[Warning] 3Commas API keys leaked!

[OmegaStarScream]

If you have any of your exchange's API keys linked to their platform, disable or delete them because it appears they have been leaked and published online[1][2][3] (still to be confirmed).

This comes days after a group of traders reported losing funds[4].

[1] https://twitter.com/tier10k/status/1608186096411725826
[2] https://twitter.com/cz_binance/status/1608182790540902407
[3] https://www.coindesk.com/tech/2022/12/28/anonymous-twitter-user-leaks-alleged-3commas-api-database/
[3] https://twitter.com/zachxbt/status/1605235174970916864/photo/1

[Rikafip]

3Commas just confirmed via Twitter that that API keys indeed leaked. Here's the link to the Twitter thread https://twitter.com/3commas_io/status/1608226169400315904?t=gFBokhA9H62KG0z3EMofzg&s=19

[DaveF]

Not your keys not your coins. Give your API keys out and loose your coins. Seems about right.

But, it's yet another reason not to keep your funds on an exchange. And if for some reason you have to then never ever give anyone else access to it.

API keys sounds so technical and nice. Give us your username & password and use our phone number for your SMS 2FA just does not sound as good and technical.

-Dave

[PX-Z]

All this kind of hack especially for API leak is mostly an inside job, these companies should taken actions on how to prevent any employee have a directly access to these list or the confidential systems/records
And 3commas should take responsibility those users who have been stolen, since it's primarily their fault, in which they blame their users at first.

[DaveF]

Been reading more and more on this, a lot of details are still a bit contradictory. But, it does look like an interesting ripoff / human view kind of thing.

The accounts were targeted a bit at random. They did not go after the 'high value' targets or the most active or anything like that. Those things would just scream hack / data leak.

They went after a bunch of random accounts (and a few big ones) which just. makes it look like something else. If you have access to 100 accounts and only go after 1 in the top 10 and 3 in the top 25 it makes it look a lot less obvious then going after the top 10 and running with the funds

Still, 3Commas should have been more proactive and people should not be using exchanges though other places with API keys. I'm truly impressed that it took this long for something like this to happen.

-Dave

[joniboini]

All this kind of hack especially for API leak is mostly an inside job, these companies should taken actions on how to prevent any employee have a directly access to these list or the confidential systems/records

According to their latest Tweet, it does not seem like an inside job after they did their investigation. But it is unclear if the lack of evidence is the result of no inside job or simply a good job from the cracker to clean their history. Not really a good look at their image after they told their users that they got phished.

Since then they have posted an update here: https://3commas.io/blog/notice-on-api-data-disclosure-incident. Suggesting their users request new keys is definitely not enough to get back the confidence that the API keys are safe since they still can't be sure if the hacker left something and will just leak the new keys. Might as well stop using them for the time being.

[Yogee]

....
Might as well stop using them for the time being.

Just stop using them forever.

They will be sued for sure and that will take a lot of their resources. They will likely lose and settle for millions of dollars to refund all affected users so they may as well stop their operation at that point. Nobody will ever trust them after lying for so long and keep putting the blame on users.

[Husires]

There is something strange that I did not understand in this article. https://3commas.io/blog/notice-on-api-data-disclosure-incident

3Commas recently became aware that some of 3Commas’s users API data (API keys, secrets and passphrases) have been disclosed by a third party.

Is this an appropriate way to describe hacking in similar cases? Or is it closer to what happened with Facebook and Cambridge Analytica, where the company gave the data to a third party, and that third party sold the data.

They denied the possibility that what happened was from an insider but they did not deny the hypothesis that third parties did it.
If this is true, creating new keys will not change anything.

[Rikafip]

According to their latest Tweet, it does not seem like an inside job after they did their investigation. But it is unclear if the lack of evidence is the result of no inside job or simply a good job from the cracker to clean their history. Not really a good look at their image after they told their users that they got phished.

Of course they won't admit that its been an inside job, no one expected anything else from them. Not that is anyone believing them, especially since people warned them about losing money and instead taking those warnings seriously, they instead shifted blame to users and exchanges.

[PX-Z]

According to their latest Tweet, it does not seem like an inside job after they did their investigation. But it is unclear if the lack of evidence is the result of no inside job or simply a good job from the cracker to clean their history. Not really a good look at their image after they told their users that they got phished.

I still doubt its the case, no company will admit that it's one of them, it's mentioned in the article that a third party disclosed/leak the APIs, so what's the third party to be exact? They are now redirecting blames to others instead of being sorry and claim the responsibility and refund their users. Well, its the same ceo who immediately blamed their users for being phished and hacked after reporting the case to them.

[DaveF]

According to their latest Tweet, it does not seem like an inside job after they did their investigation. But it is unclear if the lack of evidence is the result of no inside job or simply a good job from the cracker to clean their history. Not really a good look at their image after they told their users that they got phished.

I still doubt its the case, no company will admit that it's one of them, it's mentioned in the article that a third party disclosed/leak the APIs, so what's the third party to be exact? They are now redirecting blames to others instead of being sorry and claim the responsibility and refund their users. Well, its the same ceo who immediately blamed their users for being phished and hacked after reporting the case to them.

I'll give them that they might not be able to say due to legal issues. Even big places like Gemini did not say who leaked some data from their mailing lists just that it was leaked.
Massive liability issue. If *I know* that I did not leak it but, the only other person who had access was you still saying you did it is dangerous because if it was NOT leaked by you but rather by an undetected hack, or outright theft or..... There could actually be more backlash if they say "A" did it and they were wrong then just saying 'someone else'

I still don't believe it, but I can see the logic behind it.

-Dave