Bitcoin Forum

We have news regarding Binance exchange and leaked KYC
https://thehackernews.com/2019/08/binance-kyc-data-leak.html


Binance responded:
https://www.binance.com/en/blog/365766157488967680/Statement-on-False-KYC-Leak

Hackers wanted 300 BTC from Binance

What do you think?
I personally do not trust any exchange including Binance,
and I do not like KYC, for this reason among others....

Not a meta topic.

Also same topic has been posted several times today.

Binance KYC Data Leak - Allegedly: https://bitcointalk.org/index.php?topic=5173312.0
Binance hacked again 10k+ KYC (FACEBOOK 2.0 LEAKAGE): https://bitcointalk.org/index.php?topic=5173226.0
[2019-08-07] Binance Has Denied Information About Users Data Leak: https://bitcointalk.org/index.php?topic=5173197.0

But you can also move the topic... You don't have to wait for the mods.

True. I will.
I was not sure where to post in anywhere...

@dkbit98 Service Discussion -> Exchanges would be most appropriate.

Of course, who would trust anyone in crypto space? Binance says it's 2018, wherein they hire some 3rd party to help them with the huge amount of users that time in their trading platform. So it's possible that it was not a hack but a data leaked by the 3rd party. So let's see how it goes.

Apparently the hack/leak took place in January/February 2019, so it's not old. The public is only just learning about it now. Be careful of any telegram groups that ask you for your info so they can verify if your info has been hacked, and don't click on any links they give you because that'll be the real hack.

More update:

https://www.coindesk.com/a-bitcoin-extortion-gone-wrong-inside-binances-negotiations-with-its-kyc-hacker

300btc is much because the hacker only stole kyc data and I will say it is possible to block the hacker without causing much damage! This is the reason why people and cryptocurrency enthusiast are promoting " privacy" KYC is against the ideas of bitcoin and other coins and it is good to all of these popular exchange to keep KYC aside and allow people to trade anonymously.

I don't know who to believe if its Binance or Bnatov who's telling the truth.

While Binance puts the blame to a third party company. I will learn and know more about this hot issue.

I think these experiences are unnecessary. They should be trusted

Cant really trust exchanges. SMH

What I dont understand is that why would they offer a reward in identifying the culprit? I mean they said its only fud right?! I feel like they are just lighting a fire in their own mess. Why would they even bother to give such reward? Just doesnt make sense to me at all. I just remember the hack that happened to them last 3 months I think. They say that they are safe as an exchange and yet all these "accusations" are just so ominous.

They are BIG lairs and I don't trust them at all.
KYC is 'SAFU'...

I dont like KYC system either... but its not up to me to decide. So whethever I want to use or not I have to.

Users that cant accept the fact that binance isnt that secure, will say it isn't true. Nothing is secured after all lols

Means you don’t trust exchanges?where did you buy ur coins?Or haven’t you holding any?binance is a good exchange for me though the KYC thing made me bother though almost all of them are asking for KYC now so there’s no chance that you ca invest in cryptocurrency or even do trading(not unless you are going to p2p in which more expensive)

Never forget that all hackers are more genius than what we can expect so fo them nothing is impossible,even how secure a exchange but the chance of being a victim isn’t always there
Lucky that my exchangers didn’t got hacked while my assets are in their possessions

I did not buy then on Binance for sure... and that is private information :)


What defines 'GOOD' Binance exchange quiz?

1. They have been hacked and lost crypto multiple times.  ✔️
2. They leaked users KYC and kept quiet about it ✔️
3. They block users from many countries to access it ✔️
4. They charge hundreds of Bitcoins to list new shitcoins ✔️
5. They can switch you off whenever they want in their 'DEX' exchange ✔️


...

Almost the same was with Huobi exchange:

https://www.theblockcrypto.com/2019/08/15/this-issue-is-different-huobi-responds-to-user-phone-number-leak-following-binance-kyc-hack/

And similar story with Coinbase exchange:

https://blog.coinbase.com/post-mortem-a-closer-look-at-a-password-storage-issue-affecting-3-420-customers-e23cfc8a0363

People should move in coming months to decentralized exchange. DEX cross-exchanges - future  ::)

Yep, centralization is taking over everything crypto-related, when we wanted crypto to be the safe space for decentralization to advance forward.

It's very disappointing hearing all of these centralised exchanges being hacked when people have been warned for years that using centralized exchanges and putting your information on the internet is not a good idea. Sure, the exchanges have fault here for having hackable systems, but the people who trust the service also are at fault.

I'd love to see more DEX's flourish in the scene, but the regulations that are forcing all of those exchanges to add KYC, etc is really not helping.

We might have a future where DEX's are regarded as illegal, and we need to use Tor and VPN's to access them, which is horrible.

Binance can fabricate a story of their own, it's their business at risk here so they'll have to come up with a good explanation that will make traders not to panic and withdraw their funds. Until I hear some report coming from an independent investigator that has a good reputation, I would not believe any story that would come out.

I have just actually opened an account with Binance. I was never a fan of the exchange even if it is one of the most hyped exchange nowadays. But since the volume is there and there's a 2-BTC daily withdrawal limit for an unverified account, I suddenly became one of the users. But I was extremely disappointed when months ago there was a successful hack which took away $40 million. But then it was not enough, I was more surprised when it was then followed by this KYC information hacking incident.

Although it didn't come to my mind that all these incidents are partly inside jobs, I wonder why Binance appears so exposed to these security attacks. A giant exchange with a 24-hour volume reaching almost a billion USD getting successful successive security attacks? Where did the income go? Are they not investing a significant portion of their income for security protection? They can pay a lot of shills to provide hype to their brand but they cannot shell out money for their own protection?

A truly independent third party investigator should make an honest-to-goodness audit report, and not just a garbage report that is done with a price just to pacify the traders.     

 

Im just glad that I did not went for a KYC in the previous exchanges that I've used. I move out from bitmex moved to Binance but when they decided to make their KYc policy such as the poloniex.

I can probably say that at first the binance management is really trying to be honest with us because they were known for being public if anything bad happens to their system. Tho, when they certainly lose their control with the multiple hacking issue they started to getting more private. Maybe to protect their image which is completely understandable. I think the main issue here is their systems capability shouldn't be trusted.  For me they are still one of the few whom you can somehow trust if they can improve their securities

Those alleged "white hackers" are completely arrogant in my opinion. Hacking for their personal goal isn't considered as white hacking at all cause if they do. They did not get the personal info and use it to gain money. They can somehow earn it by providing the said exchanger the solution with their price that is probably more ethical

This is the problem with majority of the big exchanges, they spend their effort and resource for more advertisement and branding but they will not take good care of their security, when ever there is a hack the owner comes up with his regular tweets that it is safe and nothing to worry, people will move out and find new platforms if they do not care about customers and their privacy and security, Poloniex was once a big exchange and a couple of years back they started having all the issues of coins getting delayed even after depositing and it takes three weeks to get a response from the customer support and they lost many customers and that will happen to Binance too.

Them denying it and saying it hasn't happened isn't illegal, or bad really. It's them trying to save their business, and it's much easier and possibly better than saying they've leaked thousands of customer's KYC information.

I don't think this is all their fault, no doubt they have tried to make their exchange as secure as possible, and they have probably spent millions on security, tests, etc.

All centralized exchanges will fall to hackers, it just depends on time. Hackers are getting really good, and possibly even better then exchange's security, and they'll always find a way. This is why DEX's are the only real way to trade successfully, but due to rules and regulations, it's making it very hard to advance DEXs.

Poloniex was bought by Circle (https://techcrunch.com/2018/02/26/circle-acquires-cryptocurrency-exchange-poloniex/) and turns into a heavily centralized exchange thats why users left out this exchange in air and rankings goes down.The difference between Polo and Binance is clear thats why they do able to retain their top position in spite of the issues.

Providing your personal info is always a risk as they are stored somewhere and are within reach of some people.
Every of major exchanges are combating probable hacks everyday and noone can be future proof for every attacks. It's about mitigating the effect and being ready for the future.
Hacking is always a competition between black hat and white hat developers. And there's never a definite winner.

Eh, it could have happened to any exchange.  Hell, even big corporations like Target have gotten hacked and have had their customers' information leaked all over the place.  As far as trusting Binance, I'd say they're one of the more trustworthy exchanges out there, regardless of them getting hacked.  Yes, it would be nice if they'd beef up their security so such a thing wouldn't happen....but we all know it does happen and will continue to happen.

I'm not a fan of KYC either, but if an exchange wants to be legitimate they have to conform their practices to government regulations.  I don't think any exchange wants to require KYC procedures.  They have to if they want to be able to offer fiat services to their customers.  Can't blame Binance for that.

Agreed.  Hackers are gonna hack, and they're getting better at doing it.

Hackers will try their best to hack anything but what about having a trigger warning when something is fishy, just look at their withdrawals (https://www.blockchain.com/btc/tx/e8b406091959700dbffcff30a60b190133721e5c39e89bb5fe23c5a554ab05ea) 7000BTC being withdrawn at once to multiple accounts a all are huge amounts and their so called security system implemented did not identify something fishy is going on.

Look at their official statement, this is the binance official statement about the hack


They are clearly saying that their security measures had loop holes, because if there is an opportune time to bypass their security then what security measure they are talking about  ::).

After executing the withdrawal their alarms got triggered so that further withdrawals are halted, which shows that their security measures were of no good. Security measures are meant to stop anything from happening and not to get a trigger warning after the incident. Hackers will prey on these loop holes and it is not they are getting smarter by the day, all black hat look for is their pattern and find the flaws and take advantage of it and binance had many and they fell for that.

It was not because of the take over, their issues started in late 2016 and early 2017 and none of the coins i deposited was credited and it took three weeks to get a resolution and i am sure many people had that difficulty and i stopped using them after those delays and their worst customer support to get a resolution.

I have no respect for anyone who blame someone else instead themself , the fact that binance did it .. the trust rank in my eye decreased although until now I still using their services , I might limiting myself to use them in the future and take what happened as a lesson that nothing is safe no matter how huge the company and how high the security measure they claimed.

People come to crypto due it's free from KYC few years ago  but now it seems things has changed , everything need KYC and we know it's sucks for privacy reasons.

There will always be loopholes but if someone is trying to reach you out about it and help you to fix such issues and avoid breaches then I think paying them out for such is not so bad since it will fix that issue and avoid it from happening again later on.

I think they should focus on fixing this asap rather than to find someone to blame.

I think that will also help the helper know the loopholes and try to attack the exchange themselves once they are in need of money again in future because they are securing it and they will know the gaps that they can use to hack these databases again and in future, ask again for some ransom. While we cannot trust even developers of projects to come and join our project to help us out in security issues, it is not a better option to go outside unless you trust them more than your current team.

It seems that binance is trying to compensate the leak hack victims by giving them a lifetime VIP membership in their platform rather than paying the so called white hackers.
I personally don't think that it is not enough because it will still be binance that can benefit from the said conversion.

I personally think that they are not blaming the third party for no solid evidences. Based on their investigation the said publicized photos has no watermarks that will indicate its reliability.

Here is an official binance statement for full info.

https://www.binance.com/en/blog/371631019142385664/Update--Action-Response-ThirdParty-Vendor-KYC-Matter

Binance tries to settle it in a smoothly cunning way. Although they are already offering VIP membership to the thousands of victims, which to me is already a subtle way of accepting the responsibility over what happened, they are still short of explicitly admitting that there was indeed a successful KYC hack on their system. CZ has initially labelled it as "FUD" and then they are now releasing a statement that no single leaked image bears the concealed digital watermark which Binance's KYC images have.

I think the hackers are not white hackers. They are not there to help Binance boost their security system. Neither are they simply trying to test the protection that Binance has. They are obviously black hat hackers, extorting money from their victims, in the case of Binance 300 BTC. 

I am not sure about that because I don't follow the news, but I am sure that binance will handle it with care and they will solve the problem. I think that the leak is happening on every website, but if the site really cares with their members, they will protect the data, and they will secure their website from the hacker. Let binance do whatever they think it's necessary, and if we don't want to complete KYC, then we don't have to do that, and if you don't trust the exchanges, you need to find out the other way to buy and sell the crypto coins.

If those images arent reliable then there would be no victim or such document leak? Then why they do offer such lifetime vip membership to those victims?
Which means there's indeed a hack happened.Thank you for the link provided because ive been following this earlier but in the end i do forgot to get the updates
about this kyc hack.Binance did really did make a good job on handling thing but somehow this situation already put up some stain into its reputation.
We can really conclude that theres nothing on this world can be considered as safe and as said earlier there would be always a loophole.

Binance has already admitted that those photos were collected for the verification of Binance accounts. According to their statement, they used a third party for a period of time which could be responsible to the leaks as binance stamps all it's verification documents. But it's still hard to believe this alibi as they denied the claims at first and now are offering life time VIP membership to the victims.

In other words, Binance is not facing this squarely. Their approach is a combination of a little circumventing the clients, a little of shirking full responsibility and somehow admitting it at the same time, and a little of damage control. They are like saying "yes, it is our fault" and also "but not really" at the same time. But their strategy appears working pretty well. There is no significant backlash of supporters. They have maintained much of their nice image as far as my observation is concerned. They were able to retain much of their solid clients most probably.

Not sure if this twitter handle was posted before, but you can follow the hacker here: https://twitter.com/BnatovP


From what I've read, seems like the hacker was semi-reasonable, yet binance wasn't willing to play ball.

That guy seems to be gaining followers, maybe I'll start following him also to see if my name is leaked in his tweet, but the way info is posted, it seems like he has more data to show publicly.

How do you think Binance suppose to play with the hacker? Is it right that Binance will just pay the hacker? I think that would not solve the problem, though this is just a piece of information and no money involve, Binance reputation are well affected here, those who sees there names displayed will surely not gonna use the service again.

True, it is a tricky issue and there is no prescribed way to deal with this type of situation. Every situation is unique and demands different.

This reminds me of the data leak from the largest telco in India some years ago - https://www.livemint.com/Industry/ucK2SJDM4Ws8k36ovZVj6H/Reliance-Jio-customer-data-allegedly-compromised-report.html

They didn't play ball, so the hacker just sold it on the dark web.  A small bump in the road for Jio who's reputation for being unscrupulous faaar exceeds any comparatively miniscule reputational damage done by this leak. Today, they have put most other telco's in India out of business.

Binance is getting too big for its own good. Now with their margin and lending products they are making themselves even big of a target and on top of that they are not even catering to their most well paying customers. Us Americans. So if you ask me if the KYC leak was a hack or not? I don't know. But I sure as hell would not like to be one of the victims resulting from such a leak.

But seriously a lifetime VIP? is it really a good compensation over security? They really are not and it seems that the frontline is only involving one person which is consistently posting new Leaked data that he have.

It seems that they are not planning to settle it out until Binance will give them what they want (I am however very skeptical about it)

Why the hell would anyone want to be VIP member of the site that can't handle it's regular members securely?!?! ???

We are an exchange ourselves, and we think exchanges shall never collect KYC info from customers because, hey guys, let's face the uncomfortable reality:

We, as small-to-medium size businesses ( let's admit it guys, even the largest exchanges shall be considered mid-size business by real world standard), are not as sound as government agencies in terms of cyber security and the short history of crypto we have lived through has already proven this point hundreds of times. And, if a hack does occur, we don't have the kind of resources nor the legal authority to track down and arrest hackers and retrieve the lost KYC info.

Collecting KYC info jeopardizes our customers' privacy, and also infringes the original spirits of cryptocurrency. That's why we as a team decide we will never make KYC requirements. Period.

Sadly, some government agencies are making these inconsiderate requests that equally jeopardize their citizens' privacy.