January 8, 2024 at 09:14AM
A misconfigured object storage system at Iranian crypto exchange bit24.cash exposed personal details of 230,000 citizens. Researchers found unprotected and open S3 buckets storing users’ verification documents, including consent letters, passport information, and credit card details. However, bit24.cash assured no evidence of a breach and confirmed securing the storage instance. Unsecured S3 buckets have caused previous breaches.
Based on the meeting notes, the following key takeaways can be drawn:
1. A misconfigured object storage system utilized by the Iranian crypto exchange bit24.cash resulted in the exposure of personal information of approximately 230,000 citizens in Iran.
2. Cybernews researchers discovered that bit24.cash’s MinIO had unprotected and open online S3 buckets, leading to the storage of users’ verification documents, which included consent letters, passport information, and credit card details.
3. Security engineer Hossein Amini assured Cybernews that there was no evidence of a data breach or unauthorized access to the sensitive user information. He emphasized that user security and data protection are top priorities for bit24.cash.
4. Researchers confirmed that the storage instance has since been secured and is no longer accessible.
5. The incident serves as another example of the risks associated with unsecured access to S3 buckets, which has been linked to a number of breaches.
These takeaways encapsulate the significant points from the meeting notes and provide a clear understanding of the situation at hand.