Lykke and Hubdex Users at Risk from Poor Security Practices on Crypto Marketplaces
Lykke and Hubdex marketplaces were found to have made a variety of private information publicly accessible.
A report published by CyberNews, an independent cybersecurity research publication, warns crypto enthusiasts about the dangers of conducting transactions in unsafe online marketplaces. It states that at least $18 million in cryptocurrency has been exposed to theft due to poor cybersecurity.
CyberNews revealed two exchanges with “dangerously unsafe” security: the Lykke Marketplace and Hubdex.
Lykke, originating from Switzerland, revealed their API keys in a publicly accessible database. API keys can be used to directly access an exchange to perform transactions. The setup left plenty of room for malicious actors to transfer cryptocurrency into their own accounts, or interfere with trades conducted between other users.
In addition, Lykke was also discovered to have exposed the private keys of its customers. Private keys function as passwords for crypto wallets, so Lykke’s compromised security allowed anyone who looked in the right place to spend, trade, or transfer another user’s cryptocurrency without their knowledge or consent.
Even though some customers made use of multi-sig wallets, which require at least two authorisations before the funds are made available, Lykke’s exposed database also recorded the redeem scripts and the private keys to these wallets, both of which are adequate to enable hackers with only modest technical skills to tamper with their cryptocurrency.
CyberNews reported that knowledge of this information “allowed direct access to users’ funds, meaning the full ability to steal those funds or manipulate any data.”
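The multi-sig weakness described above is something a custody audit can test for. The following is an added example, not code from CyberNews, Lykke or Hubdex: it parses a standard M-of-N redeem script and reports whether a single datastore holds at least M of the matching private keys. The function names, the sample script and the public keys are constructed for illustration.

```python
# Added example: does one datastore hold enough keys to meet a multisig threshold?
OP_1, OP_16, OP_CHECKMULTISIG = 0x51, 0x60, 0xAE

def parse_multisig_redeem_script(script_hex):
    """Return (m, [pubkey_hex, ...]) for a standard M-of-N redeem script."""
    s = bytes.fromhex(script_hex)
    if len(s) < 3 or s[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a standard multisig redeem script")
    if not (OP_1 <= s[0] <= OP_16 and OP_1 <= s[-2] <= OP_16):
        raise ValueError("M or N is not a small-integer opcode")
    m, n = s[0] - 0x50, s[-2] - 0x50
    pubkeys, i, end = [], 1, len(s) - 2
    while i < end:
        push = s[i]  # direct push: 33 (compressed) or 65 (uncompressed) bytes
        if push not in (33, 65) or i + 1 + push > end:
            raise ValueError("unexpected element in key list")
        pubkeys.append(s[i + 1:i + 1 + push].hex())
        i += 1 + push
    if len(pubkeys) != n or m > n:
        raise ValueError("key count does not match N, or M exceeds N")
    return m, pubkeys

def custody_finding(script_hex, pubkeys_with_colocated_privkey):
    """Compare the script's threshold with the keys stored beside it.

    pubkeys_with_colocated_privkey: set of hex public keys whose private
    keys sit in the same datastore as the redeem script.
    """
    m, pubkeys = parse_multisig_redeem_script(script_hex)
    held = sum(1 for pk in pubkeys if pk in pubkeys_with_colocated_privkey)
    return {"m": m, "n": len(pubkeys), "colocated": held,
            "threshold_defeated": held >= m}

# Constructed sample data: placeholder byte patterns, not real keys.
KEY_A = "02" + "11" * 32
KEY_B = "03" + "22" * 32
KEY_C = "02" + "33" * 32
SCRIPT_2_OF_3 = "52" + "".join("21" + k for k in (KEY_A, KEY_B, KEY_C)) + "53ae"

if __name__ == "__main__":
    # Two of three keys stored with the script: the 2-of-3 protection is gone.
    print(custody_finding(SCRIPT_2_OF_3, {KEY_A, KEY_B}))
    # One key stored with the script: a second, separate signer is still needed.
    print(custody_finding(SCRIPT_2_OF_3, {KEY_A}))
```

A finding with `threshold_defeated` set to true means the wallet's multi-sig setting offers no protection beyond that of the datastore itself, so the keys need to be split across independently controlled systems.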
Lykke immediately responded to the report by making the public database private and reaching out to customers that were affected. The marketplace explained that the database was only “available on read-only”.
They assured CyberNews that “no personal data was exposed and no funds were lost,” and that they were taking additional measures to prevent such situations from happening again in the future.
Chinese marketplace Hubdex was also thrust into the hot seat for leaving 1.1 million private keys exposed in a database accessible to the public. The ability to change passwords was also readily available, which enabled any malicious parties to log into accounts of their choosing.
Furthermore, the exchange left API keys and multi-signature wallet keys publicly available, giving hackers a variety of ways to exploit the exchange.
An additional concern is the extent of personal data that Hubdex left exposed. Since cryptocurrency marketplaces are obligated to collect know your customer (KYC) data as part of regulations to prevent the mishandling of digital assets, the official IDs, names and addresses of users were readily available to the public.
The database has been taken offline after CyberNews reached out to China’s National Computer Network Emergency Response Technical Team (CERT), following failed attempts to contact the marketplace itself.
With over 19,000 cryptocurrency marketplaces around the world, there is a pressing need for increased cybersecurity and regulations around the databases of crypto marketplaces. The threat is not just to users’ crypto wallets, but to their identities and personal safety as well.