A leaky database recently unearthed online contains a wealth of sensitive data belonging to thousands of investors in the Bezop cryptocurrency, including photocopies of their driver’s licenses and passports, according to a report from Kromtech Security.
Kromtech announced on Wednesday that Bezop, which offers its own cryptocurrency “tokens” in addition to... some sort of blockchain-based ecommerce app, left a MongoDB database wholly unsecured, exposing “full names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses, and other IDs for over 25,000 investors.”
Among the advisers named on the organisation's website is John McAfee, the former security software tycoon turned fugitive turned paid cryptocurrency hustler. (I am Jack’s utter lack of surprise.)
Earlier this year, McAfee revealed that he charges up to $105,000 (£75,400) to promote initial coin offerings (ICOs) on his Twitter account, which at time of writing boasts roughly 821,000 followers. He also announced in March that he was opening up his own “hackproof” crypto-security firm—whatever the hell that means.
ICO of the week: BEZOP.IO. Bezop is a distributed version of https://t.co/d4FBsqmKpI. it allows simple and secure creation of e-commerce sites - searchable in the same manner as Amazon - but with no Amazon as middle man. This could be as huge as it gets in the blockchain world.
— John McAfee (@officialmcafee) 2 January 2018
“I have become an adviser to bezop.io,” McAfee apparently wrote in a testimonial featured on Bezop’s website. “I recommended them recently and, as an early investor in their ICO, I want to make sure they succeed in implementation.”
Bezop was not immediately reached for comment.
In a statement to Threatpost, the organisation's CTO, Deryck Jones, said a notification was sent out earlier this year warning people that the Bezop had been targeted by a DDoS attack and also of “security holes exposing that data.” (Threatpost noted it was unsure if Jones was actually referring to the passports and other information uncovered by Kromtech.)
On Medium yesterday, Bezop disclosed that McAfee was paid to promote its cryptocurrency and said investors were notified about the breach on January 8. Kromtech, meanwhile, says the investors’ data was publicly accessible online as late as March 30.
Bezop launched a “bounty” programme in early January, according to Kromtech, around the time of its ICO. One of the tables in the exposed Bezop database, which researchers said was not protected by a password and could be accessed by virtually anyone online, was called “Bounty,” suggesting the data it contains may belong to the people who participated in the programme.
“It does not seem to be a very good start for a company such as this to place personal information of anyone on the Internet and open to the public, especially it’s early investors,” Kromtech said.
“In fact, it’s a little difficult to grasp how it could happen, even if by mistake,” Kromtech added. “Given the changes to MongoDB, it would have to have been deliberately configured to be public, a configuration which should not even be risked internally.”