Major Crypto Exchange Leak Exposes User Wallets, Passwords
- Kelsie Papenhausen
The unprotected database revealed millions of records ranging from two-factor authentication codes and hashed passwords to wallet addresses. What’s worse, the data has been accessible for months.
Protecting asset-related data seems like a no-brainer. However, the Cybernews research team discovered an unprotected MongoDB database leaking massive amounts of sensitive information. The dataset, attributed to crypto trading platform NCX, contained several data collections that, combined, hold over five million records.
“NCX claims to offer secure, fast, and transparent crypto trading services. However, this leak casts serious doubt on those claims, especially regarding user privacy and operational security,” the team explained.
We have reached out to the company for comment and will update the article once we receive a reply.
What NCX data was exposed?
Many businesses utilize MongoDB to handle large swaths of unstructured data. However, NCX appears to be plagued with a common issue: databases are left unprotected without authentication, often due to human error.
According to the team, the NCX data leak exposed over 1GB of data from users worldwide. The exposed details include numerous sensitive data points that could be exploited for nefarious purposes, including:
- Full names, usernames, and dates of birth
- Email addresses
- Links to user-uploaded identity documents (KYC)
- Two-factor authentication (TFA) codes and URLs
- Internal API keys
- IP addresses
- Hashed passwords
- Profile photo URLs
- Secret keys (obfuscated or encoded)
- Wallet addresses and related blockchain transaction info
- Deposit/withdrawal history, currency types, block statuses
- Admin support logs and Help Center communications
“This leak exposes NCX users to multiple threat vectors, including identity theft, account takeovers, and crypto wallet exploitation. The presence of KYC documents and internal keys points to a critical infrastructure security failure,” our team explained.
Researchers noted that the data was stored in eight different collections. The largest one had over two million records. Meanwhile, three collections with the fewest records contained over 170K records each.
Since all three likely revealed user wallet, user address, and airdrop information, it is highly likely that this figure corresponds to the number of active NCX users. Records in all collections appear to be up to date, indicating active use of the system.
The Cybernews team responsibly disclosed the issue to the company immediately after discovering the leaky database. However, the company did not react to multiple attempts to reach out.
What should NCX’s users do?
To fix the issue, researchers advise NCX to:
- Immediately take the MongoDB instance offline or restrict access via firewall
- Require credentialed access and enable encryption in transit
- Rotate exposed 2FA keys and invalidate secret URLs
- Notify affected users and regulatory bodies
- Perform a full forensic audit to determine the scope of compromise
- Migrate from exposed endpoints to secure cloud-managed solutions with access control
Meanwhile, as long as NCX’s user data remains open to the public, users could deposit their funds on a different platform. One way to prevent data from continuing to leak online is to delete their account. However, that only works if the exchange is configured to automatically delete data once users delete their accounts.
“Users should be aware that their private data, including KYC documents, such as copies of IDs, have been exposed. Therefore, they should employ extra caution regarding any communications about crypto or investments, and potentially sign up for a credit monitoring service to help detect some forms of identity theft,” the team explained.
