A collection of sensitive material belonging to crypto exchange Binance, including code and internal passwords, was reportedly leaked on GitHub—where it was publicly available for months.
According to 404 Media, the material, posted by an account called “Termf,” included code, infrastructure diagrams, internal passwords, and other technical information. Some code available on the site is reportedly related to Binance’s implementation of security measures, including passwords and multi-factor authentication (MFA).
Other material apparently included passwords for systems marked “prod,” which were likely to have been used as part of the live site rather than development or demonstration environments.
The data was removed from GitHub following a copyright takedown request by Binance last week, confirming that the data contained code belonging to the exchange. The material had been available to view since at least January 5, when 404 Media contacted the exchange regarding the leaks.
In its copyright takedown request, Binance said the leak consisted of internal code that “poses significant risk to Binance. and causes severe financial harm to Binance and user’s confusion/harm.”
In a statement, a spokesperson for Binance said that it was aware of the leak and that its security team had “assessed this claim and confirmed that it does not resemble what we currently have in production.” They added that “users should rest assured that their data and assets remain safe on our platform.” Binance further claimed that the leaked information “posed negligible risk to the security of our users, their assets, or our platform.”
Decrypt has reached out to Binance and will update this story should the exchange respond.
Edited by Ryan Ozawa.