Poloniex resets customer passwords after alleged data leak that wasn’t
Cryptocurrency exchange Poloniex, owned by Circle Internet Financial Ltd., has reset some customer passwords after suffering an alleged data leak that turned out not to be one.
The so-called data leak first appeared on Twitter, with the posted information claimed to be related to Poloniex accounts, including login credentials. In an email to affected customers, the company said that “while almost all of the [leaked] email addresses listed do not belong to Poloniex accounts, we are forcing a password reset on any email addresses that do have an account with us, including yours.”
Usually by this point in a data leak story there would be something about a potential hack, but this turns out to be a somewhat new twist on reused breached credentials.
Writing on The Poloniex Blog Thursday, the company explained that while they acted out of precaution in resetting around 1% of customer passwords that were on the alleged data leak list, further investigation had found that there was no data leak at all, at least on Poloniex’s side. The user credentials in the list were all previously breached usernames and passwords from other sites.
“Our investigation has concluded that approximately 90% of the passwords listed already appear in the haveibeenpwned.com list of exploited passwords,” Poloniex wrote. “Additionally, our security team is in touch with haveibeenpwned.com and has requested that they update their database to include additional missing information we have identified.”
Jonathan Knudsen, senior security strategist at electronic design automation firm Synopsys Inc., told SiliconANGLE that “cryptocurrency systems, by design, are difficult to attack” as “they use strong cryptographic protections for data integrity and their distributed architecture makes them resistant to attack.”
“Cryptocurrency exchanges, however, are a lightning rod for trouble,” Knudsen explained. “Customers use exchanges to convert cryptocurrencies to and from other currencies, which means tremendous wealth flows through a centralized system that serves as a single high-value attack target.”
Noting that the prompt and proactive response by Poloniex should help minimize damage, Knudsen said users concerned about the security of their accounts should reset their account passwords, choose a strong password and enable two-factor authentication.
“To some degree, securing an account is like being chased by a bear—you just have to run faster than one other person,” Knudsen added. “If an attacker is trying to compromise accounts, and you have a strong password and 2FA enabled, the attacker will probably target another user with a weak password and no 2FA.”
Breached credentials used for hacking on other sites and services could be one of the biggest trends in the security sphere in 2020. Hackers have always used breached credentials, but the practice is about to get a lot more attention following a lawsuit filed against Ring LLC Dec. 29.
The litigant, who had his camera hacked and is seeking class-action status for the lawsuit as well, claims that Ring and parent company Amazon.com Inc. were negligent in their provision of security. In this case, however, all the hacks involved attackers accessing the cameras with credentials previously breached on other sites, the litigants having used the same credentials on Ring. The case will test whether companies are legally responsible for the stupidity of their users.
Image: Poloniex/screenshot