A leaky Mongo database exposed personal information, including scanned passports and driver’s licenses, of 25,000 investors and potential investors tied to the Bezop cryptocurrency, according to researchers.
Kromtech Security said that it found the unprotected data on March 30, and that it included a treasure trove of information ranging from “full names, (street) addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses and other IDs.”
Kromtech researchers, in an overview of the results of their investigation, said that Bezop.io, the organization behind the currency, immediately secured the data after being notified.
Bezop is one of over 1,000 cryptocurrencies in a crowded playing field vying for investor attention. According to Kromtech, the list of 25,000 people included both current and prospective investors promised Bezop cryptocurrency in exchange for promoting the cryptocurrency on social media.
“Bezop sent out a notice back on Jan. 8 during the ICO (initial coin offering), reporting both a DDoS attack and security holes exposing that data,” wrote Deryck Jones, who is listed as Bezop.io’s CTO online, in an email interview with Threatpost. “The Bezop notice went to all investors including me. It was an unfortunate incident and very disappointing.”
He said that it’s not unusual in ICOs for investors to supply personal data, including scanned copies of passports and driver’s licenses, as part of the verification process for both token and coin sales. It’s also unclear if Jones was referring to the same March 30 leaky MongoDB discovery by Kromtech when he referenced the Jan. 8 DDoS attack and data exposure.
Promoters, who were also part of the 25,000 who had personal data about themselves stored insecurely online, claim they were denied Bezop tokens despite promoting the cryptocurrency.
Bezop addressed those concerns in a blog post after Threatpost contacted the stakeholders. “In the interest of full disclosure, John McAfee, coinmarketcap, Facebook and all other Bezop promoters were all paid for the promotion of Bezop,” it said.
In an email response to Threatpost, Camelius Ubah, identified as a Bezop.io engineer on the company’s website, said that the leaky storage incident “has already been addressed publicly on January 8, 2018.” He added, “Sorry to inform you that this is not news to us, neither is it to our subscribers.”
Ubah did not address the discrepancy between Kromtech’s discovery of the leaky MongoDB in March and the public disclosure of the DDoS attack and data exposure in January.
Bezop also posted Tuesday, in response to Threatpost’s inquiry, a note to investors regarding the January DDoS attack and security hole: “We reported a DDoS attack and a couple of security holes that unintentionally exposed user data such as name, wallet addresses, address on file, copies of identification documents, etc., and that they could possibly be in the public domain. That database has since been closed and secured.”
Bezop cryptocurrency is billed as a “distributed version of Amazon.com” by coin promoter John McAfee. McAfee is listed as an advisor to Bezop on the currency’s website.
Please – I did not imply that BEZOP would replace https://t.co/d4FBsqmKpI. Not ever. I believe BEZOP has the best chance of being one of the top distributed competitors to Amazon, and is an excellent investment, but it is highly unlikely to put Amazon out of business. Bezop.io https://t.co/GiJQsLNMu2
— John McAfee (@officialmcafee) January 5, 2018
In January, McAfee tweeted that Bezop “allows simple and secure creation of e-commerce sites – searchable in the same manner as Amazon – but with no Amazon as middle man. This could be as huge as it gets in the blockchain world.”
“It does not seem to be a very good start for a company such as this to place personal information of anyone on the internet and open to the public, especially its early investors,” Kromtech researchers wrote. “In fact, it’s a little difficult to grasp how it could happen, even if by mistake. Given the changes to MongoDB, it would have to have been deliberately configured to be public, a configuration which should not even be risked internally.”
Since 2017, there has been a rash of insecure MongoDB, Hadoop and CouchDB installations leaking sensitive data. Last year, more than 28,000 insecure MongoDBs were spotted, Kromtech researchers told us.
At the time, Bob Dyachenko, chief communication officer at Kromtech, said that in some cases, cloud providers such as Amazon were to blame for insecure installations that allow administrators to configure MongoDB installations and other databases with default settings, and do not require user names or passwords for access.
Since then, Amazon and other cloud providers have buttoned up security, offering tools to find insecure data, and have been enhancing security to make it harder for administrators to accidentally misconfigure storage buckets.
“Making your investor’s personal information public is obviously not a good practice and a huge mistake to make. We hope that they ensure that their new product, which uses MongoDB as part of its design, and any future bounty programs using the same, will be configured far more securely than this MongoDB instance turned out to be,” Kromtech researchers said in discussing this latest incident.
Since its ICO, Bezop.io has had a bumpy ride. According to reviews of the currency by coin-watchers, those behind the currency have made mistakes such as sending emails with usernames and passwords to investors in clear text. Others have been critical of the company’s promotional efforts around Bezop.io’s investor acquisition program.