Topic: Coinmarketcap hack leaked 3.1 million emails! (Read 681 times)

I’ve been searching around, and found the alleged 3,1 M Database on a given place where it was loaded as a freebie on the 13/10/2021. It includes just emails as we knew. Now the weird thing is that someone also uploaded a file on the 24/10/2021 with 2,3 M pairs of alleged login/passords from CMC, also for free. Not much explanation is provided alongside.

I took a brief ethical look, and found that this latter file with 2,3 M records really has only 745 K different emails. The files has many entries with multiples passwords per email, thus only rendering 745 K distinct emails. I crossed it with the 3,1 M record database, and 740 K emails coincided. I tried a couple of dozen random email/pwd (of those with unique entries in the pwd file), and only one logged in. The others were either not CMC emails, or had already changed their email.

Now this leave me a bit more puzzled. There is no explanation on how and when this login/pwd file was compiled. It could be a prior breach, or a compilation of crypto related credentials, branded as CMC related by someone at some point for some reason.

The fact that many emails have multiple passwords can only be justified by it being a compilation, or derived from some log or historical archieve of password changes. Nevertheless, the low successful login ratio from my test, seems to point to it been non-current or non-specific to CMC. I cannot really tell, and Tor login attempts are painstaking long to try out.

The fact that the emails largely do coincide with the CMC 3.1 M file, albeit only for 740K of the records, points to a relation between the two files, buy I still cannot attest to whether they are legit CMC in origin, or a compilation.

Having said that, CMC can easily know what’s what, and they can and should be more transparent about the nature of the 3,1M file, and more specifically at this stage, the degree of coincidence with the CMC database. Not undisclosing this seems of no real benefit rather than to speculation itself.

Sure they do. Just hire an independent third party to go and audit everyone that they share your data with. I'm sure it would be expensive since they probably share your data with dozens of third parties, but it's not impossible by any means.

And I don't buy that for a second. If you are to believe that story, then you believe some tried millions of username/password combinations (many more than the 3.1 million which were found to be valid) to break in to CMC accounts... for what? To see what coins everyone was watching? But they didn't break in to any exchange accounts, or web wallets, or casinos, or anything with value? Or even the email addresses themselves?

See the blog post that is linked in the OP, and my first post in this thread.

I was not defending CMC for leaking the emails via their vendor. I was responding to DdmrDdmr that he was suggesting that CMC's statement implies the leak could have come from one of their vendors. I was noting that CMC has no way to do a security audit to confirm the list did not come from one of their vendors.

CMC is saying that someone found a list (or lists) of email addresses and passwords, and attempted to use those email/password combinations (from other website(s)) to login to CMC, and if they were able to login, they knew the email address was one associated with a CMC account.

When bitcointalk was hacked, usernames, email addresses and password hashes were leaked. If someone were to use the leaked information to try to login to coinbase accounts that use the same email address and password combination, and subsequently publish a list of email addresses associated with coinbase accounts, it would not mean that coinbase was hacked. Someone could have used the leaked information from the forum, and leaked information from other bitcoin-related websites.

That doesn't make them any less responsible. It is their responsibility to vet the parties they deal with and to ensure their security is up to scratch, and it is their responsibility to investigate if one of them has leaked data. If you give me $1000 to keep safe for you, and I give it to a drug addict who then blows it all on drugs, I can't shrug my shoulders and say "Well, I didn't lose it."

It is too much of a coincidence that a database of 3.1 million emails matches exactly with 3.1 million CMC accounts. If they didn't leak it, then someone they gave it to did.

Trust wallet. Also they have so much influence over it and have embedded so many things in to it, that Brave Browser is essentially owned by them too.

This gives me the answer of an old email I used, I received an email from a startup to look into their project and become first-hand investor LOL
PS: I did not know CMC is owned by Binance. CZ is doing everything to monopoly the crypto niche. Not good.

What else is owned by CZ? Get ready to get that hacked too 😉

Fun aside, it's the risk we always take when we deal with a centralized database.