Cybernews reports that Iranian cryptocurrency exchange Bit24.cash had almost 230,000 of its users' sensitive information accidentally compromised after S3 buckets storing its Know Your Customer verification data became accessible due to a misconfiguration in its MinIO object storage system.
Information leaked by the misconfiguration included individuals' IDs, credit cards, and passports, as well as their written consent to KYC laws. While Bit24.cash has since secured the misconfigured cloud storage system, the severity of such exposure has been emphasized by Cybernews researchers.
"This breach poses a severe threat, as threat actors could potentially exploit the exposed data for identity theft, fraudulent transactions, and phishing attacks. With access to such comprehensive personal and financial data, malicious actors could impersonate individuals, gain unauthorized access to accounts, execute fraudulent transactions, and potentially cause substantial financial and personal harm to the affected users," said researchers.
Hijacked Ubiquiti EdgeRouters were reported by the FBI, National Security Agency, U.S. Cyber Command, and other law enforcement agencies around the world to have been exploited by Russian state-sponsored threat operation APT28.