Data Breach Leaves Bezop ICO Participants Exposed
April 29, 2018 by Ian Edwards
An unsecured database containing the sensitive private data of over 25,000 investors in the Bezop Network ICO was recently discovered, cybersecurity firm Kromtech said in a recent report.
Unsecured Database Found by Cybersecurity Firm
A MongoDB database containing “full names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses, and other IDs” of participants in the Bezop ICO was left online without any security, leaving it open to the public, according to a report by cybersecurity firm Kromtech.
UK-based Bezop held an ICO in December 2017 to fund their Ethereum-based decentralized eCommerce platform. The token sale for their cryptocurrency BEZ was promoted by John McAfee, who later became an advisor to the project.
ICO of the week: BEZOP.IO. Bezop is a distributed version of https://t.co/d4FBsqmKpI. it allows simple and secure creation of e-commerce sites – searchable in the same manner as Amazon – but with no Amazon as middle man. This could be as huge as it gets in the blockchain world.
— John McAfee (@officialmcafee) January 2, 2018
I have become an advisor to bezop.io. I recommended them recently and, as an early investor in their ICO, I want to make sure they succeed in implementation. I love Amazon,.com, but I want everyone to have the ability to be their own Amazon if they want to start an e-business. pic.twitter.com/mSzLkaA17W
— John McAfee (@officialmcafee) January 7, 2018
On April 11th, Kromtech researcher Bob Diachenko contacted Bezop on Twitter, notifying them of the unsecured database:
@BezopNetwork guys, one of your databases is misconfigured and facing public web now. 25K active users passwords, wallets, links to scanned IDs. Pls secure.
— Bob Diachenko (@MayhemDayOne) April 11, 2018
Subsequently, Bezop made a public announcement on their blog on April 24th, notifying their community of Kromtech’s upcoming report, stating that the compromised “database has since been closed and secured.” The next day, Kromtech published a report of their findings.
The report stated that a table in the database was named “Bounty”, indicating that the information was for those who had participated in Bezop’s bounty program. However, it appears the startup’s data problems went beyond bounty participants and included other ICO investors, with issues beginning around the time Bezop was promoted by John McAfee.
On January 8th, Bezop sent an email to investors in the ICO notifying them that there had been security threats which could have compromised their personal data that they had since resolved:
“This email is to inform all our investors of a recent security threat. Earlier Today, We were DDOS’ed . while cloudflare’s network helped greatly, This battle isnt over. We have now been alerted by a top ‘whitehat hacker’ who found worrying loopholes that can lead to more ddos or worse expose user information. These issues have now been resolved. We urge everyone to quickly go to our app http://bezop.io/app right away and request a password reset. Note : While Trying to reset , Be aware that Your email is case sensitive. Thanks in advance. Bezop Team”
Bezop’s Troubled ICO Process
According to sources, the compromised database was secured “within 24 hours or less” of the original breach. They also tweeted a similar message:
The dB server is not online & Has not been for quite a while. The only occourance we know of and can confirm is the January exploit. Those who had access to that article will have access to these same images .
— Bezop Network (@BezopNetwork) April 26, 2018
Kromtech’s Diachenko told Bitsonline that the database was taken down shortly after he contacted Bezop on Twitter, indicating it could still have been under their control. However, Diachenko’s tweet was public and could have been seen by hackers who held the database, and who subsequently took it down themselves. It would have been truly poor security practice had Bezop left their investors’ personal information unsecured on the internet for three months after knowing about the initial breach.
Data security wasn’t the first issue to strike the Bezop ICO. In response to scores of complaints from investors and bounty program participants, they issued a statement in which they announced “We clearly got caught with our pants down around our ankles during the ICO. What you need to understand is that we were a very small company at the time with very limited resources.”
This latest setback shows that the risks of investing in ICOs, even those endorsed by McAfee, pertain not only to losing money. It is also possible that ICO organizers can mishandle their investors’ private data, leaving them open to identity theft and a loss of privacy.
Shout out in the comments section below. What do you think of Bezop’s handling of the situation?
Images via Pxhere, Pixabay