Until recently, over $18 million in user funds lay in jeopardy as two crypto exchanges inadvertently exposed thousands of users' private keys and personal data.
According to research from tech outlet CyberNews, one of the two exchanges identified by analysts, a Swiss outfit known as Lykke, held over $16.5 million in hot wallets within a public database.
After combing the database, analysts uncovered Lykke's API keys, allowing unrestricted access to the exchange's inner workings. Then, they stumbled on a jackpot of around 80,000 private keys laid bare and unsecured. Lykke's “mainnet keys” were also uncovered, which allegedly enabled access to coins staked by the exchange, of which there was $25,000 worth. This means investigators could have fled with millions of dollars in customers' funds, had they been so inclined.
Lykke wasn't the only exchange in grave breach of due diligence.
Another exchange similarly using an unencrypted public database was China-based marketplace Hubdex. The so-called "decentralized" exchange not only left API keys on display but full user and KYC data too.
To top it all off, analysts discovered over 1 million private keys, once again providing unbridled access to customer funds.
According to the report, only Lykke responded to the white-hat hackers, confirming the unsecured database was theirs and quickly fixing the exposure. Although they were unable to reach Hubdex, analysts reported that its exposure has also been promptly patched.
The phrase "not your keys, not your Bitcoin" has never been more applicable.