Huobi fixed breach leaking users’ contact info.

Major crypto exchange Huobi has silently resolved a massive vulnerability that allegedly exposed user assets for two years.

Per white hat hacker and researcher Aaron Phillips, Huobi accidentally published a file containing Amazon Web Services (AWS) credentials in June 2021, leaking contact and account information for 4,960 “crypto whales” as well as internal documents.

The data breach could have easily been “the largest crypto theft in history” if it had been exploited by an attacker, Phillips wrote in his blog.

“Anyone could have used the credentials to modify content on the huobi.com and hbfile.net domains, among others,” Phillips added. “I had full control over data from almost every aspect of Huobi’s business.”

Phillips first notified Huobi of the leak in June 2022. It took five months to receive a response from the exchange to act on the leak, and Huobi did not revoke the credentials until June 2023.

The most “dangerous” aspect of the breach was write access to Huobi’s content delivery networks (CDNs) and websites.

“Once an attacker can write to a CDN, it’s trivial to find an opportunity to inject malicious scripts. And once a CDN is compromised, all the sites that link to it are potentially compromised too.”

Huobi finally deleted the compromised account, thus securing its cold storage on June 20.

Phillips also claimed that Huobi’s leak exposed a database of over-the-counter (OTC) trades since 2017. The database, a 2TB downloadable file, contained details of user accounts, transaction details, and the IP addresses of traders.

Additionally, the breach revealed the inner workings of Huobi’s production infrastructure and gave access to alter JSON files of the firm’s NFT project – Utopo.

Huobi Maintains the Breach “Wasn’t That Bad”

Huobi said in a response on June 1 that the OTC data breach mentioned by Phillips was “not real, but test data.” The leaks involve user information of only 4000 users.

According to Huobi’s response to the incident, the data breach occurred “due to improper operations by personnel related to the S3 bucket in the testing environment of the Huobi Japanese AWS site. The relevant user information was completely isolated on October 8, 2022.”

The exchange also said that the leak does not involve sensitive information and does not affect user accounts or fund security.

Huobi did not immediately respond to a request for comment.