Huobi Discreetly Patches Data Vulnerability Exposing Customer Funds
Summary: Users' personal information, including email addresses and account balances, was at risk, and users could have lost their crypto assets. Huobi said that only a limited number of users' contact information was compromised, and the information did not contain sensitive data. The incident was resolved by the Huobi Security Team.
Huobi, a cryptocurrency exchange, secretly patched a data vulnerability that had exposed customers’ funds since June 2021. According to white hat hacker and citizen journalist Aaron Phillips, the breach resulted from the disclosure of credentials providing write access to all of Huobi’s AWS S3 buckets used for cloud storage.
Could Have Been Largest Crypto Theft
Huobi’s domains, such as huobi.com and hbfile.net, might have been tampered with by whoever gained access to the credentials. Phillips said that it was possible for internal documents and user data to be leaked as well.
Phillips noted the seriousness of the incident by claiming that hackers may “carry out the largest crypto theft in history.” On June 20th, Phillips claimed that Huobi had erased the hacked account and protected its cloud storage after processing over $10 billion in monthly trade activity.
Phillips could not find any indication that the vulnerability had been used in an attack. However, he drew attention to the fact that malicious scripts might be injected into Huobi’s content delivery networks (CDNs) and websites. He speculated that everyone who has signed in to a Huobi service in the last two years via any of the CDNs might have been affected.
Access to All Pieces of Info
Moreover, users’ personal information, like email addresses and account balances, was at risk, and there was a possibility that users could lose their crypto assets. Phillips said that the exposed data contained information on crypto “whales” as well as OTC trading data from Huobi.
Huobi, for its part, said that the contact information of a limited number of users (4,960 to be exact) was compromised. User accounts and financial security are unaffected, and the sort of information that was disclosed does not contain sensitive data. On October 8, 2022, all user data that was relevant to the case was separated.
According to the team, there is no connection between the Japanese version of Huobi and the international version of Huobi. On June 21, 2023, after being notified by the white hat team, the Huobi Security Team swiftly closed the relevant file access rights. All affected user data has been removed and the present problem has been resolved.