Bezop in the Line of Fire After Reports That It Leaked a Quarter of a Million Investors’ Personal Info

Bezop is learning the hard way about shoring up its database to the hilt to avoid leaks that expose its users’ private information.

Bezop, which counts John McAfee among its advisors, is being accused of leaking a large volume of its users’ personal information.

News of the leak surfaced this week from Kromtech Security Center. Its researchers found the leak, which exposed everything ID thieves need to carry out their misdeeds.

Let’s discuss.

How this happened

At the end of March, Kromtech’s researchers reported that they’d discovered a leak that exposed the full names, addresses, email addresses, encrypted passwords, and wallet information for more than 25,000 investors.

But that’s not all. The researchers also found that the leak exposed publicly accessible links to scanned passports, driver’s licenses, and other IDs.

The blame seems to rest squarely on the shoulders of Bezop. The researchers found that the MongoDB database in use was completely unsecured.

According to Cripto Turk, the storefront (front-end) side of Bezop’s system is built on MongoDB, HTML5, React JS, and Node.

The McAfee connection

As noted above, John McAfee is an advisor to Bezop’s board. At the beginning of the year, he tweeted the following about the startup:

That tweet came on the heels of the Bezop token sale, which was held in December. The Bezop token is built on the public Ethereum blockchain.

Kromtech pointed out that around the time of the token offering, Bezop launched its first bounty program. The program was launched to let people earn Bezop tokens in exchange for promoting the company: posting to social media sites like Facebook, posting to forums using an approved Bezop signature, moderating forums, or writing stories about Bezop.

According to Kromtech:

One of the tables in the publicly open database was named “Bounty”, so it appears that the database left unprotected may contain the information for the people who invested and participated in this part of the program.

Lesson learned

In its note about the findings, a Kromtech writer didn’t mince words about how badly this leak reflects on Bezop.

Most would agree with Kromtech’s note that this is not a “very good start for a company such as this to place personal information of anyone on the Internet and open to the public, especially its early investors.”

Also, few may disagree with the following statement from Kromtech:

“In fact, it’s a little difficult to grasp how it could happen, even if by mistake. Given the changes to MongoDB, it would have to have been deliberately configured to be public, a configuration which should not even be risked internally.”

Kromtech further stated that making investors’ personal information public was obviously not good practice and a huge mistake to make.

We hope that they ensure that their new product, which uses MongoDB as part of its design, and any future bounty programs using the same, will be configured far more securely than this MongoDB instance turned out to be. Ease of use should never be placed above security, even during the development cycle.
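The configuration mistake Kromtech describes, a MongoDB listener deliberately bound to every interface with no access control, is easy to catch before deployment. The following audit script is an added example written for this article, not code from Kromtech or Bezop; the two `mongod.conf` fragments it checks are constructed samples, and the internal address in the hardened one is a placeholder.

```python
"""Flag a mongod.conf that exposes the database the way the article describes:
bound to all interfaces (bindIp 0.0.0.0 / :: or bindIpAll) with authorization off.
Since MongoDB 3.6 the default binding is localhost-only, so this layout is opt-in."""


def parse_simple_yaml(text):
    """Minimal two-level parser for the 'section:\n  key: value' layout of
    mongod.conf. It is deliberately not a full YAML parser; it covers only
    what this check reads and ignores comments and blank lines."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop trailing comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not raw.startswith(" "):             # top-level section header
            section = key
            conf.setdefault(section, {})
        elif section is not None:               # indented key inside a section
            conf[section][key] = value
    return conf


def audit_mongod(text):
    """Return a list of findings; an empty list means no exposure detected."""
    conf = parse_simple_yaml(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    bind = net.get("bindIp", "127.0.0.1")     # MongoDB >= 3.6 default
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    public = bind_all or any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(","))
    auth = sec.get("authorization", "disabled").lower() == "enabled"
    findings = []
    if public and not auth:
        findings.append("CRITICAL: listener on all interfaces with authorization disabled")
    elif public:
        findings.append("WARN: listener on all interfaces; restrict bindIp or firewall it")
    elif not auth:
        findings.append("WARN: authorization disabled (tolerable only on localhost)")
    return findings


# Constructed sample: the kind of layout that produces a publicly readable database.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: localhost plus one internal address (placeholder), auth on.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # placeholder internal address
security:
  authorization: enabled
"""

if __name__ == "__main__":
    print("weak:", audit_mongod(WEAK_CONF))
    print("hardened:", audit_mongod(HARDENED_CONF))
```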
