Operators of the Poloniex cryptocurrency exchange have asked certain customers to change their email passwords after hackers claimed they leaked user data on Twitter.
An excerpt from a letter sent by Poloniex to affected customers states:
“A couple of hours ago we discovered that someone leaked a list of email addresses an passwords on Twitter, claiming the information could be used to log in to Poloniex accounts.”
Although the letter claims “almost all” of the leaked emails are inauthentic, it also says that the exchange is, “forcing a password reset on any email addresses listed that do have an account with us, including yours.”
One recipient of the letter thought it was a scam and posted to that effect on Twitter, stating, “@Poloniex be careful with this Scam email we are getting in our emails.”
— Charly (@charlysatoshi) December 30, 2019
Poloniex Customer Support responded to the poster: “This is a real email! Please reset your password for account security.”
After owning the exchange for less than two years, Circle sold Poloniex to, “an undisclosed Asian investment group,” in October. As of this year, customers in the U.S. are no longer allowed to trade on the platform.
In November, BitMEX, a Hong Kong-based, Seychelles-registered cryptocurrency exchange BitMEX, accidentally exposed the email addresses of up to 400 000 customers.
BitMEX is known for offering 100X leveraged trades of bitcoins.
The breach occurred when BitMEX sent a mass email to exchange users but failed to blind CC recipient addresses.
BitMEX said in a November 1st blog post that the incident resulted from a “software error which has now been addressed.” Rumours also circulated at the time, however, stating that a person responsible for the error was fired.
According to BitMEX’s November 1st blog post:
“Earlier today, some of our users received an email which contained the email addresses of other users in the ‘to’ field. We apologise for the concern this communication may have caused.”
A breach of this kind is very serious because personal information of known users of cryptocurrencies is very valuable on the Dark Net.
Personal information may be used to hack phones, bank and cryptocurrency exchange accounts and/or social media profiles.
The emails could also be used to distribute phishing emails containing malware-designed to mine cryptocurrencies or infect cryptocurrency wallets present on an individual’s own computer.
Crypto-stealing malware that affects wallets can hi-jack transfers of cryptocurrencies and send them to software wallets controlled by hackers.