After the Huobi crypto exchange (finally) fixed a massive vulnerability, researcher Aaron Phillips published a blog post explaining what he had found. According to Phillips, two years ago, the exchange accidentally published a file containing Amazon Web Services (AWS) credentials, which could have allowed a bad actor to modify content on their websites and in their CDN, distribute malicious versions of their Android app, access user data and "whale reports" on high-value users, access OTC trade records and user data for OTC traders, and "carry out the largest crypto theft in history". "I had full control over data from almost every aspect of Huobi's business," wrote Phillips.
According to Phillips, it took months before he was able to get in touch with Huobi and convince them to act on the leak. Phillips first notified Huobi of the leak in June 2022, and after repeated efforts to contact the company, the credentials were only revoked in June 2023.
Huobi has tried to downplay the hack, first stating that the user data leak was "on a small scale (4,960 individuals)" and "does not involve sensitive information and does not affect user accounts and fund security". They also claimed the leaked OTC data was test data. "The log shows that only [Phillips] has downloaded, and [Phillips] has also stated that he has deleted. Therefore no leakage is actually caused," they wrote.
According to CoinGecko, Huobi is the seventeenth-largest cryptocurrency exchange by volume.