A leaky database discovered online contains a wealth of sensitive data belonging to thousands of investors in Bezop cryptocurrency, including photocopies of their driver’s licenses and passports, according to a report from Kromtech Security.
Kromtech announced on Wednesday that Bezop, which offers its own cryptocurrency “tokens” in addition to... some sort of blockchain-based e-commerce app, left a MongoDB database wholly unsecured, exposing “full names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses, and other IDs for over 25,000 investors.”
Among the advisors named on the organization’s website is John McAfee, the former security software tycoon turned fugitive turned paid cryptocurrency hustler. (I am Jack’s utter lack of surprise.)
Earlier this year, McAfee revealed that he charges up to $105,000 to promote initial coin offerings (ICOs) on his Twitter account, which at time of writing boasts roughly 821,000 followers. He also announced in March that he was opening up his own “hackproof” crypto-security firm—whatever the hell that is.
“I have become an advisor to bezop.io,” McAfee wrote in a testimonial featured on Bezop’s website. “I recommended them recently and, as an early investor in their ICO, I want to make sure they succeed in implementation.”
Bezop was not immediately reached for comment.
In a statement to Threatpost, the organization’s CTO, Deryck Jones, said a notification was sent out earlier this year warning people that Bezop had been targeted by a DDoS attack and also of “security holes exposing that data.” (Threatpost noted it was unsure if Jones was actually referring to the passports and other information uncovered by Kromtech.)
On Medium yesterday, Bezop disclosed that McAfee was paid to promote its cryptocurrency and said investors were notified about the breach on January 8. Kromtech, meanwhile, says the investors’ data was publicly accessible as late as March 30.
Bezop launched a “bounty” program in early January, according to Kromtech, around the time of its ICO. One of the tables in the exposed Bezop database, which researchers said was not protected by a password and could be accessed by virtually anyone online, was called “Bounty,” suggesting the data it contains may belong to the people who participated in the program.
“It does not seem to be a very good start for a company such as this to place personal information of anyone on the Internet and open to the public, especially its early investors,” Kromtech said.
“In fact, it’s a little difficult to grasp how it could happen, even if by mistake,” Kromtech added. “Given the changes to MongoDB, it would have to have been deliberately configured to be public, a configuration which should not even be risked internally.”
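As an added illustration of the configuration Kromtech is describing (a constructed example, not Bezop’s actual configuration or anything from the Kromtech report), here is a `mongod.conf` of the kind that leaves a database readable by anyone on the Internet, followed by the hardened form. Since MongoDB 3.6 a fresh install binds to localhost only, so the exposed variant requires someone to have widened `bindIp` by hand; the address `10.0.0.5` is a placeholder for the private application-network interface.

```yaml
# Constructed example: an exposed instance of the kind Kromtech describes.
# Both settings have to be wrong for the data to be readable by "virtually
# anyone online": the listener faces the public interface AND no login is required.
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, including the public one
# No 'security' section: authorization stays off, so any TCP connection
# can list databases and dump every collection (e.g. a table named "Bounty").

---
# Hardened form of the same file.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-network address only
                               # (10.0.0.5 is a placeholder for your internal interface)
security:
  authorization: enabled       # clients must authenticate; create an admin user
                               # on localhost before restarting with this setting
```

After the change, an unauthenticated connection from outside the private network should be refused at the TCP level, and one from inside should be able to do nothing beyond logging in.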