Topic: Coinmarketcap hack leaked 3.1 million emails! (Read 701 times)

I’ve been searching around, and found the alleged 3,1 M Database on a given place where it was loaded as a freebie on the 13/10/2021. It includes just emails as we knew. Now the weird thing is that someone also uploaded a file on the 24/10/2021 with 2,3 M pairs of alleged login/passords from CMC, also for free. Not much explanation is provided alongside.

I took a brief ethical look, and found that this latter file with 2,3 M records really has only 745 K different emails. The files has many entries with multiples passwords per email, thus only rendering 745 K distinct emails. I crossed it with the 3,1 M record database, and 740 K emails coincided. I tried a couple of dozen random email/pwd (of those with unique entries in the pwd file), and only one logged in. The others were either not CMC emails, or had already changed their email.

Now this leave me a bit more puzzled. There is no explanation on how and when this login/pwd file was compiled. It could be a prior breach, or a compilation of crypto related credentials, branded as CMC related by someone at some point for some reason.

The fact that many emails have multiple passwords can only be justified by it being a compilation, or derived from some log or historical archieve of password changes. Nevertheless, the low successful login ratio from my test, seems to point to it been non-current or non-specific to CMC. I cannot really tell, and Tor login attempts are painstaking long to try out.

The fact that the emails largely do coincide with the CMC 3.1 M file, albeit only for 740K of the records, points to a relation between the two files, buy I still cannot attest to whether they are legit CMC in origin, or a compilation.

Having said that, CMC can easily know what’s what, and they can and should be more transparent about the nature of the 3,1M file, and more specifically at this stage, the degree of coincidence with the CMC database. Not undisclosing this seems of no real benefit rather than to speculation itself.

Sure they do. Just hire an independent third party to go and audit everyone that they share your data with. I'm sure it would be expensive since they probably share your data with dozens of third parties, but it's not impossible by any means.

And I don't buy that for a second. If you are to believe that story, then you believe some tried millions of username/password combinations (many more than the 3.1 million which were found to be valid) to break in to CMC accounts... for what? To see what coins everyone was watching? But they didn't break in to any exchange accounts, or web wallets, or casinos, or anything with value? Or even the email addresses themselves?

See the blog post that is linked in the OP, and my first post in this thread.

I was not defending CMC for leaking the emails via their vendor. I was responding to DdmrDdmr that he was suggesting that CMC's statement implies the leak could have come from one of their vendors. I was noting that CMC has no way to do a security audit to confirm the list did not come from one of their vendors.

CMC is saying that someone found a list (or lists) of email addresses and passwords, and attempted to use those email/password combinations (from other website(s)) to login to CMC, and if they were able to login, they knew the email address was one associated with a CMC account.

When bitcointalk was hacked, usernames, email addresses and password hashes were leaked. If someone were to use the leaked information to try to login to coinbase accounts that use the same email address and password combination, and subsequently publish a list of email addresses associated with coinbase accounts, it would not mean that coinbase was hacked. Someone could have used the leaked information from the forum, and leaked information from other bitcoin-related websites.

That doesn't make them any less responsible. It is their responsibility to vet the parties they deal with and to ensure their security is up to scratch, and it is their responsibility to investigate if one of them has leaked data. If you give me $1000 to keep safe for you, and I give it to a drug addict who then blows it all on drugs, I can't shrug my shoulders and say "Well, I didn't lose it."

It is too much of a coincidence that a database of 3.1 million emails matches exactly with 3.1 million CMC accounts. If they didn't leak it, then someone they gave it to did.

Trust wallet. Also they have so much influence over it and have embedded so many things in to it, that Brave Browser is essentially owned by them too.

This gives me the answer of an old email I used, I received an email from a startup to look into their project and become first-hand investor LOL
PS: I did not know CMC is owned by Binance. CZ is doing everything to monopoly the crypto niche. Not good.

What else is owned by CZ? Get ready to get that hacked too 😉

Fun aside, it's the risk we always take when we deal with a centralized database.

Well they can only investigate what they have access to. They have stated they completed a security audit and found no leaks from their own servers. They can't do the same for any of their vendors.  I would presume they would keep track of information shared with their various vendors, and if the list of leaked email addresses matched what was shared with that vendor, they would be able to blame that vendor. If the list of emails exceeds what they shared with any one vendor, it should be reasonable to say the leak did not come from any of their vendors.

Given that CMC accounts really don't contain much valuable information, it might not be unreasonable to think they are not employing sophisticated detection systems to try to detect unauthorized logins.  I would presume that someone logging into 3.1 million accounts would not do so from a single IP address, and a project of this scale would likely have been done over time, and using many IP addresses.

CMC claims to "reach" hundreds of millions of users every year, so 3.1 million email addresses would likely be a small subset of all the email addresses in their database.

They also probably want to be careful to not acknowledge the email list is valid. Doing so would implicitly acknowledge that any email address on the list is an email address associated with a CMC account.

Nevertheless, 3.1M leaked records seems like a massive figure to be produced by using the hypothesis they provide, especially if passwords were involved to ensure valid logins (which they could validate probably through their logs and searching for patters within the login times and attempts).

At some point, they did put special care in the wording to state that:
(see: https://twitter.com/CoinMarketCap/status/1451813671961833473)

The "our own servers" seems like a deliberate careful choice of words, to cast a shadow on any third-party provider that has access to the information for, let’s say, marketing purposes (see https://coinmarketcap.com/privacy/). This would also play along with there being no passwords in the leak.

This is not a good solution that many companies will accept. Most websites want the ability to send marketing emails and hashing the email address in their database will prevent that. Websites may also want to track email domains to watch for spammy domains and blacklist them accordingly.

Further, it would be better to have the information hashed by the server rather than in the browser. This way the server can enforce any restrictions on email addresses. If the hashing is done in the browser, someone could calculate the hash of “foo@bar” (no dot com), and send this hash to the server. The website would have no way of knowing the user is using an invalid email. Similarly, if the password is sent via hashed format, the server would have no way of knowing if it meets complexity requirements. The server should receive the password in plaintext format, perform regex on it to confirm complexity requirements, then should be hashed prior to being sent to the database.

Most importantly, hashing information in the browser means an attacker can trivially login using the hashes of the email and password. If the hashed email addresses and passwords leak, a hacker could send the hashed email and password to the server and access the account. This would be the same as storing passwords in plain text.

---

If you read the blog post in the OP, you will see that CMC is saying they don’t believe the leaked information came from CMC. They are saying they believe that someone used a list of email/password combinations leaked from other sites, and used these combinations to try to login. When logins were successful, the hacker knew that the email was associated with an account at CMC.

This is why I only browse through most of this web market platforms. I hardly make any registration despite the airdrops and giveaway used to entice new users to gain traffic.
Now that users information has been leaked, that's a breach of privacy but what can you do about it, just move on and don't make the same mistakes of using your main email for registration.

I have setup hotmail account times without number without including my phone number, all I do is I used VPN, later after two weeks it will demand for phone number which will be mandatory after some time gone but anytime I want to login, but I think it usually take two weeks but I have forgotten. Proton mail will request for email, but it has been long I used proton mail, but it is still on of my favorite.

Maybe I misunderstood your post, but ProtonMail requires a phone number or a secondary email account when you create a new email address. They will send you a one-time code that you need to copy and paste before the new account is set up. You will have to send this code to an alternative email or via SMS. They will also ask you to enter a second email or phone number in case you need to recover the password for your ProtonMail account. This step can be skipped though.

If they indeed store it like this, there is still a risk of compromise. Even leaking the email addresses alone is a risk since they will be spammed.

One easy way of mitigating that would be to store hashes of everything. For example the database wants to store [email protected] but instead of storing the plaintext it hashes it and stores "0c7e6a405862e402eb76a70f8a26fc732d07c32931e9fae9ab1582911d2e8a3b". When user searches that string, again they hash it in browser and send the hash to server which will be searched inside db. This way if the db is leaked all the hacker gets is useless hashes.

This things happens all the time, I might be in there.

OMG. spam and rubbish mails will be flying now. many accounts will be hacked but there is always a solution. anybody with an account on coinmarketcap should avoid opening emails with attachments. users should avoid opening or downloading emails with bitcoin attachments. they are likely virus and will attack your system and steal your details.

Oh yeah, I understand now. It's disposable since you could just get rid of it. I will try to take advantage of my subscription with iOS and try the "Hide My Email" feature thing that they are talking about. They automatically assign random numbers words with it, I guess it would be a great start.

---

I think the only thing that they could do is just spam those email address that they are going to get, right? So if I got it correctly, there's nothing to "calculate" or engineer to crack passwords or stuff?

That db would not be useful because it's just a list of compromised email addresses, and a separate list of compromised passwords, without any links in between. The site names are not written into the database AFAIK.

Correct, but those are only for paid accounts. A paid account only costs 0.00076 BTC for a year though, and that gives you 5 different addresses.

Sure you will, but at least you can have one "disposable" email which you use to sign up for things like CoinMarketCap where you know just to ignore all the emails it receives, and have a separate "important" email which you use for sensitive financial accounts.

You could receive phishing emails inviting you to enter your seed phrase to claim an airdrop or altcoin giveaway. You could receive fake emails from exchanges, services, and other platforms, containing links to fake websites which will prompt you for your username and password. You could receive emails with attached clipboard malware, keyloggers, or other malware which they will try to make you download. You could receive emails threatening you with release of some private information unless you pay a ransom. The possibilities are endless, but they all still require you to mess up to fall victim to them.

Doesn't even need to be an employee of Binance or CMC. If you look at their Privacy Policy, they share your information with any number of third parties "to contact you about our programs, products, features or services" and "to tailor content, advertisements, and offers for you". When you make an account at CMC, this is what you sign up for - Binance to share you information with any third parties which will pay them.

I don't really trust anything they say, now even CZ had to write something on twitter and we all remember how Binance customer data got leaked and they first denied it.

It's better to use separate temp and disposable email accounts when registering for Coinmarketcap and other similar websites.
You can also check if your email has been pwned and I would suggest using other email for Bitcointalk forum.

It's enough to have one pissed ex employee to do that and it's true we had similar examples in past.
They don't even have to sell anything, it's enough that they don't care about security and safety of their data, so they indirectly allow leaks to happen.

My advice, anticipate now by moving all assets stored on the Binance exchange. email data leak CMC is warning 1 and warning 2 if you ignore it.

as far as Im concerned they fetch the email data on the bounty spreadsheet for individual airdrop promotions only. what's more dangerous is the email you registered on the binance exchange.

I have a coinmarketcap account also. Email registered is completely different from those I use for exchanges and etc. I havent started receiving spam emails. But, this email has been used for several other services. Should I really be warned of something? What kind of harm can I get, despite receiving spam? We have lots of bounty spreadsheets with emails, telegram account names, forum names. With simple 2+2 logic lots of things can be linked due that. This is more dangerous than just an email data base leak. Isnt it ?

Uh, damn, I just saw this thread, I have an account on Coinmarketcap, yes I understand now lately a lot of messages are not important aka spam, yesterday I deleted more 10 unsubstantiated incoming messages.

I was really busy without seeing this warning, now i changed everything gmail and password too, thanks again to: @dkbit98 for creating this thread.

it's a disaster for those who didn't see this thread.

I saw on their site that they have aliases, I think that's one way to have multiple accounts and use it for different services (social media, crypto stuff, banking) and prevent an actual compromise of what your email is but if they still send you a spam email, won't you still receive it right?

Do you think it's advisable to use aliasing? With iOS devices, if you have the iCloud+, you have the option to hide your email that forwards it to your main email. Is it safe with that as well?

Emails can be hacked and compromised. All services should allow you to change your registered email address for safety reasons.

I like ProtonMail, and they certainly have a good reputation for privacy, but you should be aware of under what situations they may be forced to break some of that privacy, since there was a recent case which they were forced to comply with Swiss law and hand over IP addresses (but all actual email contents remained encrypted and inaccessible). You'll find other privacy conscious email providers here:
https://www.privacytools.io/#email
https://prxbx.com/email/

ProtonMail Terms and Conditions limit you to a single free account, so if you want more than one account, you'll need to pay for it. I prefer to use different providers though - if I have an email for personal stuff, an email for banking, an email for social media, and an email for crypto, all with the same provider and I consistently access them all simultaneously or in succession from the same IP address, then it becomes fairly obvious to that provider that they are linked.

I just assumed that you cannot change the email on some services but not explored all. My email being used in some bank accounts was compromised a long time ago, and I'm thinking of changing it. I kept on receiving those phishing and scam emails with all the google docs and stuff and it is irritating.

I'm actually planning to do it. How do you deal with multiple emails? Like is it applicable with proton mail? Proton email is a good email service right?

Exactly. The sites which they own rank themselves as number one. What a surprise! Which exchange is the number one for privacy? Not Binance. What about security of your coins? Also not Binance. Security of your data? Definitely not Binance.

All email accounts are replaceable. What service have you signed up for which doesn't let you replace your email account?

If you have an email account which you really feel is not replaceable, then don't use it for anything else except the bare minimum you must use it for and don't share it with anyone or any service unnecessarily in order to keep it clean and spam-free. Create additional email addresses for everything else.

I received some random main on my email address that I used on coinmarketcap, The email used is a fresh email that I dedicate when I create account there. I'm receiving email with Russian text that has an attached file and there's a word of Bitcoin on text. I think this is the issue on that spam mail, Glad I didn't open any of it and until now, I'm still receiving email from different mail with same content daily.

I will try to post screenshot here later today once I get to my pc.

Maybe they sold their database to the highest bidders. It certainly wouldn't be the first time someone does this
Either way I'm not sure whether to laugh or cry that there are still people who give their main email address to a website that doesn't need it since its whole purpose is to provide "data" which they don't even do that properly either.

Just a crazy thought upon reading this thread. What if the haveibeenpwned database has been pwned as well? Subscriber-based type sites are always prone to hacking.

Anyway, it's crazy that a lot of hackers are finding ways to get information from certain websites. Imagine how much more could they do if they can get it from CMC. What else right? It's just a matter of time that there are more breaches to even more famous sites.

---

I have a question about what you should do on an important email. Like it's not replaceable. If this is the route you are going to take, I think you should just be careful on emails, right?

Please make sure you stake your message for your account in Stake your Bitcoin address here. It is as same as with email, to be safe, just in case, you should use an empty wallet with a single address that is used for staking.

About email, I agreed with @Lucius and I recommended too, use different emails for different use cases. If you one email for all purposes, it is too risky.

As said, use an important email for registration on any website you want AND make sure you use a different password for different email too.

Don't send back and forth emails between yours because it will create connections between your emails.

I'm not using Coinmarketcap and I don't have an account here but I do have an account on Coingecko, but this is a warning for me to change my
email on Coingecko if they can do it on Coinmarketcap they can do it to other market aggregators, this is a big blow for Binance they are running the Coinmarketcap site and people trust them for their security set up, let's see now if they can catch these hackers.

Yes right after buying the ranking sites and who knows what others projects they have taken ownership of. If I'm not mistaking Binance wasn't on the top of the list when it comes to exchanges before they acquired Coinmarketcap. I'm not trying to take anything away from the progress of the exchange but just know when you control the system, you can't be 100% trusted. They'll do anything to keep the trust of the community including lieing to their customers.

Binance owns Coinmarketcap and due to the airdrops and other promotions ongoing, individual probably have email linked between both platform. I remember seeing an airdrop ones on the site (coinmarketcap) that caught my interest and when I tried registering I was asked for my Binance ID which also means this information could also be compromised but they won't disclosed that. They'll always want you to believe your information and funds are safe with them but they aren't.

Well, Binance seems to occupy the number one spot on ranking of exchanges and these comes with some sentiments of being best and most secured even though, they might have been hacked a few times. The position they occupy seems to inspire some level of trust amongst users and the possible refund of stolen coins is another addition.

Though, this doesn't apply to stolen information  or privacy details and like o_e_l_e_o stated, a lot could be donne with your stolen information not excluding taking of loans and defrauding people. Even if the leak has it's origin from Binance or coinmarketcap leak, it cannot be proved conclusively and as such, the company won't take responsibility for damages cost.

Upon reading this thread I quickly checked my email account and it seems I didn't receive any, can you quote it here what you've received or how to determine that your email account associated with Coinmarketcap has been leaked or compromised?

In their Twitter account, there's no leak to their server as they said.

There's no really safe on the internet and everything is vulnerable to hacking, it's a good thing they announced that they didn't have been hacked.
A little bit worried because I used my email here in Bitcointalk that linked to Coinmarketcap and I think it needs to change.

Compensating people for coins which are lost is one thing. Compensating people for information which is stolen is impossible. Are Binance going to pay your legal fees when you have to defend yourself in court for insurance fraud you didn't commit because someone stole your identity? Are Binance going to pay your bank for the $50,000 in loans someone else took out against your name? Are Binance going make things right when you are turned down for a mortgage or a car because your credit score is shot because of a bunch of credit cards you never opened? I don't think so.

We have seen time and again that being large, reputable, well known, having large numbers of customers, having large trading volumes, having a wide selection of coins, etc., all means next to nothing when it comes to security. Pretty much every large exchange has leaked or sold customer data on more than one occasion. The only safe KYC is no KYC at all, and yet most people are more than happy to send all the information needed to steal their identity to a variety of complete strangers.

Maybe they believe that Binance will compensate for users if their exchange is hacked. They did it in the past but it is not guarantee that they will do it in the future.

People flock to Binance because the exchange has big trading volume and people can easily to finish their trade. Many coins get good rises after listing on Binance and it can be one of other reasons people flock to Binance.

Thats exactly it and something people dont realise, it might just be a email address but its
another piece of the jigsaw to enable hackers to access more and more of our personal
information and/or online accounts.

Thankfully I dont have a CMC account but I have all my other online crypto accounts changed
to a useless gmail account which I can delete/ignore in future.

They also have 3.1 million email addresses of people who are definitely involved in crypto, and almost all of which will have a couple of exchange accounts using the same email address. Now they cross reference those email addresses against database leaks from other services in which passwords were also leaked, and start trying to break in to these emails since far too many people reuse passwords across several (or even all) of their accounts.

You answered your own question. Most people either won't even know their details have been hacked, or are too clueless to care. Binance have been hacked multiple times in the past as you point out, and yet people continue to flock to them.

How do Binance let a website that is owned and operated by them was hacked like this. It destroys their reputation in this industry.

Binance has hack in the past. Hackers steal over $40 million worth of bitcoin from one of the world’s largest cryptocurrency exchanges and they had KYC leak too

I use one email to register for newsletter and things are not related to my accounts on crypto exchanges.
[Guide] How to know if your email address was part of any data breach. If you ar curious and want to check your email with Haveibeenpwned.com

This database is actually a goldmine for people who know how to exploit it correctly. Imagine having access to 3.1 million email addresses from people who will sign up for any and every dollar they can get. I reckon a good portion of them will click on whatever you feed them.

Should've either used a throw-away when signing up for garbage or used an alias for your main email. Also how exactly is your email compromised? As long as you didn't reuse passwords and your password wasn't super-specific I doubt this will lead to anything. Also that first sentence, ironic?


If you used the same password for your email and CMC account and the password is in a common wordlist to compare the hashes to, else i wouldn't worry too much about that particular issue. Spam is probably going to be your main groove.

God, the world (either the real world or the digital world) is not a safe place to live in as long as evil and greedy people still exist. I can confirm that my email was compromised with the CMC leaked. I've already changed the password and all but I can't throw it cause I still need to use it. However, I will be super extra cautious about emails coming and should warn myself not to open them recklessly. It's really frustrating but it's the fact that we should face in our daily life now.

Nevertheless, email addresses are already being actively sold on hacker forums. And the most "bored" hackers may be interested in turning on their brute force for password collection. And as a result, the further fate of the hacked mail can be completely unhappy.
You don't need to be a boring teacher who constantly insists that for your own safety, it is better to always create a separate mail for different needs, And this rule is confirmed for the hundredth time.

Another day, another centralized service leaking user information across the internet. Owned by Binance, have no idea how their database was accessed, and unable to confirm or deny if other information was also accessed. Really fills you with confidence!

I suspect we will see scam emails along the lines of "Free airdrops", "Early access NFTs", or other fake promotions from CMC, redirecting users to a site where they need to enter their seed phrase to receive the giveaway. That's the usual process.

they said only emails without password im sub to haveibeenpwned and i received the mail today

I can confirm this. My email address was also compromised in the CMC leak. Luckily, I used an email address that has already been pwned in 22 other data breaches so I have no reason to worry. Spam is part of our daily lives. 

Weird they don't know how the hack occurred (or don't want to say).

I've seen this announcement and luckily I don't use any email for using coinmarketcap instead only using their portfolio version for free without any need of logging in.

I think users must rush changing their details as this could lead to many spams that users might clicked on and become victim of scams links. Thanks for sharing this here OP.

I have a way to create an email without my real name or phone number included, or to use proton mail which is not centralised like others. But about Coinmarketcap, I have nothing doing on the site than to check price, I do not have portfolio on the site because I did not want to register even with email, but the site is still accessible without email but many people do not know about this because it will bring up email for login after the app is opened, but can be bypassed. I use it without email, only that I will not be able to track coins and have portfolios which I do not have agenda of having.

If you have account at Coinmarketcap (that is owned by Binance exchange btw) you should think about changing email address and use new unique password, because of the hack that happened on October 12 that leaked 3,117,548 email addresses!
Consider that email address you used for CMC account is now compromised, don't be surprised if you start to receive some spam and scam emails, so you should not use it anymore.

Coinmarketcap confirmed that hack happened and today they released blog post claiming that there was no password exploits, but only email addresses and they still don't know exact cause of the hack.
https://coinmarketcap.com/alexandria/article/good-security-habits

Report from haveibeenpwned website:
https://haveibeenpwned.com/PwnedWebsites#CoinMarketCap