The Moon Technologies saga continues to rumble on with an email surfacing on Reddit allegedly from Moon CEO Kenneth Kruger to Moon account holders.
Coin Rivet reported yesterday that co-founder and former CTO of Moon Technologies Alexander Ang has left the company due to disagreements over user privacy and allegedly contentious terms and conditions.
Since leaving, Ang has made several accusations on Reddit, which have all been vehemently denied by Kruger.
Coin Rivet has reached out to Mr Kruger for a statement. We are yet to confirm whether the email was actually sent by Kruger.
The alleged email
The alleged email reads: “Hi, I’m Ken, the founder and CEO of Moon. I am reaching out to let you know that your Moon account may be affected by recent events.
“A former employee had access to Coinbase credentials stored on our servers. We have no indication that this data has been breached, but we are reaching out to encourage you to revoke your Coinbase API key as a precautionary measure.
“All Coinbase credentials on Moon are currently encrypted. Again, we have no indication that a breach has occurred, but encourage you to revoke the API key that was associated with our system as a precautionary measure.”
Alexander Ang responds
Coin Rivet spoke to Mr Ang, who referred us to a Reddit post of his official statement.
“Kenneth has been sending out emails calling me out for having access, trying to put the blame on me,” he writes.
“The truth is I did have access to them. However, I was prevented from creating a system that would have blocked out access to the keys from any of our internal staff.”
He notes how this could be achieved through recursively locking IAM (identity and access management) policies that ensure only users have access to their own keys. From there, “the logic that sent the cryptocurrency from users to Moon would be all on the front end.”
Ang details how this could then have been uploaded to GitHub for the world to see and critique.
“This is the way to get critique for your security infrastructure in the industry – something Kenneth actively rejected,” he adds.
Ang states: “There is absolutely no way in the universe for you to encrypt and then retrieve the same data without any kind of key.
“It was one of the solutions I pondered when I was thinking through how to protect users – by asking them to enter their own password for the API key.”
However, Ang writes that he connected his Coinbase account with Moon but was not asked for his key.
He alleges that because of this, “any kind of ‘encryption’ that is being done has to be done with a key owned by the management team. If you have not revoked your keys, your keys are still at risk.
“Even if you secure it with any kind of password, Moon, running the decryption algorithm, still has complete access to the API keys after decryption.”
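The distinction Ang draws can be shown in a short sketch, added here as an illustration and not taken from Moon, Ang or Coin Rivet: a credential sealed under a key the service holds opens for anyone holding that key, while one sealed under a key derived from the user's password does not open from storage alone. The function names, the sample values and the HMAC-SHA256 keystream (a standard-library stand-in for a vetted cipher such as AES-GCM) are assumptions.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: standard-library stand-in for a real cipher (assumption)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    """Return the plaintext, or raise ValueError if the key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def user_key(password, salt):
    # Key exists only while the user supplies the password; it is never stored
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def compare_models():
    api_key = b"constructed-sample-api-key"   # constructed value, not a real credential
    password = "constructed user password"    # constructed value
    service_key = secrets.token_bytes(32)      # model A: key generated and kept by the service
    blob_a = seal(service_key, api_key)
    salt = secrets.token_bytes(16)             # model B: only the salt and blob are stored
    blob_b = seal(user_key(password, salt), api_key)

    def readable_with(key, blob):
        try:
            return open_sealed(key, blob) == api_key
        except ValueError:
            return False

    return {
        "service_key_opens_A": readable_with(service_key, blob_a),
        "service_key_opens_B": readable_with(service_key, blob_b),
        "user_password_opens_B": readable_with(user_key(password, salt), blob_b),
        # Even in model B, a server that runs the decryption sees the plaintext once
        # the user supplies the password; decrypting on the client avoids that.
    }

if __name__ == "__main__":
    print(compare_models())
```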
You can read Ang’s full comment on Reddit.
Coin Rivet will continue providing updates as the story develops.