Industry News

Hundreds of thousands of cryptocurrency investors put at risk after BuyUCoin security breach

Hundreds of thousands of cryptocurrency investors put at risk after BuyUCoin security breach
  • Data from Indian cryptocurrency BuyUCoin has been leaked online
  • Notorious hacking group appears to have accessed unsecured MongoDB database

Another day, and another report that a cryptocurrency exchange has been breached by malicious hackers.

Indian cryptocurrency exchange BuyUCoin says that is investigating claims that sensitive data related to hundreds of thousands of its users has been published on the dark web, where it is available for free download.

The 6GB of leaked data is said to have been found in a MongoDB database that BuyUCoin had left unsecured, and included users’ bank account details, email addresses, bcrypt-hashed passwords, mobile phone numbers, and Google sign-in tokens.

The data was subsequently leaked by the ShinyHunters gang which has a history of publishing data breaches.

Such details could, of course, be used by other online criminals to scam and defraud cryptocurrency investors.

Existing customers of BuyUCoin, including security researcher Rajshekhar Rajaharia, have confirmed the authenticity of the data breach by finding their own information in the leaked data.

Screenshots posted on social media of the data leak suggest that information included in the leaked database may have been accessed as recently as last September.

However, for now at least, BuyUCoin is sending mixed messages regarding whether a breach has occurred or not.

Initially a statement from the BuyUCoin’s CEO Shivam Thakral was released saying: “In the mid of 2020, while conducting a routine testing exercise with dummy data, we faced a ‘low impact security incident’ in which non-sensitive, dummy data of only 200 entries were impacted. We would like to clarify that not even a single customer was affected during the incident.”

That statement, however, was later replaced on BuyUCoin’s blog with another that said the company is “investigating each and every aspect of the report about malicious and unlawful cybercrime activities by foreign entities in mid-2020.”

The cryptocurrency exchange says that it will keep users updated with its investigation uncovers, and will “conduct a major cybersecurity overhaul throughout 2021 to upgrade platform security.”

I don’t know about you, but I’m not sure that’s going to reassure many cryptocurrency investors at this stage.

There is a simple checklist which administrators of MongoDB databases can follow to help ensure that sensitive information stays out of reach of cybercriminals.

Unfortunately, it is still all too common to find companiess are using older versions of the MongoDB software, which didn’t require a password by default.

Past victims of hacks associated with MongoDB databases breaches have included Verizon, dating website BeautifulPeople, and millions of users of an Android keyboard app.

If reports are confirmed that BuyUCoin left a MongoDB instance unsecured and directly accessible on the internet then it really shows a reckless disregard for the security and privacy of its users.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.