Huobi, a major crypto exchange, fixed a data breach that exposed credentials to its AWS S3 buckets, putting users’ data and assets at risk since June 2021.
According to white hat hacker and citizen journalist Aaron Phillips, the breach involved the exposure of credentials granting write privileges to all of Huobi’s AWS S3 buckets, which the company uses for its cloud storage.
Anyone with access to the credentials could have modified content on Huobi’s domains, including huobi.com and hbfile.net. Phillips said user data and internal documents were also at risk of exposure.
Phillips added that the breach’s severity was significant, alleging that it had the potential for attackers to “carry out the largest crypto theft in history.”
Huobi, which handles over $10 billion in monthly trading volume according to The Block’s data dashboard, deleted the compromised account and secured its cloud storage on June 20, as reported by Phillips.
Huobi confirmed the breach in an email to The Block, stating that it involved the leakage of user contact information on a small scale (4,960 individuals).
The company said the incident occurred on June 22, 2021, due to “improper operations by personnel related to the S3 bucket in the testing environment of the Huobi Japanese AWS site.” The relevant user information was completely isolated on October 8, 2022.
“Huobi Japanese site and Huobi Global site are completely different entities. After being discovered by a white hat team, the Huobi Security Team promptly took action on June 21, 2023, immediately closing the relevant file access permissions. The current issue has been fixed, and all related user information has been deleted. We appreciate the contributions made by the white hat team to Huobi’s security,” Huobi Global said.
Months of delay and vulnerability
Phillips, however, disputed Huobi’s response, saying that it took months for the white hat to receive a response from Huobi, and the leaked credentials remained online even after he first notified Huobi of the issue in June 2022.
He also highlighted the vulnerability of Huobi’s content delivery networks (CDNs) and websites, which could allow the injection of malicious scripts.
Phillips stated that the CDNs could have compromised every Huobi login page, potentially affecting every user who logged into a Huobi website or app over the last two years.
He also shared screenshots of confidential reports containing user data and internal documents exposed by the breach.
Phillips said he decided to go public with his findings after failing to get a satisfactory response from Huobi. He hoped his disclosure would raise awareness and accountability in the crypto industry.