Change your password: Poloniex cryptocurrency exchange reveals data leak

Updated: Password resets are being forced following a leak of account credentials.
Written by Charlie Osborne, Contributing Writer

The Poloniex cryptocurrency exchange has enforced a password reset for account holders following a data leak across social media. 

A very common form of scam is known as phishing, in which fraudsters send emails while disguising themselves as legitimate companies. These messages are often crafted to lure would-be victims into visiting malicious domains. To prompt them to do so, scammers may claim that suspicious activity has been detected in an account -- and that the recipient therefore needs to visit the website and change their password.

Once submitted, these credentials can then be used by fraudsters to hijack accounts, potentially steal data, and in the case of cryptocurrency exchanges, siphon away virtual funds. 

In light of this trend, cryptocurrency holders need to verify password reset emails as legitimate before proceeding -- and an email blasted to Poloniex users last week was recently confirmed as authentic over Twitter. 


A Twitter user under the handle @charlysatoshi posted a screenshot of an email they had received, purporting to be from Poloniex, and warned that the message was a "scam."

The email said that a list of leaked email addresses and passwords had been discovered on the microblogging platform, spreading with the claim that the credentials could be used to access Poloniex accounts. 

"While almost all of the email addresses listed do not belong to Poloniex accounts, we are forcing a password reset on any email addresses that do have an account with us, including yours," the email reads. 


While the user originally believed the message was a phishing attempt, the cryptocurrency exchange's support team responded on December 30, saying, "This is a real email! Please reset your password for account security."


On the same day, the cryptocurrency exchange also published a guide for setting up two-factor authentication (2FA) on accounts, which can provide an additional layer of security through a mobile device should basic username and password combinations become compromised. 

The data leak brings to mind November's incident involving BitMEX, a cryptocurrency trading post. An email was sent en masse to users informing them of upcoming changes to indices weighting, but due to human error, the email addresses of other users were included in the "To" field. 


While the failure to properly mask recipients may not seem like a massive issue, combined with the fact that many of us reuse passwords and that data dumps are available online, it may have exposed users to the risk of compromise. BitMEX has also recommended that users secure their accounts with 2FA.

The BitMEX Twitter account was also accessed by an external individual, but the company says this second problem was "unrelated." 

Update 19.21 GMT: In a blog post on Medium, the cryptocurrency exchange said that the leak impacted roughly one percent of its customer base and that the data leak did not originate from Poloniex.

"Our investigation has concluded that approximately 90% of the passwords listed already appear in the haveibeenpwned.com list of exploited passwords," the company added. "Additionally, our security team is in touch with haveibeenpwned.com and has requested that they update their database to include additional missing information we have identified."
