Huobi allowed a user-data leak for two years

The cryptocurrency exchange Huobi has remedied a data leak that, it is reported, jeopardised users’ assets since June 2021. This was brought to attention by white-hat hacker Aaron Phillips.

According to him, the breach was linked to the disclosure of credentials granting write access to all Huobi AWS S3 storage buckets. Phillips first notified the exchange of the incident in June 2022.

“Anyone with access to the credentials could alter content on Huobi domains, including huobi.com and hbfile.net. The breach also exposed user data and internal documents,” the researcher said.

Phillips says the severity of the breach was significant and could have led to “the largest cryptocurrency theft in history.” However, he found no evidence that the breach was used to carry out an attack.

The hacker highlighted vulnerabilities in Huobi's content delivery networks (CDNs) and sites that could have enabled malicious scripts to be injected. He said the CDNs could have compromised every Huobi login page, potentially affecting every user who visited the site or used the Huobi app over the past two years.
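The exposure described above, long-lived credentials with write access to the buckets that serve a site's scripts, leaves a trail in CloudTrail. The detection logic below is an added example, not code from the article, from Phillips or from Huobi; the bucket name, deploy network and sample events are constructed, and the rule simply flags content-bucket writes made with a static IAM user key or from outside the deploy network.

```python
"""Flag S3 writes to content-serving buckets made with a long-lived IAM user
key or from outside the deploy network. Events are CONSTRUCTED to follow the
CloudTrail record schema (eventName, userIdentity, requestParameters, ...)."""
import ipaddress

# S3 API calls that change served content or who is allowed to write it.
WRITE_EVENTS = {"PutObject", "DeleteObject", "PutBucketPolicy",
                "PutBucketAcl", "PutBucketWebsite", "PutBucketCors"}

def flag_suspicious_writes(events, protected_buckets, deploy_cidrs):
    """Return (eventName, bucket, reason) for each write that should not happen."""
    nets = [ipaddress.ip_network(c) for c in deploy_cidrs]
    hits = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in WRITE_EVENTS:
            continue
        bucket = (ev.get("requestParameters") or {}).get("bucketName")
        if bucket not in protected_buckets:
            continue
        ident = ev.get("userIdentity") or {}
        reasons = []
        # Long-lived access keys start with AKIA; temporary STS keys start with ASIA.
        if ident.get("type") == "IAMUser" and ident.get("accessKeyId", "").startswith("AKIA"):
            reasons.append("static IAM user key")
        try:
            ip = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
            if not any(ip in n for n in nets):
                reasons.append("source outside deploy network")
        except ValueError:
            pass  # AWS service principals log a hostname rather than an IP
        if reasons:
            hits.append((ev["eventName"], bucket, "; ".join(reasons)))
    return hits

# Constructed sample: a CI deploy, a write with a leaked static key, a policy change from an unknown network.
PROTECTED = {"static-assets-example"}
DEPLOY_CIDRS = ["10.0.0.0/8"]
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE1"},
     "requestParameters": {"bucketName": "static-assets-example", "key": "js/app.js"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE2"},
     "requestParameters": {"bucketName": "static-assets-example", "key": "js/login.js"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE3"},
     "requestParameters": {"bucketName": "static-assets-example"}},
]
```

Running `flag_suspicious_writes(SAMPLE_EVENTS, PROTECTED, DEPLOY_CIDRS)` flags the second and third events and passes the CI deploy; in production the same rule would be fed from the CloudTrail S3 data events for the content buckets.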

“Users risked losing their accounts and crypto assets and exposing confidential information such as contact details and balances, including Huobi’s off-exchange trading data,” Phillips added.

Representatives of the exchange told The Block that their team removed the compromised account, revoked file-access permissions and secured the cloud storage on June 21. The exposure also included the contact information of 4,960 clients of the trading platform.

“The breach did not include confidential information and did not affect user accounts or the security of funds. The incident occurred on 22 June 2021 due to staff missteps related to the S3 bucket in the test environment of Huobi’s Japanese site on AWS. The corresponding user information was fully isolated on 8 October 2022,” Huobi said.

The company emphasised that the Japanese site and the global platform are not connected.

In December 2022, cryptocurrency exchange Gemini reported a data breach of user data following a series of phishing attacks.
