words “crypto whales” and “data leak” appear in the same sentence, every blockchain enthusiast knows it spells potential disaster. Huobi, a major crypto exchange, danced uncomfortably close to that scenario as a massive vulnerability loomed over the platform. According to white hat hacker and researcher Aaron Phillips, who revealed the issue, it allegedly left user assets exposed for nearly two years.
Phillips discovered that Huobi inadvertently published a file containing Amazon Web Services (AWS) credentials in June 2021. As a result, the contacts and account details of nearly 5,000 “crypto whales”, along with internal documents, were out in the open. The chilling reality was that this data breach could easily have turned into “the largest crypto theft in history” if malicious forces had exploited it.
Phillips highlighted the scope of the breach’s potential impact. In simple terms, anyone could have used the exposed credentials to modify content across huobi.com and other associated domains. The leak also granted write privileges to Huobi’s content delivery networks (CDNs) and websites, the prelude to a potential injection of malicious scripts.
Moreover, the leak exposed a database of over-the-counter (OTC) trades since 2017, including user accounts, transaction details, and traders’ IP addresses – a veritable treasure trove for any opportunist with ill intentions.
However, Huobi did not share Phillips’ alarm. The exchange downplayed the breach, stating it was “not real, but test data.” It further explained that the data breach occurred due to the mishandling of an S3 bucket by personnel operating in the testing environment of the Huobi Japanese AWS site. By its version of events, the affected user data, covering only 4,000 users, was completely isolated on October 8, 2022.
Huobi further denied that any sensitive information had been exposed or that user accounts and fund security had been compromised. While this should come as a relief, the exchange’s seeming tone-deafness to the potential calamity raises concerns about its security awareness and readiness. A catastrophe was averted, but the lingering question is at what cost, and whether it will serve as a wake-up call for the necessary fortification of cybersecurity.
Source: Cryptonews