New Cryptocurrency Spills Personal Information of Thousands of Investors – Passports, Wallets, All Included
An unsecured Mongo database has exposed full names, addresses, email addresses, encrypted passwords, wallet information, links to scanned passports, driver's licenses, and other information of over 25,000 investors of Bezop, a newly created cryptocurrency. Researchers at Kromtech Security have revealed that the John McAfee-backed cryptocurrency left a MongoDB database unsecured, spilling personally identifying data.
The company behind this cryptocurrency has now secured the database after they were notified by the researchers. Trying to attract investors, Bezop is one of the many cryptocurrencies that are appearing to flood an already flooded market. The company got paid the backing of McAfee who had tweeted that Bezop "could be as huge as it gets in the blockchain world" refering to it being “a distributed version of Amazon.com." According to Gizmodo, McAfee charges up to $105,000 to promote initial coin offerings (ICOs) on his Twitter account.
Bezop cryptocurrency exposes data of 25K investors through an unsecured database
But, even McAfee can't save Bezop from this utter embarrassment now. Security researchers said that during the time of its ICO in January, Bezop left one of the databases unprotected. This database contained a file called "Bounty" that carried all the data on the people who had invested and participated in the initial public offering.
"It does not seem to be a very good start for a company such as this to place personal information of anyone on the Internet and open to the public, especially it’s early investors," Kromtech said (emphasis is ours).
"In fact, it's a little difficult to grasp how it could happen, even if by mistake. Given the changes to MongoDB, it would have to have been deliberately configured to be public, a configuration which should not even be risked internally."
In its statement, Bezop has said that it had sent a notice to all its investors on January 8 reporting a DDoS attack that exposed the data. However, the company has failed to clarify why the database was left exposed until March 30 when the researchers discovered it.
Takeaway? don't fall for everything carrying "crypto" or "blockchain" tags even if they are being promoted by popular names. They might just be getting paid for those promotions...