Bitcoin Forum

Other => Beginners & Help => Topic started by: dkbit98 on October 23, 2021, 09:02:38 AM



Title: Coinmarketcap hack leaked 3.1 million emails!
Post by: dkbit98 on October 23, 2021, 09:02:38 AM
If you have account at Coinmarketcap (that is owned by Binance exchange btw) you should think about changing email address and use new unique password, because of the hack that happened on October 12 that leaked 3,117,548 email addresses!
Consider that email address you used for CMC account is now compromised, don't be surprised if you start to receive some spam and scam emails, so you should not use it anymore.

Coinmarketcap confirmed that the hack happened and today they released a blog post claiming that there were no password exploits, but only email addresses, and they still don't know the exact cause of the hack.
https://coinmarketcap.com/alexandria/article/good-security-habits

Report from haveibeenpwned website:
Quote
During October 2021, 3.1 million email addresses with accounts on the cryptocurrency market capitalisation website CoinMarketCap were discovered being traded on hacking forums. Whilst the email addresses were found to correlate with CoinMarketCap accounts, it's unclear precisely how they were obtained. CoinMarketCap has provided the following statement on the data: "CoinMarketCap has become aware that batches of data have shown up online purporting to be a list of user accounts. While the data lists we have seen are only email addresses (no passwords), we have found a correlation with our subscriber base. We have not found any evidence of a data leak from our own servers — we are actively investigating this issue and will update our subscribers as soon as we have any new information."

Breach date: 12 October 2021
Date added to HIBP: 22 October 2021
Compromised accounts: 3,117,548
Compromised data: Email addresses
https://haveibeenpwned.com/PwnedWebsites#CoinMarketCap


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: Oshosondy on October 23, 2021, 09:12:34 AM
I have a way to create an email without my real name or phone number included, or to use proton mail which is not centralised like others. But about Coinmarketcap, I have nothing doing on the site than to check price, I do not have portfolio on the site because I did not want to register even with email, but the site is still accessible without email but many people do not know about this because it will bring up email for login after the app is opened, but can be bypassed. I use it without email, only that I will not be able to track coins and have portfolios which I do not have agenda of having.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: cryptoaddictchie on October 23, 2021, 09:54:50 AM
I've seen this announcement and luckily I don't use any email for using coinmarketcap instead only using their portfolio version for free without any need of logging in.

I think users must rush changing their details as this could lead to many spams that users might click on and become victims of scam links. Thanks for sharing this here OP.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: decodx on October 23, 2021, 10:04:55 AM
If you have account at Coinmarketcap (that is owned by Binance exchange btw) you should think about changing email address and use new unique password, because of the hack that happened on October 12 that leaked 3,117,548 email addresses!
Consider that email address you used for CMC account is now compromised, don't be surprised if you start to receive some spam and scam emails, so you should not use it anymore.

I can confirm this. My email address was also compromised in the CMC leak. Luckily, I used an email address that has already been pwned in 22 other data breaches so I have no reason to worry. Spam is part of our daily lives.  :D

Weird they don't know how the hack occurred (or don't want to say).


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: lotfiuser on October 23, 2021, 10:08:03 AM
They said only emails without passwords. I'm subscribed to haveibeenpwned and I received the mail today.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: o_e_l_e_o on October 23, 2021, 10:51:54 AM
Another day, another centralized service leaking user information across the internet. Owned by Binance, have no idea how their database was accessed, and unable to confirm or deny if other information was also accessed. Really fills you with confidence! ::)

I suspect we will see scam emails along the lines of "Free airdrops", "Early access NFTs", or other fake promotions from CMC, redirecting users to a site where they need to enter their seed phrase to receive the giveaway. That's the usual process.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: lovesmayfamilis on October 23, 2021, 11:05:28 AM
They said only emails without passwords. I'm subscribed to haveibeenpwned and I received the mail today.

Nevertheless, email addresses are already being actively sold on hacker forums. And the most "bored" hackers may be interested in turning on their brute force for password collection. And as a result, the further fate of the hacked mail can be completely unhappy.
You don't need to be a boring teacher who constantly insists that for your own safety, it is better to always create a separate mail for different needs, and this rule is confirmed for the hundredth time.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: Luffygroove on October 23, 2021, 11:21:43 AM
God, the world (either the real world or the digital world) is not a safe place to live in as long as evil and greedy people still exist. I can confirm that my email was compromised with the CMC leaked. I've already changed the password and all but I can't throw it cause I still need to use it. However, I will be super extra cautious about emails coming and should warn myself not to open them recklessly. It's really frustrating but it's the fact that we should face in our daily life now.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: AdolfinWolf on October 23, 2021, 12:10:10 PM
This database is actually a goldmine for people who know how to exploit it correctly. Imagine having access to 3.1 million email addresses from people who will sign up for any and every dollar they can get. I reckon a good portion of them will click on whatever you feed them.

God, the world (either the real world or the digital world) is not a safe place to live in as long as evil and greedy people still exist. I can confirm that my email was compromised with the CMC leaked. I've already changed the password and all but I can't throw it cause I still need to use it. However, I will be super extra cautious about emails coming and should warn myself not to open them recklessly. It's really frustrating but it's the fact that we should face in our daily life now.
Should've either used a throw-away when signing up for garbage or used an alias for your main email. Also how exactly is your email compromised? As long as you didn't reuse passwords and your password wasn't super-specific I doubt this will lead to anything. Also that first sentence, ironic?


Nevertheless, email addresses are already being actively sold on hacker forums. And the most "bored" hackers may be interested in turning on their brute force for password collection. And as a result, the further fate of the hacked mail can be completely unhappy.
If you used the same password for your email and CMC account and the password is in a common wordlist to compare the hashes to, else I wouldn't worry too much about that particular issue. Spam is probably going to be your main groove.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: SquirrelJulietGarden on October 23, 2021, 12:57:10 PM
If you have account at Coinmarketcap (that is owned by Binance exchange btw) you should think about changing email address and use new unique password, because of the hack that happened on October 12 that leaked 3,117,548 email addresses!
How does Binance let a website that is owned and operated by them get hacked like this? It destroys their reputation in this industry.

Binance has been hacked in the past. Hackers steal over $40 million worth of bitcoin from one of the world’s largest cryptocurrency exchanges (https://www.cnbc.com/2019/05/08/binance-bitcoin-hack-over-40-million-of-cryptocurrency-stolen.html) and they had a KYC leak too (https://www.coindesk.com/binance-kyc-issue)

Quote
Consider that email address you used for CMC account is now compromised, don't be surprised if you start to receive some spam and scam emails, so you should not use it anymore.
I use one email to register for newsletters and things that are not related to my accounts on crypto exchanges.
[Guide] How to know if your email address was part of any data breach (https://bitcointalk.org/index.php?topic=5201569.0). If you are curious and want to check your email with Haveibeenpwned.com (https://haveibeenpwned.com/)


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: o_e_l_e_o on October 23, 2021, 03:37:59 PM
This database is actually a goldmine for people who know how to exploit it correctly. Imagine having access to 3.1 million email addresses from people who will sign up for any and every dollar they can get. I reckon a good portion of them will click on whatever you feed them.
They also have 3.1 million email addresses of people who are definitely involved in crypto, and almost all of which will have a couple of exchange accounts using the same email address. Now they cross reference those email addresses against database leaks from other services in which passwords were also leaked, and start trying to break in to these emails since far too many people reuse passwords across several (or even all) of their accounts.

How does Binance let a website that is owned and operated by them get hacked like this? It destroys their reputation in this industry.

Binance has been hacked in the past.
You answered your own question. Most people either won't even know their details have been hacked, or are too clueless to care. Binance have been hacked multiple times in the past as you point out, and yet people continue to flock to them.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: aoluain on October 23, 2021, 04:12:00 PM
This database is actually a goldmine for people who know how to exploit it correctly. Imagine having access to 3.1 million email addresses from people who will sign up for any and every dollar they can get. I reckon a good portion of them will click on whatever you feed them.
They also have 3.1 million email addresses of people who are definitely involved in crypto, and almost all of which will have a couple of exchange accounts using the same email address. Now they cross reference those email addresses against database leaks from other services in which passwords were also leaked, and start trying to break in to these emails since far too many people reuse passwords across several (or even all) of their accounts.

How does Binance let a website that is owned and operated by them get hacked like this? It destroys their reputation in this industry.

Binance has been hacked in the past.
You answered your own question. Most people either won't even know their details have been hacked, or are too clueless to care. Binance have been hacked multiple times in the past as you point out, and yet people continue to flock to them.

That's exactly it and something people don't realise, it might just be an email address but it's
another piece of the jigsaw to enable hackers to access more and more of our personal
information and/or online accounts.

Thankfully I don't have a CMC account but I have all my other online crypto accounts changed
to a useless gmail account which I can delete/ignore in future.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: SquirrelJulietGarden on October 24, 2021, 01:07:34 PM
You answered your own question. Most people either won't even know their details have been hacked, or are too clueless to care. Binance have been hacked multiple times in the past as you point out, and yet people continue to flock to them.
Maybe they believe that Binance will compensate users if their exchange is hacked. They did it in the past but it is not guaranteed that they will do it in the future.

People flock to Binance because the exchange has big trading volume and people can easily finish their trades. Many coins get good rises after listing on Binance and it can be one of the other reasons people flock to Binance.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: o_e_l_e_o on October 24, 2021, 02:18:21 PM
Maybe they believe that Binance will compensate users if their exchange is hacked. They did it in the past but it is not guaranteed that they will do it in the future.
Compensating people for coins which are lost is one thing. Compensating people for information which is stolen is impossible. Are Binance going to pay your legal fees when you have to defend yourself in court for insurance fraud you didn't commit because someone stole your identity? Are Binance going to pay your bank for the $50,000 in loans someone else took out against your name? Are Binance going to make things right when you are turned down for a mortgage or a car because your credit score is shot because of a bunch of credit cards you never opened? I don't think so.

We have seen time and again that being large, reputable, well known, having large numbers of customers, having large trading volumes, having a wide selection of coins, etc., all means next to nothing when it comes to security. Pretty much every large exchange has leaked or sold customer data on more than one occasion. The only safe KYC is no KYC at all, and yet most people are more than happy to send all the information needed to steal their identity to a variety of complete strangers.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: sheenshane on October 24, 2021, 03:29:19 PM
They said only emails without passwords. I'm subscribed to haveibeenpwned and I received the mail today.
Upon reading this thread I quickly checked my email account and it seems I didn't receive any, can you quote it here what you've received or how to determine that your email account associated with Coinmarketcap has been leaked or compromised?

In their Twitter account (https://twitter.com/CoinMarketCap/status/1451813671961833473), there's no leak to their server as they said.
Quote
"You may have seen some information online about CoinMarketCap emails — we want to assure our users that there has been no leak from our own servers."

Nothing is really safe on the internet and everything is vulnerable to hacking, it's a good thing they announced that they haven't been hacked.
A little bit worried because I used my email here in Bitcointalk that linked to Coinmarketcap and I think it needs to change.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: CryptocurencyKing on October 24, 2021, 08:51:36 PM
You answered your own question. Most people either won't even know their details have been hacked, or are too clueless to care. Binance have been hacked multiple times in the past as you point out, and yet people continue to flock to them.
Maybe they believe that Binance will compensate users if their exchange is hacked. They did it in the past but it is not guaranteed that they will do it in the future.

People flock to Binance because the exchange has big trading volume and people can easily finish their trades. Many coins get good rises after listing on Binance and it can be one of the other reasons people flock to Binance.
Well, Binance seems to occupy the number one spot on ranking of exchanges and this comes with some sentiments of being best and most secured even though, they might have been hacked a few times. The position they occupy seems to inspire some level of trust amongst users and the possible refund of stolen coins is another addition.

Though, this doesn't apply to stolen information or privacy details and like o_e_l_e_o stated, a lot could be done with your stolen information not excluding taking of loans and defrauding people. Even if the leak has its origin from Binance or coinmarketcap leak, it cannot be proved conclusively and as such, the company won't take responsibility for damages cost.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: CryptopreneurBrainboss on October 24, 2021, 10:25:39 PM
Well, Binance seems to occupy the number one spot on ranking of exchanges and this comes with some sentiments of being best and most secured even

Yes right after buying the ranking sites and who knows what other projects they have taken ownership of. If I'm not mistaken Binance wasn't on the top of the list when it comes to exchanges before they acquired Coinmarketcap. I'm not trying to take anything away from the progress of the exchange but just know when you control the system, you can't be 100% trusted. They'll do anything to keep the trust of the community including lying to their customers.

Binance owns Coinmarketcap and due to the airdrops and other promotions ongoing, individuals probably have email linked between both platforms. I remember seeing an airdrop once on the site (coinmarketcap) that caught my interest and when I tried registering I was asked for my Binance ID which also means this information could also be compromised but they won't disclose that. They'll always want you to believe your information and funds are safe with them but they aren't.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: robelneo on October 25, 2021, 02:14:45 AM
I'm not using Coinmarketcap and I don't have an account here but I do have an account on Coingecko, but this is a warning for me to change my
email on Coingecko if they can do it on Coinmarketcap they can do it to other market aggregators, this is a big blow for Binance they are running the Coinmarketcap site and people trust them for their security set up, let's see now if they can catch these hackers.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: tranthidung on October 25, 2021, 02:27:42 AM
A little bit worried because I used my email here in Bitcointalk that linked to Coinmarketcap and I think it needs to change.
Please make sure you stake your message for your account in Stake your Bitcoin address here (https://bitcointalk.org/index.php?topic=996318.0). It is the same as with email, to be safe, just in case, you should use an empty wallet with a single address that is used for staking.

About email, I agreed with @Lucius and I recommended too, use different emails for different use cases. If you use one email for all purposes, it is too risky.

I'm not using Coinmarketcap and I don't have an account here but I do have an account on Coingecko, but this is a warning for me to change my
email on Coingecko if they can do it on Coinmarketcap they can do it to other market aggregators, this is a big blow for Binance they are running the Coinmarketcap site and people trust them for their security set up, let's see now if they can catch these hackers.
As said, use an important email for registration on any website you want AND make sure you use a different password for different email too.

Don't send back and forth emails between yours because it will create connections between your emails.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: crwth on October 25, 2021, 02:39:14 AM
Just a crazy thought upon reading this thread. What if the haveibeenpwned database has been pwned as well? Subscriber-based type sites are always prone to hacking.

Anyway, it's crazy that a lot of hackers are finding ways to get information from certain websites. Imagine how much more could they do if they can get it from CMC. What else right? It's just a matter of time that there are more breaches to even more famous sites.



I have a question about what you should do on an important email. Like it's not replaceable. If this is the route you are going to take, I think you should just be careful on emails, right?


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: pooya87 on October 25, 2021, 05:10:37 AM
Weird they don't know how the hack occurred (or don't want to say).
Maybe they sold their database to the highest bidders. It certainly wouldn't be the first time someone does this :D
Either way I'm not sure whether to laugh or cry that there are still people who give their main email address to a website that doesn't need it since its whole purpose is to provide "data" which they don't even do that properly either.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: Beparanf on October 25, 2021, 05:19:30 AM
I received some random mail on my email address that I used on coinmarketcap. The email used is a fresh email that I dedicated when I created my account there. I'm receiving email with Russian text that has an attached file and there's a word of Bitcoin on text. I think this is the issue on that spam mail. Glad I didn't open any of it and until now, I'm still receiving email from different mail with same content daily.

I will try to post screenshot here later today once I get to my pc.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: o_e_l_e_o on October 25, 2021, 07:51:14 AM
Yes right after buying the ranking sites and who knows what other projects they have taken ownership of.
Exactly. The sites which they own rank themselves as number one. What a surprise! Which exchange is the number one for privacy? Not Binance. What about security of your coins? Also not Binance. Security of your data? Definitely not Binance.

I have a question about what you should do on an important email. Like it's not replaceable. If this is the route you are going to take, I think you should just be careful on emails, right?
All email accounts are replaceable. What service have you signed up for which doesn't let you replace your email account?

If you have an email account which you really feel is not replaceable, then don't use it for anything else except the bare minimum you must use it for and don't share it with anyone or any service unnecessarily in order to keep it clean and spam-free. Create additional email addresses for everything else.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: crwth on October 25, 2021, 09:34:12 AM
All email accounts are replaceable. What service have you signed up for which doesn't let you replace your email account?
I just assumed that you cannot change the email on some services but not explored all. My email being used in some bank accounts was compromised a long time ago, and I'm thinking of changing it. I kept on receiving those phishing and scam emails with all the google docs and stuff and it is irritating.

If you have an email account which you really feel is not replaceable, then don't use it for anything else except the bare minimum you must use it for and don't share it with anyone or any service unnecessarily in order to keep it clean and spam-free. Create additional email addresses for everything else.
I'm actually planning to do it. How do you deal with multiple emails? Like is it applicable with proton mail? Proton email is a good email service right?


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: o_e_l_e_o on October 25, 2021, 09:53:43 AM
I just assumed that you cannot change the email on some services but not explored all.
Emails can be hacked and compromised. All services should allow you to change your registered email address for safety reasons.

I'm actually planning to do it. How do you deal with multiple emails? Like is it applicable with proton mail? Proton email is a good email service right?
I like ProtonMail, and they certainly have a good reputation for privacy, but you should be aware of under what situations they may be forced to break some of that privacy, since there was a recent case in which they were forced to comply with Swiss law and hand over IP addresses (but all actual email contents remained encrypted and inaccessible). You'll find other privacy conscious email providers here:
https://www.privacytools.io/#email
https://prxbx.com/email/

ProtonMail Terms and Conditions limit you to a single free account, so if you want more than one account, you'll need to pay for it. I prefer to use different providers though - if I have an email for personal stuff, an email for banking, an email for social media, and an email for crypto, all with the same provider and I consistently access them all simultaneously or in succession from the same IP address, then it becomes fairly obvious to that provider that they are linked.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: crwth on October 25, 2021, 10:04:27 AM
ProtonMail Terms and Conditions limit you to a single free account, so if you want more than one account, you'll need to pay for it. I prefer to use different providers though - if I have an email for personal stuff, an email for banking, an email for social media, and an email for crypto, all with the same provider and I consistently access them all simultaneously or in succession from the same IP address, then it becomes fairly obvious to that provider that they are linked.
I saw on their site that they have aliases, I think that's one way to have multiple accounts and use it for different services (social media, crypto stuff, banking) and prevent an actual compromise of what your email is but if they still send you a spam email, won't you still receive it right?

Do you think it's advisable to use aliasing? With iOS devices, if you have the iCloud+, you have the option to hide your email that forwards it to your main email. Is it safe with that as well?




Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: YOSHIE on October 25, 2021, 10:15:49 AM
If you have account at Coinmarketcap (that is owned by Binance exchange btw) you should think about changing email address and use new unique password, because of the hack that happened on October 12 that leaked 3,117,548 email addresses!
Uh, damn, I just saw this thread, I have an account on Coinmarketcap, yes I understand now lately a lot of messages are not important aka spam, yesterday I deleted more than 10 unsubstantiated incoming messages.

I was really busy without seeing this warning, now I changed everything gmail and password too, thanks again to: @dkbit98 for creating this thread.

It's a disaster for those who didn't see this thread.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: TopTort777 on October 25, 2021, 10:30:01 AM
I have a coinmarketcap account also. Email registered is completely different from those I use for exchanges and etc. I haven't started receiving spam emails. But, this email has been used for several other services. Should I really be warned of something? What kind of harm can I get, despite receiving spam? We have lots of bounty spreadsheets with emails, telegram account names, forum names. With simple 2+2 logic lots of things can be linked due to that. This is more dangerous than just an email database leak. Isn't it?


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: kelonmusk on October 25, 2021, 10:47:30 AM
My advice, anticipate now by moving all assets stored on the Binance exchange. email data leak CMC is warning 1 and warning 2 if you ignore it.

I have a coinmarketcap account also. Email registered is completely different from those I use for exchanges and etc. I haven't started receiving spam emails. But, this email has been used for several other services. Should I really be warned of something? What kind of harm can I get, despite receiving spam? We have lots of bounty spreadsheets with emails, telegram account names, forum names. With simple 2+2 logic lots of things can be linked due to that. This is more dangerous than just an email database leak. Isn't it?
As far as I'm concerned they fetch the email data on the bounty spreadsheet for individual airdrop promotions only. What's more dangerous is the email you registered on the binance exchange.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: dkbit98 on October 25, 2021, 11:12:17 AM
In their Twitter account (https://twitter.com/CoinMarketCap/status/1451813671961833473), there's no leak to their server as they said.
I don't really trust anything they say, now even CZ had to write something on twitter and we all remember how Binance customer data got leaked and they first denied it.

A little bit worried because I used my email here in Bitcointalk that linked to Coinmarketcap and I think it needs to change.
It's better to use separate temp and disposable email accounts when registering for Coinmarketcap and other similar websites.
You can also check if your email has been pwned and I would suggest using other email for Bitcointalk forum.

Maybe they sold their database to the highest bidders. It certainly wouldn't be the first time someone does this :D
It's enough to have one pissed ex employee to do that and it's true we had similar examples in past.
They don't even have to sell anything, it's enough that they don't care about security and safety of their data, so they indirectly allow leaks to happen.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: o_e_l_e_o on October 25, 2021, 11:58:44 AM
I saw on their site that they have aliases
Correct, but those are only for paid accounts. A paid account only costs 0.00076 BTC for a year though, and that gives you 5 different addresses.

but if they still send you a spam email, won't you still receive it right?
Sure you will, but at least you can have one "disposable" email which you use to sign up for things like CoinMarketCap where you know just to ignore all the emails it receives, and have a separate "important" email which you use for sensitive financial accounts.

What kind of harm can I get, despite receiving spam?
You could receive phishing emails inviting you to enter your seed phrase to claim an airdrop or altcoin giveaway. You could receive fake emails from exchanges, services, and other platforms, containing links to fake websites which will prompt you for your username and password. You could receive emails with attached clipboard malware, keyloggers, or other malware which they will try to make you download. You could receive emails threatening you with release of some private information unless you pay a ransom. The possibilities are endless, but they all still require you to mess up to fall victim to them.

It's enough to have one pissed ex employee to do that and it's true we had similar examples in past.
Doesn't even need to be an employee of Binance or CMC. If you look at their Privacy Policy (https://coinmarketcap.com/privacy/), they share your information with any number of third parties "to contact you about our programs, products, features or services" and "to tailor content, advertisements, and offers for you". When you make an account at CMC, this is what you sign up for - Binance to share your information with any third parties which will pay them.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: NotATether on October 26, 2021, 12:44:17 PM
Just a crazy thought upon reading this thread. What if the haveibeenpwned database has been pwned as well? Subscriber-based type sites are always prone to hacking.

That db would not be useful because it's just a list of compromised email addresses, and a separate list of compromised passwords, without any links in between. The site names are not written into the database AFAIK.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: crwth on October 26, 2021, 01:52:32 PM
Sure you will, but at least you can have one "disposable" email which you use to sign up for things like CoinMarketCap where you know just to ignore all the emails it receives, and have a separate "important" email which you use for sensitive financial accounts.
Oh yeah, I understand now. It's disposable since you could just get rid of it. I will try to take advantage of my subscription with iOS and try the "Hide My Email" feature thing that they are talking about. They automatically assign random numbers words with it, I guess it would be a great start.



That db would not be useful because it's just a list of compromised email addresses, and a separate list of compromised passwords, without any links in between. The site names are not written into the database AFAIK.
I think the only thing that they could do is just spam those email addresses that they are going to get, right? So if I got it correctly, there's nothing to "calculate" or engineer to crack passwords or stuff?


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: BayAngelo on October 26, 2021, 05:44:42 PM
OMG. Spam and rubbish mails will be flying now. Many accounts will be hacked but there is always a solution. Anybody with an account on coinmarketcap should avoid opening emails with attachments. Users should avoid opening or downloading emails with bitcoin attachments. They are likely viruses and will attack your system and steal your details.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: CrashCoin_Dev on October 26, 2021, 06:51:13 PM
These things happen all the time, I might be in there.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: pooya87 on October 27, 2021, 04:36:28 AM
Just a crazy thought upon reading this thread. What if the haveibeenpwned database has been pwned as well? Subscriber-based type sites are always prone to hacking.

That db would not be useful because it's just a list of compromised email addresses, and a separate list of compromised passwords, without any links in between. The site names are not written into the database AFAIK.
If they indeed store it like this, there is still a risk of compromise. Even leaking the email addresses alone is a risk since they will be spammed.

One easy way of mitigating that would be to store hashes of everything. For example the database wants to store foo@bar.com but instead of storing the plaintext it hashes it and stores "0c7e6a405862e402eb76a70f8a26fc732d07c32931e9fae9ab1582911d2e8a3b". When user searches that string, again they hash it in browser and send the hash to server which will be searched inside db. This way if the db is leaked all the hacker gets is useless hashes.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: Pmalek on October 27, 2021, 08:19:10 AM
I have a way to create an email without my real name or phone number included, or to use proton mail which is not centralised like others.
Maybe I misunderstood your post, but ProtonMail requires a phone number or a secondary email account when you create a new email address. They will send you a one-time code that you need to copy and paste before the new account is set up. You will have to send this code to an alternative email or via SMS. They will also ask you to enter a second email or phone number in case you need to recover the password for your ProtonMail account. This step can be skipped though.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: Oshosondy on October 27, 2021, 03:01:29 PM
Maybe I misunderstood your post, but ProtonMail requires a phone number or a secondary email account when you create a new email address. They will send you a one-time code that you need to copy and paste before the new account is set up.
I have set up hotmail accounts times without number without including my phone number, all I do is use a VPN, later after two weeks it will demand a phone number, which will be mandatory after some time has gone, but anytime I want to login, but I think it usually takes two weeks but I have forgotten. Proton mail will request an email, but it has been long since I used proton mail, but it is still one of my favorites.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: Huppercase on November 01, 2021, 05:35:36 AM
This is why I only browse through most of these web market platforms. I hardly make any registration despite the airdrops and giveaways used to entice new users to gain traffic.
Now that users' information has been leaked, that's a breach of privacy, but what can you do about it? Just move on and don't make the same mistake of using your main email for registration.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: Quickseller on November 01, 2021, 07:03:23 AM

One easy way of mitigating that would be to store hashes of everything. For example the database wants to store foo@bar.com but instead of storing the plaintext it hashes it and stores "0c7e6a405862e402eb76a70f8a26fc732d07c32931e9fae9ab1582911d2e8a3b". When user searches that string, again they hash it in browser and send the hash to server which will be searched inside db. This way if the db is leaked all the hacker gets is useless hashes.
This is not a good solution that many companies will accept. Most websites want the ability to send marketing emails and hashing the email address in their database will prevent that. Websites may also want to track email domains to watch for spammy domains and blacklist them accordingly.

Further, it would be better to have the information hashed by the server rather than in the browser. This way the server can enforce any restrictions on email addresses. If the hashing is done in the browser, someone could calculate the hash of “foo@bar” (no dot com), and send this hash to the server. The website would have no way of knowing the user is using an invalid email. Similarly, if the password is sent via hashed format, the server would have no way of knowing if it meets complexity requirements. The server should receive the password in plaintext format, perform regex on it to confirm complexity requirements, then should be hashed prior to being sent to the database.

Most importantly, hashing information in the browser means an attacker can trivially login using the hashes of the email and password. If the hashed email addresses and passwords leak, a hacker could send the hashed email and password to the server and access the account. This would be the same as storing passwords in plain text.


If you read the blog post in the OP, you will see that CMC is saying they don’t believe the leaked information came from CMC. They are saying they believe that someone used a list of email/password combinations leaked from other sites, and used these combinations to try to login. When logins were successful, the hacker knew that the email was associated with an account at CMC.
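The two objections above (the server cannot validate what it only sees as a digest, and a browser-computed hash becomes the credential itself) can be shown side by side. This is an added example, not part of the original post and not any site's real code; the class names, the two regex rules and the PBKDF2 parameters are assumptions made for the illustration, and all values are constructed.

```python
import hashlib
import hmac
import os
import re

# Constructed sample values for this example only.
EMAIL = "alice@example.com"
PASSWORD = "correct horse battery staple 42"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")    # assumed address rule
POLICY_RE = re.compile(r"^(?=.*[a-z])(?=.*\d).{12,}$")  # assumed complexity rule
PBKDF2_ROUNDS = 600_000                                 # assumed work factor


def sha256_hex(text):
    """What the browser would compute in the client-side design."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class BrowserHashedSite:
    """Design A: the browser hashes; the server stores and compares whatever it receives."""

    def __init__(self):
        self.db = {}  # email_hash -> password_hash

    def register(self, email_hash, password_hash):
        # Only digests arrive, so neither the address nor the password can be checked.
        self.db[email_hash] = password_hash
        return True

    def login(self, email_hash, password_hash):
        stored = self.db.get(email_hash)
        return stored is not None and hmac.compare_digest(stored, password_hash)


class ServerHashedSite:
    """Design B: plaintext arrives over TLS, is validated, then stored as a salted slow hash."""

    def __init__(self):
        self.db = {}  # email -> (salt, derived_key)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def register(self, email, password):
        if not EMAIL_RE.match(email) or not POLICY_RE.match(password):
            return False
        salt = os.urandom(16)
        self.db[email.lower()] = (salt, self._derive(password, salt))
        return True

    def login(self, email, password):
        record = self.db.get(email.lower())
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))


def invalid_address_accepted():
    """Return (design_a, design_b) results for registering 'foo@bar' (no dot com)."""
    a = BrowserHashedSite().register(sha256_hex("foo@bar"), sha256_hex(PASSWORD))
    b = ServerHashedSite().register("foo@bar", PASSWORD)
    return a, b


def replay_leaked_rows():
    """Return (design_a, design_b) login results when only database rows are presented."""
    a = BrowserHashedSite()
    a.register(sha256_hex(EMAIL), sha256_hex(PASSWORD))
    leaked_email_hash, leaked_password_hash = next(iter(a.db.items()))
    a_result = a.login(leaked_email_hash, leaked_password_hash)

    b = ServerHashedSite()
    b.register(EMAIL, PASSWORD)
    _salt, derived = b.db[EMAIL]
    # The stored value is hashed again on login, so it does not work as a password.
    b_result = b.login(EMAIL, derived.hex())
    return a_result, b_result


if __name__ == "__main__":
    print("invalid address accepted (A, B):", invalid_address_accepted())
    print("stored row works as a login (A, B):", replay_leaked_rows())
```
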


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: DdmrDdmr on November 01, 2021, 10:18:28 AM
<…>
If you read the blog post in the OP, you will see that CMC is saying they don’t believe the leaked information came from CMC. They are saying they believe that someone used a list of email/password combinations leaked from other sites, and used these combinations to try to login. When logins were successful, the hacker knew that the email was associated with an account at CMC.
Nevertheless, 3.1M leaked records seems like a massive figure to be produced by using the hypothesis they provide, especially if passwords were involved to ensure valid logins (which they could validate probably through their logs and searching for patterns within the login times and attempts).

At some point, they did put special care in the wording to state that:
Quote
You may have seen some information online about CoinMarketCap emails — we want to assure our users that there has been no leak from our own servers.
(see: https://twitter.com/CoinMarketCap/status/1451813671961833473)

The "our own servers" seems like a deliberate careful choice of words, to cast a shadow on any third-party provider that has access to the information for, let’s say, marketing purposes (see https://coinmarketcap.com/privacy/). This would also play along with there being no passwords in the leak.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: Quickseller on November 01, 2021, 01:58:07 PM
<…>
If you read the blog post in the OP, you will see that CMC is saying they don’t believe the leaked information came from CMC. They are saying they believe that someone used a list of email/password combinations leaked from other sites, and used these combinations to try to login. When logins were successful, the hacker knew that the email was associated with an account at CMC.
Nevertheless, 3.1M leaked records seems like a massive figure to be produced by using the hypothesis they provide, especially if passwords were involved to ensure valid logins (which they could validate probably through their logs and searching for patterns within the login times and attempts).

At some point, they did put special care in the wording to state that:
Quote
You may have seen some information online about CoinMarketCap emails — we want to assure our users that there has been no leak from our own servers.
(see: https://twitter.com/CoinMarketCap/status/1451813671961833473)

The "our own servers" seems like a deliberate careful choice of words, to cast a shadow on any third-party provider that has access to the information for, let’s say, marketing purposes (see https://coinmarketcap.com/privacy/). This would also play along with there being no passwords in the leak.

Well they can only investigate what they have access to. They have stated they completed a security audit and found no leaks from their own servers. They can't do the same for any of their vendors.  I would presume they would keep track of information shared with their various vendors, and if the list of leaked email addresses matched what was shared with that vendor, they would be able to blame that vendor. If the list of emails exceeds what they shared with any one vendor, it should be reasonable to say the leak did not come from any of their vendors.

Given that CMC accounts really don't contain much valuable information, it might not be unreasonable to think they are not employing sophisticated detection systems to try to detect unauthorized logins.  I would presume that someone logging into 3.1 million accounts would not do so from a single IP address, and a project of this scale would likely have been done over time, and using many IP addresses.

CMC claims (https://coinmarketcap.com/about/#:~:text=CoinMarketCap%20reaches%20hundreds%20of%20millions,%2C%20Instagram)%20and%20annual%20conference.) to "reach" hundreds of millions of users every year, so 3.1 million email addresses would likely be a small subset of all the email addresses in their database.

They also probably want to be careful to not acknowledge the email list is valid. Doing so would implicitly acknowledge that any email address on the list is an email address associated with a CMC account.
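The point above that a large login-testing run would be spread over many IP addresses is the reason a per-IP failure limit alone does not see it. The following is an added example, not part of the original post and not a description of CMC's systems: it runs a per-IP rule and a site-wide rule over a constructed login log, and the log format, thresholds and function names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_constructed_log():
    """Constructed sample data: one quiet window, then one window of spread-out login testing."""
    lines = []
    t0 = datetime(2021, 10, 1, 12, 0, 0)
    # Window 1: 20 regular users, each from their own address, one mistyped password.
    for i in range(20):
        ts = (t0 + timedelta(seconds=20 * i)).strftime(FMT)
        outcome = "FAIL" if i == 3 else "OK"
        lines.append(f"{ts} 192.0.2.{i + 1} user{i}@example.com {outcome}")
    # Window 2: 60 attempts from 30 addresses (2 each), each against a different account.
    t1 = t0 + WINDOW
    for i in range(60):
        ts = (t1 + timedelta(seconds=9 * i)).strftime(FMT)
        outcome = "OK" if i in (11, 47) else "FAIL"
        lines.append(f"{ts} 198.51.100.{i % 30 + 1} acct{i}@example.net {outcome}")
    return lines


def parse(line):
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, FMT), ip, account, outcome == "OK"


def bucket(ts):
    """Floor a timestamp to the start of its 10-minute window."""
    return ts - (ts - datetime.min) % WINDOW


def per_ip_alerts(lines, max_failures=5):
    """Classic rule: (window, ip) pairs with more than max_failures failed logins."""
    fails = defaultdict(int)
    for ts, ip, _account, ok in map(parse, lines):
        if not ok:
            fails[(bucket(ts), ip)] += 1
    return sorted(key for key, count in fails.items() if count > max_failures)


def sitewide_alerts(lines, min_attempts=50, fail_ratio=0.8, min_failed_accounts=40):
    """Aggregate rule: windows where most logins fail across many distinct accounts,
    regardless of how many source addresses the attempts came from."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "failed": set(),
                                 "ips": set(), "succeeded": set()})
    for ts, ip, account, ok in map(parse, lines):
        s = stats[bucket(ts)]
        s["attempts"] += 1
        s["ips"].add(ip)
        if ok:
            s["succeeded"].add(account)
        else:
            s["fails"] += 1
            s["failed"].add(account)
    alerts = []
    for start in sorted(stats):
        s = stats[start]
        if (s["attempts"] >= min_attempts
                and s["fails"] / s["attempts"] >= fail_ratio
                and len(s["failed"]) >= min_failed_accounts):
            alerts.append({
                "window": start.strftime(FMT),
                "attempts": s["attempts"],
                "fails": s["fails"],
                "source_ips": len(s["ips"]),
                # Accounts that logged in successfully during a flagged window
                # are the ones to review and force a password reset on.
                "review_accounts": sorted(s["succeeded"]),
            })
    return alerts


if __name__ == "__main__":
    log = build_constructed_log()
    print("per-IP alerts:", per_ip_alerts(log))
    print("site-wide alerts:", sitewide_alerts(log))
```
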


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: BitcoinGirl.Club on November 01, 2021, 02:09:50 PM
Consider that email address you used for CMC account is now compromised, don't be surprised if you start to receive some spam and scam emails, so you should not use it anymore.
This gives me the answer of an old email I used, I received an email from a startup to look into their project and become first-hand investor LOL
PS: I did not know CMC is owned by Binance. CZ is doing everything to monopolize the crypto niche. Not good.

Another day, another centralized service leaking user information across the internet. Owned by Binance, have no idea how their database was accessed, and unable to confirm or deny if other information was also accessed. Really fills you with confidence! ::)
What else is owned by CZ? Get ready to get that hacked too 😉

Fun aside, it's the risk we always take when we deal with a centralized database.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: o_e_l_e_o on November 01, 2021, 04:08:46 PM
Well they can only investigate what they have access to. They have stated they completed a security audit and found no leaks from their own servers. They can't do the same for any of their vendors.
That doesn't make them any less responsible. It is their responsibility to vet the parties they deal with and to ensure their security is up to scratch, and it is their responsibility to investigate if one of them has leaked data. If you give me $1000 to keep safe for you, and I give it to a drug addict who then blows it all on drugs, I can't shrug my shoulders and say "Well, I didn't lose it."

It is too much of a coincidence that a database of 3.1 million emails matches exactly with 3.1 million CMC accounts. If they didn't leak it, then someone they gave it to did.

What else is owned by CZ?
Trust wallet. Also they have so much influence over it and have embedded so many things in to it, that Brave Browser is essentially owned by them too.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: Quickseller on November 01, 2021, 04:56:15 PM
Well they can only investigate what they have access to. They have stated they completed a security audit and found no leaks from their own servers. They can't do the same for any of their vendors.
That doesn't make them any less responsible. It is their responsibility to vet the parties they deal with and to ensure their security is up to scratch, and it is their responsibility to investigate if one of them has leaked data. If you give me $1000 to keep safe for you, and I give it to a drug addict who then blows it all on drugs, I can't shrug my shoulders and say "Well, I didn't lose it."

It is too much of a coincidence that a database of 3.1 million emails matches exactly with 3.1 million CMC accounts. If they didn't leak it, then someone they gave it to did.
See the blog post (https://coinmarketcap.com/about/#:~:text=CoinMarketCap%20reaches%20hundreds%20of%20millions,%2C%20Instagram)%20and%20annual%20conference.) that is linked in the OP, and my first (https://bitcointalk.org/index.php?topic=5367146.msg58317529#msg58317529) post in this thread.

I was not defending CMC for leaking the emails via their vendor. I was responding to DdmrDdmr that he was suggesting that CMC's statement implies the leak could have come from one of their vendors. I was noting that CMC has no way to do a security audit to confirm the list did not come from one of their vendors.

CMC is saying that someone found a list (or lists) of email addresses and passwords, and attempted to use those email/password combinations (from other website(s)) to login to CMC, and if they were able to login, they knew the email address was one associated with a CMC account.

When bitcointalk was hacked, usernames, email addresses and password hashes were leaked. If someone were to use the leaked information to try to login to coinbase accounts that use the same email address and password combination, and subsequently publish a list of email addresses associated with coinbase accounts, it would not mean that coinbase was hacked. Someone could have used the leaked information from the forum, and leaked information from other bitcoin-related websites.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: o_e_l_e_o on November 01, 2021, 08:36:07 PM
I was noting that CMC has no way to do a security audit to confirm the list did not come from one of their vendors.
Sure they do. Just hire an independent third party to go and audit everyone that they share your data with. I'm sure it would be expensive since they probably share your data with dozens of third parties, but it's not impossible by any means.

CMC is saying that someone found a list (or lists) of email addresses and passwords, and attempted to use those email/password combinations (from other website(s)) to login to CMC, and if they were able to login, they knew the email address was one associated with a CMC account.
And I don't buy that for a second. If you are to believe that story, then you believe someone tried millions of username/password combinations (many more than the 3.1 million which were found to be valid) to break in to CMC accounts... for what? To see what coins everyone was watching? But they didn't break in to any exchange accounts, or web wallets, or casinos, or anything with value? Or even the email addresses themselves?


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: DdmrDdmr on November 01, 2021, 09:01:55 PM
I’ve been searching around, and found the alleged 3,1 M Database on a given place where it was loaded as a freebie on the 13/10/2021. It includes just emails as we knew. Now the weird thing is that someone also uploaded a file on the 24/10/2021 with 2,3 M pairs of alleged login/passwords from CMC, also for free. Not much explanation is provided alongside.

I took a brief ethical look, and found that this latter file with 2,3 M records really has only 745 K different emails. The file has many entries with multiple passwords per email, thus only rendering 745 K distinct emails. I crossed it with the 3,1 M record database, and 740 K emails coincided. I tried a couple of dozen random email/pwd (of those with unique entries in the pwd file), and only one logged in. The others were either not CMC emails, or had already changed their email.

Now this leaves me a bit more puzzled. There is no explanation on how and when this login/pwd file was compiled. It could be a prior breach, or a compilation of crypto related credentials, branded as CMC related by someone at some point for some reason.

The fact that many emails have multiple passwords can only be justified by it being a compilation, or derived from some log or historical archive of password changes. Nevertheless, the low successful login ratio from my test seems to point to it being non-current or non-specific to CMC. I cannot really tell, and Tor login attempts are painstakingly long to try out.

The fact that the emails largely do coincide with the CMC 3.1 M file, albeit only for 740K of the records, points to a relation between the two files, but I still cannot attest to whether they are legit CMC in origin, or a compilation.

Having said that, CMC can easily know what’s what, and they can and should be more transparent about the nature of the 3,1M file, and more specifically at this stage, the degree of coincidence with the CMC database. Not undisclosing this seems of no real benefit rather than to speculation itself.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: Quickseller on November 01, 2021, 11:22:52 PM
I was noting that CMC has no way to do a security audit to confirm the list did not come from one of their vendors.
Sure they do. Just hire an independent third party to go and audit everyone that they share your data with. I'm sure it would be expensive since they probably share your data with dozens of third parties, but it's not impossible by any means.
If they have not shared the entire list of emails with any one third party vendor, they can reasonably rule out the data coming from any vendor. I also don’t know that CMC would have the ability to force their vendors to be subject to intrusive audits by another third party, when they never even had access to the data that was leaked.

Quote
CMC is saying that someone found a list (or lists) of email addresses and passwords, and attempted to use those email/password combinations (from other website(s)) to login to CMC, and if they were able to login, they knew the email address was one associated with a CMC account.
And I don't buy that for a second. If you are to believe that story, then you believe someone tried millions of username/password combinations (many more than the 3.1 million which were found to be valid) to break in to CMC accounts... for what? To see what coins everyone was watching? But they didn't break in to any exchange accounts, or web wallets, or casinos, or anything with value? Or even the email addresses themselves?
I presume the list was either sold by someone who did this, or that person(s) tried to sell it. Or they could have been trying to get credibility/reputation of some sort. They would have obviously automated the testing, so it’s not like there was one person trying millions of email/PW combinations.

I noted elsewhere that it is unusual for only emails to leak in a data breach.



I don’t think anyone has alleged that passwords were leaked from CMC. I think it would be very strange for someone to steal passwords, publish that email addresses were leaked then publish both emails and passwords without any explanation.

It is a best practice to not disclose specific security measures you are taking so adversaries can’t easily see holes in your security. But I would not be surprised if CMC at the very least forced users who were affected to reset their password via email the next time they logged in to CMC, if they didn’t proactively email those affected suggesting them to change their passwords.

I would also assume that many of the emails in question are receiving a decent amount of malicious emails from people trying to take advantage of the fact the emails in question are associated with someone involved in crypto. The uptick in these types of emails might get people to change their passwords.   


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: libert19 on November 02, 2021, 05:06:39 AM
Maybe it's only me, but I wouldn't stop using my email and move all that stuff to another just because it's prone to spam/phishing now.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: o_e_l_e_o on November 02, 2021, 09:01:21 AM
If they have not shared the entire list of emails with any one third party vendor, they can reasonably rule out the data coming from any vendor.
So come out and say that, instead of this deliberately vague "no leak from our own servers" nonsense. This is the same kind of nonsense they pulled during the KYC leak Binance experienced back in 2019. They called it a "false leak", and their statement said "At the present time, no evidence has been supplied that indicates any KYC images have been obtained from Binance". (Emphasis mine). Just as with this hack, that statement is true but deliberately worded to obfuscate things - data was not obtained from Binance, just as it has not been obtained from CMC. And as we all know with the Binance leak, it was some sketchy third party that they sent the data to who ended up being the culprit. And just as they were responsible for that KYC leak from a third party, they are responsible for this email leak from a third party.

I also don’t know that CMC would have the ability to force their vendors to be subject to intrusive audits by another third party, when they never even had access to the data that was leaked.
Binance have a responsibility to protect your data, and that includes checking the security practices of the third parties they share your data with. If a third party is unwilling to demonstrate their security is up to scratch, then why the hell are Binance sending your data to them? This is just negligent.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: pakhitheboss on November 02, 2021, 10:19:06 AM
The majority of email addresses will be those of airdrop participants. They are smart people, most of them would have created an email address just for airdrops. They already are getting tons of spam emails so they will be least bothered. Furthermore it is better to check coingecko than CMC.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: BitcoinGirl.Club on November 02, 2021, 01:44:56 PM
What else is owned by CZ?
Trust wallet. Also they have so much influence over it and have embedded so many things in to it, that Brave Browser is essentially owned by them too.
So big names in the crypto eventually are selling their business to CZ and eventually some day we will see CZ is controlling the industry. CZ will be no different than Google and Facebook owners.

I recommend that you familiarize yourself with services similar in functionality:

- CoinGecko (https://www.coingecko.com/en)
- Cryptorank (https://cryptorank.io)
This is a good idea. Diversification is very important. If you let one person own everything in the market then eventually you are allowing a monopoly business model. And monopoly does not bring good things in the industry.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: o_e_l_e_o on November 02, 2021, 01:51:15 PM
CZ will be no different than Google and Facebook owners.
Pretty much. Centralized exchanges have been rapidly discovering that while they can obviously make some nice profits from charging ridiculous trading and withdrawal fees (which I still can't understand why people seem happy to put up with), the real money is to be made with information and data. It's the same reason as why Facebook sell things like the Oculus at a loss and Google practically give away Google Home devices. They don't care about making profit with these things; they care about having them in your home, care about you using them and linking up all your accounts, and care about collecting your data.

Coinbase went as far as to create their own blockchain analysis department, which they contract out to anyone who will pay, including multi-million dollar contracts to various governments and their agencies, including the CIA, FBI, DEA, and IRS. Binance bought out CMC to gather data on all its users, and have inserted their code and software all over Brave Browser to track its users too. Your data is far more valuable to these companies than the fees you are paying them.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: JustinSun11 on November 02, 2021, 02:02:49 PM
There are many exchanges that share your data with many other exchanges and networks. This is not a new thing, it has been happening, of course, in front of your eyes or behind the eyes. The emails that come from many other companies come because you must have registered somewhere, they have sold your data to some other project. So that they can promote their project. In today's time there is no such thing as privacy. Facebook has so much of your data that it can force you to think whatever they want. In the long run, big companies think that they will rule the world. Front will be the government and behind the decision makers will be the people of these companies. Everywhere they will make laws that suit them so that no one could challenge them even legally.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: dimonstration on November 02, 2021, 02:08:52 PM
The majority of email addresses will be those of airdrop participants. They are smart people, most of them would have created an email address just for airdrops. They already are getting tons of spam emails so they will be least bothered. Furthermore it is better to check coingecko than CMC.

Yeah, the majority, but there are 100k, maybe more, who are crypto newbies using their own email to get official updates on coinmarketcap. I have a friend who is using a personal email on coinmarketcap because he wants to receive news from it as soon as possible, so he preferred his personal email, which he always checks.

The good thing is I already briefed him about all the dangers of using a personal email and what to expect.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: BitcoinGirl.Club on November 02, 2021, 05:03:14 PM
Agree with everything o_e_l_e_o said.
Your data is far more valuable to these companies than the fees you are paying them.
This is the era of information. Random information will not make any sense but the agency and company know how to analyse the same information and monetize it, they are dominating the industry. Facebook understood it, Google realized it even before creation of Facebook. I think google started knowing that they need to collect the data to build their project where Facebook started just to have fun but once they became big and needed funding then they realized the data they had were their assets.

Anyway, I think we are moving to off-topic.
Let's see how it affects CMC users and the community. I already received two emails from random source. Usually I just delete them.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: ShowOff on November 02, 2021, 08:07:51 PM
There's nothing really safe on the internet and everything is vulnerable to hacking, it's a good thing they announced that they haven't been hacked.
A little bit worried because I used my email here in Bitcointalk that linked to Coinmarketcap and I think it needs to change.
If you really care about security while on the internet then make sure you sign up with a different email on each platform you want to visit. I use different emails for forum account, trading account and other platform account. This is just a suggestion, but it might be useful.

The failure of a platform in terms of securing the database is actually not our fault, they actually have to be responsible for their customer data but users are advised to consider all the risks that arise on the internet and one of them is hacking. So self-safe, account-safe, asset-safe because of that is very important.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: Myleschetty on November 03, 2021, 12:00:26 AM
The issue of the coinmarketcap leaked email explains why I am getting some weird mail lately (below is the screenshot), but I don't know if you guys notice that almost every platform owned by CZ is having a problem these days one way or the other, because binance.com was said to have a large backlog issue today (https://twitter.com/binance/status/1455137004333711364?s=20).


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: pooya87 on November 03, 2021, 05:58:07 AM
~
If you read the comment chain you can see I was talking about "haveibeenpwned" website and their database. Users don't log into that site, they just search their email to see if it were leaked (pawned). And the discussion was about haveibeenpwned database being "pawned" itself which I said it could be prevented by only storing and requiring hashes to search.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: Quickseller on November 03, 2021, 11:22:12 AM
~
If you read the comment chain you can see I was talking about "haveibeenpwned" website and their database. Users don't log into that site, they just search their email to see if it were leaked (pawned). And the discussion was about haveibeenpwned database being "pawned" itself which I said it could be prevented by only storing and requiring hashes to search.
haveibeenpwned gets their information from various leaks of data. When haveibeenpwned says that a password was leaked, it means they were able to find a leak that contains a password. If haveibeenpwned is able to locate a list of stolen information, it means that someone else can also locate the same information if they know where to look. Someone hacking the haveibeenpwned database would largely be pointless because the information is already public.


CMC's obligations regarding their customers' data can be found in their privacy policy (https://coinmarketcap.com/privacy/). If someone does not like the terms of their privacy policy, they can ask CMC to change the term they do not like, however until and unless CMC changes the policy, the policy as currently written lays out their obligations.

I am also not sure there is sufficient evidence to suggest that the leaked images came from Binance or any of their vendors. Binance says that it adds a digital watermark to images it receives for KYC purposes, and the leaked images do not contain that watermark. Binance also said at the time that many of the images in question do not match the images they received from any customer.

I would also note that the alleged hacker was asking for over a million dollars from binance before releasing the images, and would not tell binance how they were able to allegedly steal the images from their systems.

The above fact pattern does not say with certainty that the images came from binance/one of their vendors. It also opens the possibility the "hacker" obtained the images via means unrelated to binance.


Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: o_e_l_e_o on November 03, 2021, 12:09:53 PM
The above fact pattern does not say with certainty that the images came from binance/one of their vendors. It also opens the possibility the "hacker" obtained the images via means unrelated to binance.
All the selfies (which you can find examples of online if you want to go looking for them) were of users holding up pieces of paper with "Binance" written on them alongside their ID. There is no reason that any company other than Binance or their third party partners would have thousands of such pictures. And regardless, Binance admitted the data came from a third party that they sent users' KYC data to, they contacted all the users in question to tell them about the hack, and they gave them all free lifetime VIP memberships. So yes, it was Binance's fault despite their initial statement that nothing had been "obtained from Binance".

This statement in this case about nothing being leaked from "their own servers" is exactly the same. Binance are neither honest nor trustworthy when it comes to security of data.



Title: Re: Coinmarketcap hack leaked 3.1 million emails!
Post by: Porfirii on November 03, 2021, 07:47:26 PM
because of the hack that happened on October 12 that leaked 3,117,548 email addresses!

Damn! A bit late but it is better late than never.

Thanks for the warning dkbit98. Unlike what happens with most crypto services and products, there is a big consensus among us to use CMC occasionally and, since they are now part of Binance, even a little percentage of those users logging in there supposes a huge exposure. I can't remember now whether I signed in there ever, but I will have to check it up because I don't want to be one of the 3 million addresses without knowing it.