“Earlier this week we emailed a small group of our customers (about 1% of our total base), requiring them to reset their Poloniex password in response to a tweet claiming to contain a list of leaked email addresses and passwords. To confirm, there was no information or data leak originating from Poloniex and our actions represented a swift response to an external threat.”
Yesterday Poloniex sent an email to select customers warning them that they may have had their data exposed in a Twitter breach. The letter stated:
“A couple of hours ago we discovered that someone leaked a list of email addresses and passwords on Twitter, claiming the information could be used to log in to Poloniex accounts.”
Though the letter claimed that “almost all” of the leaked emails were inauthentic, it also told customers that the exchange was “forcing a password reset on any email addresses listed that do have an account with us, including yours.”
Poloniex says its first priority for issuing the warnings and taking action yesterday was “to ensure that our customers’ accounts were safe. As a result, we reset the passwords of potentially impacted customers, as users often reuse passwords or minor variants of the same password.”
The exchange’s second priority “was to determine the source of the leak.”
Poloniex says it determined that the leak was mostly a hoax:
“(W)e can now confirm that neither this list, nor the information contained, originated from Poloniex…(and) less than 5% of the email addresses on the posted list were associated with Poloniex accounts.”
Whoever posted the tweet may have gleaned the information from haveibeenpwned.com, Poloniex says.
Haveibeenpwned.com is a site that allows users to check if their email addresses are cached or for sale on Dark Net archives.
The exchange says any Poloniex customers who did not hear directly from them were unaffected by the matter.