If you have an account with crypto derivatives exchange BitMEX, there’s never been a better time to update your security preferences.

On Friday at 08:00 UTC, BitMEX alerted its clientele via blog and Twitter that it had accidentally revealed many of its user’s email addresses in the CC: field.

The unfortunate email also opens users up to targeted phishing attacks, as anyone obtaining the email has a portion of what’s needed to access the account login.

BitMEX has now asked customers to add BitMEX’s support email to their contact lists to decrease phishing emails along with adding 2-factor authentication (2FA). The exchange appeared to suggest a bug caused the incident, saying on the company blog: “The error which has caused this has been identified and fixed.”

“We are aware that some of our users have received a general user update email earlier today, which contained the email addresses of other users,” they said on the blog. “Our team have acted immediately to contain the issue and we are taking steps to understand the extent of the impact.”

In a statement to CoinDesk, BitMEX Deputy COO Vivien Khoo said:

Earlier today, the majority of our users received an email containing the email addresses of other users in the ‘to’ field. This was a general email update about upcoming changes to the weighting of our indices. We are deeply sorry for the concern this has caused to our users. The issue was caused by an error in the software used to send emails. As soon as we were made aware of the issue, we immediately prevented further emails from being sent and have since addressed the issue to ensure this does not happen again. BitMEX takes the privacy and security of our users very seriously. We are working around the clock to establish communication with all our users to provide any assistance and to ensure the continued safety of their account. Beyond email addresses, at no point during this issue has any personal data or account information been disclosed.

According to data tweeted by data analytics firm Skew, BitMEX has around 22,000 users daily.

The mishap adds to the woes of the exchange, which is also reportedly being probed by the U.S. Commodity Futures Exchange Commission (CFTC) over whether it has allowed U.S. traders to use its platform. BitMEX geo-blocks multiple countries from participating on its exchange, including the United States, although some users may have jumped the fence by using virtual private networks (VPNs).

One of the largest crypto derivatives markets, known for its leverage rates of up to 100x, BitMEX operates out of Seychelles. Its largest product, the XBT/USD trade pair, had a 24-hour trade volume of $2.8 billion as of press time according to CoinGecko.

BitMEX CEO Arthur Hayes image via CoinDesk archives

———

UPDATE (1, November 18:00 UTC): This story was updated to include a statement to CoinDesk from BitMEX Deputy COO Vivien Khoo.