Security researchers have stumbled across a MongoDB database containing the personal details of over 25,000 users who invested in or received Bezop (BEZ) cryptocurrency.
According to cybersecurity firm Kromtech, the database contained information such as full names, home addresses, email addresses, encrypted passwords, wallet information, and scanned passports, driver's licenses, or IDs.
The database stored information related to a "bounty programme" that the Bezop team ran at the start of the year, during which it handed out Bezop tokens to users who promoted the currency on their social media accounts.
A Bezop spokesperson admitted to the breach, claiming the database was inadvertently exposed online while the dev team dealt with a DDoS attack on January 8.
A spokesperson told Bleeping Computer today that no user funds were stolen following this exposure.
The Bezop spokesperson said the database contained details on around 6,500 ICO investors, while the rest belonged to users who participated in the public bounty program and received Bezop tokens in return.
The data appears to have remained exposed online until March 30, when Kromtech researchers spotted the MongoDB database on a Google Cloud server. The database had no authentication in place, so anyone who connected to it could access the stored information.
Bob Diachenko (@MayhemDayOne) tweeted on April 10, 2018: "There are 1384 cryptocurrencies as of Jan 2018. One of them had a database of 25K active users with passwords and login details to the accounts/wallets, and also links to scanned documents like passports, driving licenses etc."
Kromtech researcher Bob Diachenko told Bleeping Computer today that the database was taken down within hours after he tweeted the Bezop team.
"That database has since been closed and secured," the Bezop team said this week, also claiming it had already notified users of the incident. "Investor identity cards were also not stored on the database, rather a URL link to them. This is also offline now."
Diachenko confirmed that an authentication system now protects the database he found at the end of March, although there is no way of telling whether anyone other than the Kromtech team discovered the same database.
This is not the only security-related incident that appears to have affected Bezop users. Earlier in the year, a Steemit blog post accused the company of unnecessarily exposing users by sending ICO registration passwords in cleartext via email.
Bezop is a new cryptocurrency that launched at the end of last year, and whose team recently held an initial coin offering (ICO) to raise money to create a network of blockchain-powered e-commerce stores.
The currency's only claim to fame is that cybersecurity expert John McAfee included Bezop in his "ICO of the Week" recommendations. Bezop later admitted it paid McAfee for the promotion. The currency is currently ranked 728th on CoinMarketCap's website, with a trading price of $0.06 per Bezop token.