UK bitcoin exchange CoinCut is investigating a possible data breach which exposed sensitive customer information including passport and card data to the public.
The firm’s website was back up and running at the time of writing, although performance is slow.
Visitors last week were apparently able to access directories including images of passports, personal ID and credit and debit cards.
Company spokesperson, Dax Chan, said the firm was treating the incident as “malicious.”
“We’re trying to figure out how that particular directory was made visible to the world – and how the problem leaked out so promptly given that we’re a moderately small Bitcoin vendor in the grand scheme of things,” he claimed, according to CoinDesk.
If he’s right, CoinCut customers may be at risk of identity theft and possible follow-up phishing attacks as the stolen data makes its way onto the cybercrime underground and into the hands of online fraudsters.
Robert Hansen, vice president at WhiteHat Security, argued that the incident is far from unusual.
“I’ve seen a number of applications that have similar vulnerabilities. It’s very common for websites to store sensitive information in publicly accessible web directories,” he added. “It’s a trivial attack to do a directory transversal or iterate through file names to identify what other things might be in that same directory.”
He added that it’s strange for CoinCut to claim to be surprised by the speed of the data leak.
“Information leaks of people who want to use a pseudo-anonymous currency is probably some of the most valuable data on earth to spooks, competitors, as well as the security research community,” he claimed.
Security concerns remain one of the major barriers to greater Bitcoin adoption, with incidents like this only serving to reinforce skepticism about the crypto-currency.
Researchers at Kaspersky Lab told attendees at the BlackHat Asia conference in Singapore earlier this year that blockchain-based digital currencies could be abused by polluting the decentralized databases of crypto-currency transactions.