BTC Markets, marketed as Australia’s largest cryptocurrency exchange, exposed the names and email addresses of all customers - albeit in batches of 1000 - on Tuesday afternoon after a mistake in a blast email send went undetected.
The company “apologised wholeheartedly” for the error and “strongly advised” customers that did not have two-factor authentication on their accounts already to enable it.
BTC Markets’ standard login screen uses a customer’s email address as the username.
Customers of the exchange immediately expressed concern that the exposure amounted to a list of valid usernames, leaving those with weak account security settings open to potential compromise.
BTC Markets CEO Caroline Bowler said on Twitter that "all account holders were affected."
The exchange claims to have "over 270,000" customers "who've traded over $10.5bn".
But as it sent the email in batches of “under 1000” emails - a likely send limit imposed by its third-party email service provider - the maximum number of names and email addresses exposed in a single received email was also 1000.
“[We] use an external system to send client-wide emails,” BTC Markets said in a Facebook post.
“We have used this system without incident for a number of years.
“Our usual process is to also send test emails.
“However, today our testing didn’t pick up that the sample email addresses in the batch were added to the same email, rather than sent individually.”
BTC Markets said the batched sends occurred in quick succession and therefore could not be stopped when the error was noticed.
“The process took place very quickly, therefore it was not possible to stop the batch send once the error was realised,” the company said.
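The failure the statement describes is a batching bug: a list of recipients meant for one message each ends up in the visible header of a single message. As an added illustration (not BTC Markets' code or its provider's; the sender address and recipient list are constructed), the broken build beside the per-recipient build, plus the pre-send gate a test stage should run to reject any message that exposes more than one visible recipient:

```python
import email.utils
from email.message import EmailMessage

SENDER = "noreply@exchange.example"  # constructed sender, not a real address
# Constructed sample batch; not real customer data
BATCH = [
    ("Alice Example", "alice@example.com"),
    ("Bob Example", "bob@example.com"),
    ("Carol Example", "carol@example.com"),
]


def build_broken_batch(batch, body):
    """Reproduces the reported defect: the whole batch lands in one To header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(email.utils.formataddr(r) for r in batch)
    msg.set_content(body)
    return [msg]


def build_individual_batch(batch, body):
    """Intended behaviour: one message per recipient, so no customer sees another."""
    msgs = []
    for name, addr in batch:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = email.utils.formataddr((name, addr))
        msg.set_content(body)
        msgs.append(msg)
    return msgs


def exposed_recipients(msg):
    """Addresses every recipient of this message can read (To and Cc, not Bcc)."""
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in email.utils.getaddresses(values) if addr]


def pre_send_gate(messages, max_visible=1):
    """Return (index, exposed addresses) for every message that would leak
    other recipients; an empty list means the batch is safe to hand to the
    mail provider.  Run this on the test send, before the real one."""
    violations = []
    for i, msg in enumerate(messages):
        exposed = exposed_recipients(msg)
        if len(exposed) > max_visible:
            violations.append((i, exposed))
    return violations
```

The gate is cheap enough to run on every batch, not only the test send, and it should be a hard stop: a batch that trips it is never handed to the provider.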
BTC Markets said its exchange platform “remains secure and unaffected”.
“Our external communication process has no interaction with our internal system and no password data was exposed,” it said.
The company added that it would self-report the incident to the Office of the Australian Information Commissioner (OAIC) “and fully comply with the data breach reporting requirements” in Australia.
“In addition, there will be an internal review and additional rigour placed around data security and training,” the company added.