Topic: Coinmarketcap hack leaked 3.1 million emails! - page 2. (Read 617 times)

Well they can only investigate what they have access to. They have stated they completed a security audit and found no leaks from their own servers. They can't do the same for any of their vendors.  I would presume they would keep track of information shared with their various vendors, and if the list of leaked email addresses matched what was shared with that vendor, they would be able to blame that vendor. If the list of emails exceeds what they shared with any one vendor, it should be reasonable to say the leak did not come from any of their vendors.

Given that CMC accounts really don't contain much valuable information, it might not be unreasonable to think they are not employing sophisticated detection systems to try to detect unauthorized logins.  I would presume that someone logging into 3.1 million accounts would not do so from a single IP address, and a project of this scale would likely have been done over time, and using many IP addresses.

CMC claims to "reach" hundreds of millions of users every year, so 3.1 million email addresses would likely be a small subset of all the email addresses in their database.

They also probably want to be careful to not acknowledge the email list is valid. Doing so would implicitly acknowledge that any email address on the list is an email address associated with a CMC account.

Nevertheless, 3.1M leaked records seems like a massive figure to be produced by using the hypothesis they provide, especially if passwords were involved to ensure valid logins (which they could validate probably through their logs and searching for patters within the login times and attempts).

At some point, they did put special care in the wording to state that:
(see: https://twitter.com/CoinMarketCap/status/1451813671961833473)

The "our own servers" seems like a deliberate careful choice of words, to cast a shadow on any third-party provider that has access to the information for, let’s say, marketing purposes (see https://coinmarketcap.com/privacy/). This would also play along with there being no passwords in the leak.

This is not a good solution that many companies will accept. Most websites want the ability to send marketing emails and hashing the email address in their database will prevent that. Websites may also want to track email domains to watch for spammy domains and blacklist them accordingly.

Further, it would be better to have the information hashed by the server rather than in the browser. This way the server can enforce any restrictions on email addresses. If the hashing is done in the browser, someone could calculate the hash of “foo@bar” (no dot com), and send this hash to the server. The website would have no way of knowing the user is using an invalid email. Similarly, if the password is sent via hashed format, the server would have no way of knowing if it meets complexity requirements. The server should receive the password in plaintext format, perform regex on it to confirm complexity requirements, then should be hashed prior to being sent to the database.

Most importantly, hashing information in the browser means an attacker can trivially login using the hashes of the email and password. If the hashed email addresses and passwords leak, a hacker could send the hashed email and password to the server and access the account. This would be the same as storing passwords in plain text.

---

If you read the blog post in the OP, you will see that CMC is saying they don’t believe the leaked information came from CMC. They are saying they believe that someone used a list of email/password combinations leaked from other sites, and used these combinations to try to login. When logins were successful, the hacker knew that the email was associated with an account at CMC.

This is why I only browse through most of this web market platforms. I hardly make any registration despite the airdrops and giveaway used to entice new users to gain traffic.
Now that users information has been leaked, that's a breach of privacy but what can you do about it, just move on and don't make the same mistakes of using your main email for registration.

I have setup hotmail account times without number without including my phone number, all I do is I used VPN, later after two weeks it will demand for phone number which will be mandatory after some time gone but anytime I want to login, but I think it usually take two weeks but I have forgotten. Proton mail will request for email, but it has been long I used proton mail, but it is still on of my favorite.

Maybe I misunderstood your post, but ProtonMail requires a phone number or a secondary email account when you create a new email address. They will send you a one-time code that you need to copy and paste before the new account is set up. You will have to send this code to an alternative email or via SMS. They will also ask you to enter a second email or phone number in case you need to recover the password for your ProtonMail account. This step can be skipped though.

If they indeed store it like this, there is still a risk of compromise. Even leaking the email addresses alone is a risk since they will be spammed.

One easy way of mitigating that would be to store hashes of everything. For example the database wants to store [email protected] but instead of storing the plaintext it hashes it and stores "0c7e6a405862e402eb76a70f8a26fc732d07c32931e9fae9ab1582911d2e8a3b". When user searches that string, again they hash it in browser and send the hash to server which will be searched inside db. This way if the db is leaked all the hacker gets is useless hashes.

This things happens all the time, I might be in there.

OMG. spam and rubbish mails will be flying now. many accounts will be hacked but there is always a solution. anybody with an account on coinmarketcap should avoid opening emails with attachments. users should avoid opening or downloading emails with bitcoin attachments. they are likely virus and will attack your system and steal your details.

Oh yeah, I understand now. It's disposable since you could just get rid of it. I will try to take advantage of my subscription with iOS and try the "Hide My Email" feature thing that they are talking about. They automatically assign random numbers words with it, I guess it would be a great start.

---

I think the only thing that they could do is just spam those email address that they are going to get, right? So if I got it correctly, there's nothing to "calculate" or engineer to crack passwords or stuff?

That db would not be useful because it's just a list of compromised email addresses, and a separate list of compromised passwords, without any links in between. The site names are not written into the database AFAIK.

Correct, but those are only for paid accounts. A paid account only costs 0.00076 BTC for a year though, and that gives you 5 different addresses.

Sure you will, but at least you can have one "disposable" email which you use to sign up for things like CoinMarketCap where you know just to ignore all the emails it receives, and have a separate "important" email which you use for sensitive financial accounts.

You could receive phishing emails inviting you to enter your seed phrase to claim an airdrop or altcoin giveaway. You could receive fake emails from exchanges, services, and other platforms, containing links to fake websites which will prompt you for your username and password. You could receive emails with attached clipboard malware, keyloggers, or other malware which they will try to make you download. You could receive emails threatening you with release of some private information unless you pay a ransom. The possibilities are endless, but they all still require you to mess up to fall victim to them.

Doesn't even need to be an employee of Binance or CMC. If you look at their Privacy Policy, they share your information with any number of third parties "to contact you about our programs, products, features or services" and "to tailor content, advertisements, and offers for you". When you make an account at CMC, this is what you sign up for - Binance to share you information with any third parties which will pay them.

I don't really trust anything they say, now even CZ had to write something on twitter and we all remember how Binance customer data got leaked and they first denied it.

It's better to use separate temp and disposable email accounts when registering for Coinmarketcap and other similar websites.
You can also check if your email has been pwned and I would suggest using other email for Bitcointalk forum.

It's enough to have one pissed ex employee to do that and it's true we had similar examples in past.
They don't even have to sell anything, it's enough that they don't care about security and safety of their data, so they indirectly allow leaks to happen.

My advice, anticipate now by moving all assets stored on the Binance exchange. email data leak CMC is warning 1 and warning 2 if you ignore it.

as far as Im concerned they fetch the email data on the bounty spreadsheet for individual airdrop promotions only. what's more dangerous is the email you registered on the binance exchange.

I have a coinmarketcap account also. Email registered is completely different from those I use for exchanges and etc. I havent started receiving spam emails. But, this email has been used for several other services. Should I really be warned of something? What kind of harm can I get, despite receiving spam? We have lots of bounty spreadsheets with emails, telegram account names, forum names. With simple 2+2 logic lots of things can be linked due that. This is more dangerous than just an email data base leak. Isnt it ?

Uh, damn, I just saw this thread, I have an account on Coinmarketcap, yes I understand now lately a lot of messages are not important aka spam, yesterday I deleted more 10 unsubstantiated incoming messages.

I was really busy without seeing this warning, now i changed everything gmail and password too, thanks again to: @dkbit98 for creating this thread.

it's a disaster for those who didn't see this thread.

I saw on their site that they have aliases, I think that's one way to have multiple accounts and use it for different services (social media, crypto stuff, banking) and prevent an actual compromise of what your email is but if they still send you a spam email, won't you still receive it right?

Do you think it's advisable to use aliasing? With iOS devices, if you have the iCloud+, you have the option to hide your email that forwards it to your main email. Is it safe with that as well?

Emails can be hacked and compromised. All services should allow you to change your registered email address for safety reasons.

I like ProtonMail, and they certainly have a good reputation for privacy, but you should be aware of under what situations they may be forced to break some of that privacy, since there was a recent case which they were forced to comply with Swiss law and hand over IP addresses (but all actual email contents remained encrypted and inaccessible). You'll find other privacy conscious email providers here:
https://www.privacytools.io/#email
https://prxbx.com/email/

ProtonMail Terms and Conditions limit you to a single free account, so if you want more than one account, you'll need to pay for it. I prefer to use different providers though - if I have an email for personal stuff, an email for banking, an email for social media, and an email for crypto, all with the same provider and I consistently access them all simultaneously or in succession from the same IP address, then it becomes fairly obvious to that provider that they are linked.

I just assumed that you cannot change the email on some services but not explored all. My email being used in some bank accounts was compromised a long time ago, and I'm thinking of changing it. I kept on receiving those phishing and scam emails with all the google docs and stuff and it is irritating.

I'm actually planning to do it. How do you deal with multiple emails? Like is it applicable with proton mail? Proton email is a good email service right?

Exactly. The sites which they own rank themselves as number one. What a surprise! Which exchange is the number one for privacy? Not Binance. What about security of your coins? Also not Binance. Security of your data? Definitely not Binance.

All email accounts are replaceable. What service have you signed up for which doesn't let you replace your email account?

If you have an email account which you really feel is not replaceable, then don't use it for anything else except the bare minimum you must use it for and don't share it with anyone or any service unnecessarily in order to keep it clean and spam-free. Create additional email addresses for everything else.