Cryptocurrency exchange Huobi has recently fixed a data breach that has allegedly put users' assets at risk since June 2021, white hacker Aaron Phillips has reported.
According to him, the breach was related to the disclosure of credentials that grant write access to all Huobi AWS S3 cloud storage baskets. Phillips first notified the exchange of the incident in June 2022.
He has said:
"Anyone could have used the credentials to modify content on the huobi.com and hbfile.net domains, among others. Huobi’s credential leak also led to the exposure of user data and internal documents."
Phillips claims the severity of the attack was significant and could have resulted in "the largest crypto theft in history." However, he found no evidence that the breach was used to carry out the attack.
The hacker has highlighted vulnerabilities in content delivery networks (CDNs) and Huobi sites that could lead to the injection of malicious scripts. According to him, the CDNs could have compromised all of Huobi's login pages, which could affect all users who logged into Huobi's website or app in the last two years.