Cryptocurrency exchange Binance suffered a data breach that exposed internal systems information on code collaboration site GitHub. While Binance downplayed the risk from the leak, their strong response raises questions.
TLDR
- Binance code and internal data was leaked on GitHub, including infrastructure diagrams, passwords, and authentication details
- Binance filed a takedown request to remove the data, claiming it posed a “significant risk”
- Binance now says the leaked data was outdated and poses a “negligible risk” to users
- The leaked data included information on how Binance handles passwords and multi-factor authentication
- Binance is pursuing legal action against the GitHub user who posted the leaked data
In January 2023, portions of Binance’s internal code and data were posted on GitHub without authorization. The leaked data, which had been accessible for months, included infrastructure diagrams detailing Binance’s systems, internal passwords, and technical specifics on how the exchange implements passwords and multi-factor authentication for customer accounts.
The code leak was reported by cybersecurity news outlet 404 Media on January 31st. Their report highlighted that the exposed data provided intimate access to Binance’s internal workings, posing a significant security risk.
Binance moved swiftly, petitioning GitHub to remove the confidential data through a copyright takedown request. In that legal demand, Binance claimed the unauthorized code dump represented “a significant risk” and exposed information that “causes severe financial harm to Binance and user’s confusion/harm.”
However, after the data was scrubbed from GitHub, Binance changed its stance. A spokesperson for the leading cryptocurrency trading platform asserted that the leaked code and data was “outdated” and “would be unusable by any third parties or malicious actors.”
The representative claimed Binance’s security team confirmed the GitHub leak “did not resemble what we currently have in production” and therefore “posed negligible risk” to the exchange or its users.
Binance alleges it pursued the takedown to avoid unnecessary fear over leaked private data. The exchange is also pursuing legal action against the GitHub user who posted its internal code initially.
The news comes as Binance grapples with growing regulatory headaches globally, including agreeing to pay over $4 billion in fines related to anti money laundering violations as part of a plea deal with the US Department of Justice.
While Binance asserts the leaked data posed little risk due to being outdated, the fact that it contained detailed inner workings of Binance’s systems raises concerns. The episode also highlights the potential dangers of information security incidents at a time when cryptocurrency platforms are increasingly becoming hacking targets.