QuickBit, a Swedish cryptocurrency exchange listed on the NGM Nordic MTF market, allegedly leaked 300,000 customer records via an unprotected MongoDB database. The exchange confirmed the event in a series of updates on their investor relations board.
The leak, detailed by security researcher Paul Bischoff, first came to light after security aggregator Shodan noted the existence of the open database. QuickBit said that an outside contractor left the data unprotected while attempting a security upgrade.
A translated excerpt from their report:
QuickBit has recently adopted a third-party system for supplementary security screening of customers. In connection with the delivery of this system, it has been on a server that has been visible outside QuickBits firewall for a few days, and thus accessible to the person who has the right tools.
During the delivery period, a database has been exposed with information about name, address, e-mail address and truncated (not complete) card information for approximately 2% of QuickBit’s customers.
Bischoff wrote that the QuickBit team pulled the database on or about July 3 after receiving notice that it was open. The records contained full names, addresses, email addresses, user gender, and dates of birth. QuickBit said it exposed no passwords or social security numbers and that no cryptocurrency keys leaked.
Image via Comparitech.
“In addition to those records, we also discovered 143 records with internal credentials, including merchants, secret keys, names, passwords, secret phrases, user IDs, and other information,” wrote Bischoff.
The company went public on July 11 with a market cap of about $22 million. We reached out to QuickBit for further comment. “Data security is of utmost importance for QuickBit,” they wrote. “We will publish a public version of the incident report on our website shortly.”
— Nordic Growth Market (@ngmexchange) July 11, 2019
QuickBit image via Twitter