Topic: Coinmarketcap hack leaked 3.1 million emails! (Read 615 times)

legendary
Activity: 1764
Merit: 2032
The Alliance Of Bitcointalk Translators - ENG>SPA
November 03, 2021, 03:47:26 PM
#62
because of the hack that happened on October 12 that leaked 3,117,548 email addresses!

Damn! A bit late but it is better late than never.

Thanks for the warning dkbit98. Unlike what happens with most crypto services and products, there is a big consensus among us to use CMC occasionally and, since they are now part of Binance, even a small percentage of those users logging in there means a huge exposure. I can't remember now whether I ever signed in there, but I will have to check because I don't want to be one of the 3 million addresses without knowing it.

legendary
Activity: 2268
Merit: 18509
The above fact pattern does not say with certainty that the images came from binance/one of their vendors. It also opens the possibility the "hacker" obtained the images via means unrelated to binance.
All the selfies (which you can find examples of online if you want to go looking for them) were of users holding up pieces of paper with "Binance" written on them alongside their ID. There is no reason that any company other than Binance or their third party partners would have thousands of such pictures. And regardless, Binance admitted the data came from a third party that they sent users' KYC data to, they contacted all the users in question to tell them about the hack, and they gave them all free lifetime VIP memberships. So yes, it was Binance's fault despite their initial statement that nothing had been "obtained from Binance".

This statement in this case about nothing being leaked from "their own servers" is exactly the same. Binance are neither honest nor trustworthy when it comes to security of data.

copper member
Activity: 2870
Merit: 2298
~
If you read the comment chain you can see I was talking about the "haveibeenpwned" website and their database. Users don't log into that site, they just search their email to see if it was leaked (pwned). And the discussion was about the haveibeenpwned database being "pwned" itself, which I said could be prevented by only storing and requiring hashes to search.
haveibeenpwned gets their information from various leaks of data. When haveibeenpwned says that a password was leaked, it means they were able to find a leak that contains a password. If haveibeenpwned is able to locate a list of stolen information, it means that someone else can also locate the same information if they know where to look. Someone hacking the haveibeenpwned database would largely be pointless because the information is already public.


CMC's obligations regarding their customers' data can be found in their privacy policy. If someone does not like the terms of their privacy policy, they can ask CMC to change the term they do not like; however, until and unless CMC changes the policy, the policy as currently written lays out their obligations.

I am also not sure there is sufficient evidence to suggest that the leaked images came from Binance or any of their vendors. Binance says that it adds a digital watermark to images it receives for KYC purposes, and the leaked images do not contain that watermark. Binance also said at the time that many of the images in question do not match the images they received from any customer.

I would also note that the alleged hacker was asking for over a million dollars from binance before releasing the images, and would not tell binance how they were able to allegedly steal the images from their systems.

The above fact pattern does not say with certainty that the images came from binance/one of their vendors. It also opens the possibility the "hacker" obtained the images via means unrelated to binance.
legendary
Activity: 3444
Merit: 10558
~
If you read the comment chain you can see I was talking about the "haveibeenpwned" website and their database. Users don't log into that site, they just search their email to see if it was leaked (pwned). And the discussion was about the haveibeenpwned database being "pwned" itself, which I said could be prevented by only storing and requiring hashes to search.
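The "only store and search hashes" idea above, worked through as an added example (not code from the thread or from haveibeenpwned): the server keeps only SHA-1 digests of addresses, bucketed by a 5-character prefix, and a client sends just that prefix and matches the rest locally, so a dump of the server reveals no plaintext and the server never learns which address was looked up. Class and function names are my own.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex chars disclosed to the server; the other 35 never leave the client
HEX = set("0123456789ABCDEF")


def email_hash(email: str) -> str:
    """Normalise the address, then SHA-1 it. Only this digest is ever stored.
    Caveat: the address space is guessable, so a stolen hash table can still be
    dictionary-attacked; hashing raises the attacker's cost, it is not encryption."""
    return hashlib.sha1(email.strip().lower().encode()).hexdigest().upper()


class HashOnlyBreachIndex:
    """Server side: hash suffixes bucketed by their prefix, no plaintext anywhere."""

    def __init__(self):
        self._buckets = defaultdict(set)

    def load_leak(self, emails):
        for e in emails:
            h = email_hash(e)
            self._buckets[h[:PREFIX_LEN]].add(h[PREFIX_LEN:])

    def range_query(self, prefix):
        """Return every suffix under the prefix. The server sees only the prefix,
        so it cannot tell which address (if any) the caller actually holds."""
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX:
            raise ValueError("prefix must be %d upper-case hex chars" % PREFIX_LEN)
        return sorted(self._buckets.get(prefix, ()))

    def stores_plaintext(self):
        """Sanity check: True if anything stored is not a 35-char hex hash suffix."""
        return any(len(s) != 40 - PREFIX_LEN or not set(s) <= HEX
                   for bucket in self._buckets.values() for s in bucket)


def check_email(index, email):
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    h = email_hash(email)
    return h[PREFIX_LEN:] in index.range_query(h[:PREFIX_LEN])


# Constructed sample leak (not real addresses).
SAMPLE_LEAK = ["alice@example.com", "Bob@Example.org"]


def demo():
    idx = HashOnlyBreachIndex()
    idx.load_leak(SAMPLE_LEAK)
    return {
        "alice_hit": check_email(idx, "Alice@Example.com"),  # case-normalised match
        "carol_hit": check_email(idx, "carol@example.net"),
        "plaintext_on_server": idx.stores_plaintext(),
    }


if __name__ == "__main__":
    print(demo())
```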
member
Activity: 1155
Merit: 77
The issue of the coinmarketcap leaked emails explains why I have been getting some weird mail lately; below is the screenshot. But I don't know if you guys noticed that almost every platform owned by CZ is having a problem these days, one way or the other, because binance.com was said to have a large backlog issue today.
legendary
Activity: 2618
Merit: 1181
Nothing is really safe on the internet and everything is vulnerable to hacking; it's a good thing they announced that they had not been hacked.
A little bit worried because I used my email here in Bitcointalk that linked to Coinmarketcap and I think it needs to change.
If you really care about security while on the internet then make sure you sign up with a different email on each platform you want to visit. I use different emails for my forum account, trading account and other platform accounts. This is just a suggestion, but it might be useful.

The failure of a platform in terms of securing the database is actually not our fault; they have to be responsible for their customer data, but users are advised to consider all the risks that arise on the internet, and one of them is hacking. So keeping yourself, your accounts and your assets safe is very important because of that.
legendary
Activity: 2702
Merit: 2645
Farewell LEO: o_e_l_e_o
Agree with everything o_e_l_e_o said.
our data is far more valuable to these companies than the fees you are paying them.
This is the era of information. Random information will not make any sense, but the agencies and companies that know how to analyse the same information and monetize it are dominating the industry. Facebook understood it; Google realized it even before the creation of Facebook. I think Google started out knowing that they needed to collect the data to build their project, whereas Facebook started just to have fun, but once they became big and needed funding they realized the data they had was their asset.

Anyway, I think we are moving to off-topic.
Let's see how it affects CMC users and the community. I already received two emails from random sources. Usually I just delete them.
hero member
Activity: 2562
Merit: 659
Dimon6969
The majority of email addresses will be of airdrop participants. They are smart people; most of them would have created an email address just for airdrops. They are already getting tons of spam emails so they will be least bothered. Furthermore, it is better to check coingecko than CMC.

Yeah, the majority, but there are 100k, maybe more, crypto newbies using their own email to get official updates from coinmarketcap. I have a friend who uses his personal email on coinmarketcap because he wants to receive news from it as soon as possible, so he preferred the personal email that he always checks.

Good thing is I already briefed him about all the dangers of using a personal email and what he can expect.
jr. member
Activity: 31
Merit: 1
There are many exchanges that share your data with many other exchanges and networks. This is not a new thing; it has been happening, of course, in front of your eyes or behind them. The emails that come from many other companies come because you must have registered somewhere, and they have sold your data to some other project so that they can promote it. In today's time there is no such thing as privacy. Facebook has so much of your data that it can force you to think whatever they want. In the long run, big companies think that they will rule the world. In front will be the government, and behind the decision makers will be the people of these companies. Everywhere they will make laws that suit them so that no one could challenge them even legally.
legendary
Activity: 2268
Merit: 18509
CZ will be no different from the Google and Facebook owners.
Pretty much. Centralized exchanges have been rapidly discovering that while they can obviously make some nice profits from charging ridiculous trading and withdrawal fees (which I still can't understand why people seem happy to put up with), the real money is to be made with information and data. It's the same reason as why Facebook sell things like the Oculus at a loss and Google practically give away Google Home devices. They don't care about making profit with these things; they care about having them in your home, care about you using them and linking up all your accounts, and care about collecting your data.

Coinbase went as far as to create their own blockchain analysis department, which they contract out to anyone who will pay, including multi-million dollar contracts to various governments and their agencies, including the CIA, FBI, DEA, and IRS. Binance bought out CMC to gather data on all its users, and have inserted their code and software all over Brave Browser to track its users too. Your data is far more valuable to these companies than the fees you are paying them.
legendary
Activity: 2702
Merit: 2645
Farewell LEO: o_e_l_e_o
What else is owned by CZ?
Trust wallet. Also they have so much influence over it and have embedded so many things in to it, that Brave Browser is essentially owned by them too.
So big names in crypto are eventually selling their business to CZ, and eventually some day we will see CZ controlling the industry. CZ will be no different from the Google and Facebook owners.

I recommend that you familiarize yourself with services similar in functionality:

- CoinGecko
- Cryptorank
This is a good idea. Diversification is very important. If you let one person own everything in the market then eventually you are allowing a monopoly business model. And monopoly does not bring good things to the industry.
hero member
Activity: 2100
Merit: 771
Top Crypto Casino
The majority of email addresses will be of airdrop participants. They are smart people; most of them would have created an email address just for airdrops. They are already getting tons of spam emails so they will be least bothered. Furthermore, it is better to check coingecko than CMC.
legendary
Activity: 2268
Merit: 18509
If they have not shared the entire list of emails with any one third party vendor, they can reasonably rule out the data coming from any vendor.
So come out and say that, instead of this deliberately vague "no leak from our own servers" nonsense. This is the same kind of nonsense they pulled during the KYC leak Binance experienced back in 2019. They called it a "false leak", and their statement said "At the present time, no evidence has been supplied that indicates any KYC images have been obtained from Binance". (Emphasis mine). Just as with this hack, that statement is true but deliberately worded to obfuscate things - data was not obtained from Binance, just as it has not been obtained from CMC. And as we all know with the Binance leak, it was some sketchy third party that they sent the data to who ended up being the culprit. And just as they were responsible for that KYC leak from a third party, they are responsible for this email leak from a third party.

I also don’t know that CMC would have the ability to force their vendors to be subject to intrusive audits by another third party, when they never even had access to the data that was leaked.
Binance have a responsibility to protect your data, and that includes checking the security practices of the third parties they share your data with. If a third party is unwilling to demonstrate their security is up to scratch, then why the hell are Binance sending your data to them? This is just negligent.
hero member
Activity: 2464
Merit: 934
Maybe it's only me, but I wouldn't stop using my email and move all that stuff to another one just because it's prone to spam/phishing now.
copper member
Activity: 2870
Merit: 2298
I was noting that CMC has no way to do a security audit to confirm the list did not come from one of their vendors.
Sure they do. Just hire an independent third party to go and audit everyone that they share your data with. I'm sure it would be expensive since they probably share your data with dozens of third parties, but it's not impossible by any means.
If they have not shared the entire list of emails with any one third party vendor, they can reasonably rule out the data coming from any vendor. I also don’t know that CMC would have the ability to force their vendors to be subject to intrusive audits by another third party, when they never even had access to the data that was leaked.

CMC is saying that someone found a list (or lists) of email addresses and passwords, and attempted to use those email/password combinations (from other website(s)) to login to CMC, and if they were able to login, they knew the email address was one associated with a CMC account.
And I don't buy that for a second. If you are to believe that story, then you believe someone tried millions of username/password combinations (many more than the 3.1 million which were found to be valid) to break in to CMC accounts... for what? To see what coins everyone was watching? But they didn't break in to any exchange accounts, or web wallets, or casinos, or anything with value? Or even the email addresses themselves?
I presume the list was either sold by someone who did this, or that person(s) tried to sell it. Or they could have been trying to get credibility/reputation of some sort. They would have obviously automated the testing, so it’s not like there was one person trying millions of email/PW combinations.

I noted elsewhere that it is unusual for only emails to leak in a data breach.



I don’t think anyone has alleged that passwords were leaked from CMC. I think it would be very strange for someone to steal passwords, publish that email addresses were leaked then publish both emails and passwords without any explanation.

It is a best practice to not disclose specific security measures you are taking so adversaries can’t easily see holes in your security. But I would not be surprised if CMC at the very least forced users who were affected to reset their password via email the next time they logged in to CMC, if they didn’t proactively email those affected suggesting them to change their passwords.

I would also assume that many of the emails in question are receiving a decent amount of malicious emails from people trying to take advantage of the fact the emails in question are associated with someone involved in crypto. The uptick in these types of emails might get people to change their passwords.   
legendary
Activity: 2310
Merit: 10758
There are lies, damned lies and statistics. MTwain
I’ve been searching around, and found the alleged 3,1 M database on a given place where it was loaded as a freebie on the 13/10/2021. It includes just emails as we knew. Now the weird thing is that someone also uploaded a file on the 24/10/2021 with 2,3 M pairs of alleged logins/passwords from CMC, also for free. Not much explanation is provided alongside.

I took a brief ethical look, and found that this latter file with 2,3 M records really has only 745 K different emails. The file has many entries with multiple passwords per email, thus only rendering 745 K distinct emails. I crossed it with the 3,1 M record database, and 740 K emails coincided. I tried a couple of dozen random email/pwd (of those with unique entries in the pwd file), and only one logged in. The others were either not CMC emails, or had already changed their email.

Now this leave me a bit more puzzled. There is no explanation on how and when this login/pwd file was compiled. It could be a prior breach, or a compilation of crypto related credentials, branded as CMC related by someone at some point for some reason.

The fact that many emails have multiple passwords can only be justified by it being a compilation, or derived from some log or historical archive of password changes. Nevertheless, the low successful login ratio from my test seems to point to it being non-current or non-specific to CMC. I cannot really tell, and Tor login attempts are painstakingly long to try out.

The fact that the emails largely do coincide with the CMC 3.1 M file, albeit only for 740K of the records, points to a relation between the two files, but I still cannot attest to whether they are legit CMC in origin, or a compilation.

Having said that, CMC can easily know what’s what, and they can and should be more transparent about the nature of the 3,1M file, and more specifically at this stage, the degree of coincidence with the CMC database. Not disclosing this seems of no real benefit other than to speculation itself.
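The cross-check described in the post above (distinct emails in the pairs file, overlap with the emails-only file, how many emails carry several passwords), written up as an added example on constructed data; it is not MTwain's script and nothing here attempts any login. The file formats, the `email:password` line layout and the 20% "compilation" threshold are my assumptions.

```python
import re
from collections import defaultdict

# Loose shape check; lines that are not one address are dropped rather than guessed at.
EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")

# Assumed: if more than 20% of addresses carry several passwords, the file was
# merged from several sources (or a password-change history), not one live table.
COMPILATION_THRESHOLD = 0.2


def parse_email_list(text):
    """Emails-only dump -> set of normalised addresses (trimmed, lower-cased)."""
    emails = set()
    for line in text.splitlines():
        e = line.strip().lower()
        if EMAIL_RE.match(e):
            emails.add(e)
    return emails


def parse_credential_pairs(text):
    """'email:password' dump -> {email: set(passwords)}; malformed lines skipped.
    Only the first ':' splits the line, so passwords containing ':' survive."""
    creds = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, _, pw = line.partition(":")
        email = email.strip().lower()
        if EMAIL_RE.match(email) and pw:
            creds[email].add(pw)
    return creds


def triage(email_list, creds):
    """The numbers an analyst would report before deciding whether two dumps are related."""
    distinct = set(creds)
    overlap = distinct & email_list
    multi = sum(1 for pws in creds.values() if len(pws) > 1)
    n = len(distinct)
    return {
        "pair_records": sum(len(p) for p in creds.values()),
        "distinct_emails": n,
        "overlap_with_email_list": len(overlap),
        "overlap_ratio": round(len(overlap) / n, 3) if n else 0.0,
        "emails_with_multiple_passwords": multi,
        "looks_like_compilation": (multi / n > COMPILATION_THRESHOLD) if n else False,
    }


# Constructed sample dumps (fake addresses and passwords), including a duplicate
# record that differs only in case and a malformed line.
SAMPLE_EMAIL_LIST = "a@x.test\nb@x.test\nc@x.test\nd@x.test\ne@x.test\n"
SAMPLE_PAIRS = (
    "a@x.test:pw1\na@x.test:pw2\nA@x.test:pw1\nb@x.test:pw3\n"
    "c@x.test:pw4\nc@x.test:pw5\nz@y.test:pw6\nnot-an-email-line\n"
)


def demo():
    return triage(parse_email_list(SAMPLE_EMAIL_LIST), parse_credential_pairs(SAMPLE_PAIRS))


if __name__ == "__main__":
    print(demo())
```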
legendary
Activity: 2268
Merit: 18509
I was noting that CMC has no way to do a security audit to confirm the list did not come from one of their vendors.
Sure they do. Just hire an independent third party to go and audit everyone that they share your data with. I'm sure it would be expensive since they probably share your data with dozens of third parties, but it's not impossible by any means.

CMC is saying that someone found a list (or lists) of email addresses and passwords, and attempted to use those email/password combinations (from other website(s)) to login to CMC, and if they were able to login, they knew the email address was one associated with a CMC account.
And I don't buy that for a second. If you are to believe that story, then you believe someone tried millions of username/password combinations (many more than the 3.1 million which were found to be valid) to break in to CMC accounts... for what? To see what coins everyone was watching? But they didn't break in to any exchange accounts, or web wallets, or casinos, or anything with value? Or even the email addresses themselves?
copper member
Activity: 2870
Merit: 2298
Well they can only investigate what they have access to. They have stated they completed a security audit and found no leaks from their own servers. They can't do the same for any of their vendors.
That doesn't make them any less responsible. It is their responsibility to vet the parties they deal with and to ensure their security is up to scratch, and it is their responsibility to investigate if one of them has leaked data. If you give me $1000 to keep safe for you, and I give it to a drug addict who then blows it all on drugs, I can't shrug my shoulders and say "Well, I didn't lose it."

It is too much of a coincidence that a database of 3.1 million emails matches exactly with 3.1 million CMC accounts. If they didn't leak it, then someone they gave it to did.
See the blog post that is linked in the OP, and my first post in this thread.

I was not defending CMC for leaking the emails via their vendor. I was responding to DdmrDdmr that he was suggesting that CMC's statement implies the leak could have come from one of their vendors. I was noting that CMC has no way to do a security audit to confirm the list did not come from one of their vendors.

CMC is saying that someone found a list (or lists) of email addresses and passwords, and attempted to use those email/password combinations (from other website(s)) to login to CMC, and if they were able to login, they knew the email address was one associated with a CMC account.

When bitcointalk was hacked, usernames, email addresses and password hashes were leaked. If someone were to use the leaked information to try to login to coinbase accounts that use the same email address and password combination, and subsequently publish a list of email addresses associated with coinbase accounts, it would not mean that coinbase was hacked. Someone could have used the leaked information from the forum, and leaked information from other bitcoin-related websites.
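If the replay-from-other-breaches theory above is right, the thing a site can actually see in its own logs is one source trying many different accounts with mostly failed logins. Added example (not CMC's or anyone's real detection logic) that runs that check over a constructed log; the log format, window and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line shape: ISO timestamp, source IP, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$"
)


def parse_log(lines):
    """Return sorted (timestamp, ip, account, success) tuples; junk lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["ip"], m["user"].lower(), m["res"] == "OK"))
    return sorted(events)


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_accounts=5, min_fail_ratio=0.8):
    """Flag a source that hits many *different* accounts in one window with a high
    failure rate. A user mistyping a password hammers one account; a list replay
    walks across many. Thresholds are assumed values, tune them to real traffic."""
    by_ip = defaultdict(list)
    for ev in parse_log(lines):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            accounts = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio:
                prev = alerts.get(ip)
                if prev is None or len(accounts) > prev["distinct_accounts"]:
                    alerts[ip] = {
                        "distinct_accounts": len(accounts),
                        "attempts": len(win),
                        # accounts the replay confirmed: force a reset on these first
                        "confirmed_accounts": sorted({e[2] for e in win if e[3]}),
                    }
    return alerts


# Constructed sample: one source walks six accounts in under a minute (one succeeds);
# a second source is an ordinary user who mistypes once and then logs in.
SAMPLE_LOG = """
2021-10-12T03:14:00Z src=203.0.113.7 user=a@x.test result=FAIL
2021-10-12T03:14:10Z src=203.0.113.7 user=b@x.test result=FAIL
2021-10-12T03:14:20Z src=203.0.113.7 user=c@x.test result=FAIL
2021-10-12T03:14:30Z src=203.0.113.7 user=d@x.test result=FAIL
2021-10-12T03:14:40Z src=203.0.113.7 user=E@x.test result=OK
2021-10-12T03:14:50Z src=203.0.113.7 user=f@x.test result=FAIL
2021-10-12T03:20:00Z src=198.51.100.4 user=e@x.test result=FAIL
2021-10-12T03:20:30Z src=198.51.100.4 user=e@x.test result=OK
""".strip().splitlines()

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```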
legendary
Activity: 2268
Merit: 18509
Well they can only investigate what they have access to. They have stated they completed a security audit and found no leaks from their own servers. They can't do the same for any of their vendors.
That doesn't make them any less responsible. It is their responsibility to vet the parties they deal with and to ensure their security is up to scratch, and it is their responsibility to investigate if one of them has leaked data. If you give me $1000 to keep safe for you, and I give it to a drug addict who then blows it all on drugs, I can't shrug my shoulders and say "Well, I didn't lose it."

It is too much of a coincidence that a database of 3.1 million emails matches exactly with 3.1 million CMC accounts. If they didn't leak it, then someone they gave it to did.

What else is owned by CZ?
Trust wallet. Also they have so much influence over it and have embedded so many things in to it, that Brave Browser is essentially owned by them too.
legendary
Activity: 2702
Merit: 2645
Farewell LEO: o_e_l_e_o
Consider that email address you used for CMC account is now compromised, don't be surprised if you start to receive some spam and scam emails, so you should not use it anymore.
This gives me the answer of an old email I used, I received an email from a startup to look into their project and become first-hand investor LOL
PS: I did not know CMC is owned by Binance. CZ is doing everything to monopolize the crypto niche. Not good.

Another day, another centralized service leaking user information across the internet. Owned by Binance, have no idea how their database was accessed, and unable to confirm or deny if other information was also accessed. Really fills you with confidence!
What else is owned by CZ? Get ready to get that hacked too 😉

Fun aside, it's the risk we always take when we deal with a centralized database.