A leaky database recently unearthed online contains a wealth of sensitive data belonging to thousands of investors in the Bezop cryptocurrency, including photocopies of their driver’s licenses and passports, according to a report from Kromtech Security.
Kromtech announced on Wednesday that Bezop, which offers its own cryptocurrency “tokens” in addition to… some sort of blockchain-based e-commerce app, left a MongoDB database wholly unsecured, exposing “full names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses, and other IDs for over 25,000 investors”.
Among the advisors named on the organisation’s website is John McAfee, the former security software tycoon turned fugitive turned paid cryptocurrency hustler. (I am Jack’s utter lack of surprise.)
Earlier this year, McAfee revealed that he charges up to $US105,000 ($138,596) to promote initial coin offerings (ICOs) on his Twitter account, which at time of writing boasts roughly 821,000 followers. He also announced in March that he was opening up his own “Medium earlier this week, Bezop disclosed that McAfee was paid to promote its cryptocurrency and said investors were notified about the breach on January 8. Kromtech, meanwhile, says the investors’ data was publicly accessible online as late as March 30.
Bezop launched a “bounty” program in early January, according to Kromtech, around the time of its ICO. One of the tables in the exposed Bezop database, which researchers said was not protected by a password and could be accessed by virtually anyone online, was called “Bounty”, suggesting the data it contains may belong to the people who participated in the program.
“It does not seem to be a very good start for a company such as this to place personal information of anyone on the Internet and open to the public, especially its early investors,” Kromtech said.
“In fact, it’s a little difficult to grasp how it could happen, even if by mistake,” Kromtech added. “Given the changes to MongoDB, it would have to have been deliberately configured to be public, a configuration which should not even be risked internally.”