Huobi Exchange Had Leaked OTC Transaction Info, User Data From 2017 To 2021: Report

Wu reported that Huobi exchange has suffered a massive data leak, according to Aaron Phillips, a white hat security researcher.

Breaking: White hat Aaron Phillips disclosed that the Huobi exchange had leaked nearly all OTC transaction information from 2017 to 2021 on a large scale in 2021; some user information, VIP user information and its own technical infrastructure. Read more: https://t.co/QJx45LHLhg pic.twitter.com/ln6pzpbjin

— Wu Blockchain (@WuBlockchain) July 1, 2023

The leaked data includes OTC transaction information, user information, VIP user information, and technical infrastructure data. The leaked data is said to have occurred between 2017 and 2021.

Huobi Leaks ‘Whale Reports’ on Wealthy Users, Source: Aaron

An attacker exploiting Huobi’s mistakes would have had the opportunity to carry out the largest crypto theft in history. The company has previously reported handling over a billion dollars a day in trading volume. If Huobi hadn’t taken action, this breach could have been leveraged to steal user accounts and assets. The company deleted the compromised account and their users are no longer at risk.

Aaron Phillips wrote in a blog post

Huobi has confirmed the incident and stated that it was caused by the irregular operation of relevant personnel in the S3 barrel of the test environment of the Japanese station. The relevant user information was completely isolated on October 8, 2022.

After the incident was discovered by the white hat team, Huobi’s security team took action on June 21, 2023, and immediately closed the relevant file access permissions. The vulnerability has been fixed, and all relevant user information has been deleted. Huobi has thanked the White Hat team for their contributions to its security.

Huobi’s updated response stated that the OTC data mentioned in the article is not real transaction data, but test data. The user information leak only involves 4,000 users. The log shows that only the white hat team has downloaded the data, and the team has also stated that they have deleted it. Therefore, no actual leakage has occurred.