Coinmarketcap hack leaked 3.1 million emails!

[dkbit98]

If you have account at Coinmarketcap (that is owned by Binance exchange btw) you should think about changing email address and use new unique password, because of the hack that happened on October 12 that leaked 3,117,548 email addresses!
Consider that email address you used for CMC account is now compromised, don't be surprised if you start to receive some spam and scam emails, so you should not use it anymore.

Coinmarketcap confirmed that hack happened and today they released blog post claiming that there was no password exploits, but only email addresses and they still don't know exact cause of the hack.
https://coinmarketcap.com/alexandria/article/good-security-habits

Report from haveibeenpwned website:

During October 2021, 3.1 million email addresses with accounts on the cryptocurrency market capitalisation website CoinMarketCap were discovered being traded on hacking forums. Whilst the email addresses were found to correlate with CoinMarketCap accounts, it's unclear precisely how they were obtained. CoinMarketCap has provided the following statement on the data: "CoinMarketCap has become aware that batches of data have shown up online purporting to be a list of user accounts. While the data lists we have seen are only email addresses (no passwords), we have found a correlation with our subscriber base. We have not found any evidence of a data leak from our own servers — we are actively investigating this issue and will update our subscribers as soon as we have any new information."

Breach date: 12 October 2021
Date added to HIBP: 22 October 2021
Compromised accounts: 3,117,548
Compromised data: Email addresses

https://haveibeenpwned.com/PwnedWebsites#CoinMarketCap

[Oshosondy]

I have a way to create an email without my real name or phone number included, or to use proton mail which is not centralised like others. But about Coinmarketcap, I have nothing doing on the site than to check price, I do not have portfolio on the site because I did not want to register even with email, but the site is still accessible without email but many people do not know about this because it will bring up email for login after the app is opened, but can be bypassed. I use it without email, only that I will not be able to track coins and have portfolios which I do not have agenda of having.

[cryptoaddictchie]

I've seen this announcement and luckily I don't use any email for using coinmarketcap instead only using their portfolio version for free without any need of logging in.

I think users must rush changing their details as this could lead to many spams that users might clicked on and become victim of scams links. Thanks for sharing this here OP.

[decodx]

If you have account at Coinmarketcap (that is owned by Binance exchange btw) you should think about changing email address and use new unique password, because of the hack that happened on October 12 that leaked 3,117,548 email addresses!
Consider that email address you used for CMC account is now compromised, don't be surprised if you start to receive some spam and scam emails, so you should not use it anymore.

I can confirm this. My email address was also compromised in the CMC leak. Luckily, I used an email address that has already been pwned in 22 other data breaches so I have no reason to worry. Spam is part of our daily lives. 

Weird they don't know how the hack occurred (or don't want to say).

[lotfiuser]

they said only emails without password im sub to haveibeenpwned and i received the mail today

[o_e_l_e_o]

Another day, another centralized service leaking user information across the internet. Owned by Binance, have no idea how their database was accessed, and unable to confirm or deny if other information was also accessed. Really fills you with confidence!

I suspect we will see scam emails along the lines of "Free airdrops", "Early access NFTs", or other fake promotions from CMC, redirecting users to a site where they need to enter their seed phrase to receive the giveaway. That's the usual process.

[lovesmayfamilis]

they said only emails without password im sub to haveibeenpwned and i received the mail today

Nevertheless, email addresses are already being actively sold on hacker forums. And the most "bored" hackers may be interested in turning on their brute force for password collection. And as a result, the further fate of the hacked mail can be completely unhappy.
You don't need to be a boring teacher who constantly insists that for your own safety, it is better to always create a separate mail for different needs, And this rule is confirmed for the hundredth time.

[Luffygroove]

God, the world (either the real world or the digital world) is not a safe place to live in as long as evil and greedy people still exist. I can confirm that my email was compromised with the CMC leaked. I've already changed the password and all but I can't throw it cause I still need to use it. However, I will be super extra cautious about emails coming and should warn myself not to open them recklessly. It's really frustrating but it's the fact that we should face in our daily life now.

[AdolfinWolf]

This database is actually a goldmine for people who know how to exploit it correctly. Imagine having access to 3.1 million email addresses from people who will sign up for any and every dollar they can get. I reckon a good portion of them will click on whatever you feed them.

God, the world (either the real world or the digital world) is not a safe place to live in as long as evil and greedy people still exist. I can confirm that my email was compromised with the CMC leaked. I've already changed the password and all but I can't throw it cause I still need to use it. However, I will be super extra cautious about emails coming and should warn myself not to open them recklessly. It's really frustrating but it's the fact that we should face in our daily life now.

Should've either used a throw-away when signing up for garbage or used an alias for your main email. Also how exactly is your email compromised? As long as you didn't reuse passwords and your password wasn't super-specific I doubt this will lead to anything. Also that first sentence, ironic?

Nevertheless, email addresses are already being actively sold on hacker forums. And the most "bored" hackers may be interested in turning on their brute force for password collection. And as a result, the further fate of the hacked mail can be completely unhappy.

If you used the same password for your email and CMC account and the password is in a common wordlist to compare the hashes to, else i wouldn't worry too much about that particular issue. Spam is probably going to be your main groove.

[SquirrelJulietGarden]

If you have account at Coinmarketcap (that is owned by Binance exchange btw) you should think about changing email address and use new unique password, because of the hack that happened on October 12 that leaked 3,117,548 email addresses!

How do Binance let a website that is owned and operated by them was hacked like this. It destroys their reputation in this industry.

Binance has hack in the past. Hackers steal over $40 million worth of bitcoin from one of the world’s largest cryptocurrency exchanges and they had KYC leak too

Consider that email address you used for CMC account is now compromised, don't be surprised if you start to receive some spam and scam emails, so you should not use it anymore.

I use one email to register for newsletter and things are not related to my accounts on crypto exchanges.
[Guide] How to know if your email address was part of any data breach. If you ar curious and want to check your email with Haveibeenpwned.com

[o_e_l_e_o]

This database is actually a goldmine for people who know how to exploit it correctly. Imagine having access to 3.1 million email addresses from people who will sign up for any and every dollar they can get. I reckon a good portion of them will click on whatever you feed them.

They also have 3.1 million email addresses of people who are definitely involved in crypto, and almost all of which will have a couple of exchange accounts using the same email address. Now they cross reference those email addresses against database leaks from other services in which passwords were also leaked, and start trying to break in to these emails since far too many people reuse passwords across several (or even all) of their accounts.

How do Binance let a website that is owned and operated by them was hacked like this. It destroys their reputation in this industry.

Binance has hack in the past.

You answered your own question. Most people either won't even know their details have been hacked, or are too clueless to care. Binance have been hacked multiple times in the past as you point out, and yet people continue to flock to them.

[aoluain]

This database is actually a goldmine for people who know how to exploit it correctly. Imagine having access to 3.1 million email addresses from people who will sign up for any and every dollar they can get. I reckon a good portion of them will click on whatever you feed them.

They also have 3.1 million email addresses of people who are definitely involved in crypto, and almost all of which will have a couple of exchange accounts using the same email address. Now they cross reference those email addresses against database leaks from other services in which passwords were also leaked, and start trying to break in to these emails since far too many people reuse passwords across several (or even all) of their accounts.

How do Binance let a website that is owned and operated by them was hacked like this. It destroys their reputation in this industry.

Binance has hack in the past.

You answered your own question. Most people either won't even know their details have been hacked, or are too clueless to care. Binance have been hacked multiple times in the past as you point out, and yet people continue to flock to them.

Thats exactly it and something people dont realise, it might just be a email address but its
another piece of the jigsaw to enable hackers to access more and more of our personal
information and/or online accounts.

Thankfully I dont have a CMC account but I have all my other online crypto accounts changed
to a useless gmail account which I can delete/ignore in future.

[SquirrelJulietGarden]

You answered your own question. Most people either won't even know their details have been hacked, or are too clueless to care. Binance have been hacked multiple times in the past as you point out, and yet people continue to flock to them.

Maybe they believe that Binance will compensate for users if their exchange is hacked. They did it in the past but it is not guarantee that they will do it in the future.

People flock to Binance because the exchange has big trading volume and people can easily to finish their trade. Many coins get good rises after listing on Binance and it can be one of other reasons people flock to Binance.

[o_e_l_e_o]

Maybe they believe that Binance will compensate for users if their exchange is hacked. They did it in the past but it is not guarantee that they will do it in the future.

Compensating people for coins which are lost is one thing. Compensating people for information which is stolen is impossible. Are Binance going to pay your legal fees when you have to defend yourself in court for insurance fraud you didn't commit because someone stole your identity? Are Binance going to pay your bank for the $50,000 in loans someone else took out against your name? Are Binance going make things right when you are turned down for a mortgage or a car because your credit score is shot because of a bunch of credit cards you never opened? I don't think so.

We have seen time and again that being large, reputable, well known, having large numbers of customers, having large trading volumes, having a wide selection of coins, etc., all means next to nothing when it comes to security. Pretty much every large exchange has leaked or sold customer data on more than one occasion. The only safe KYC is no KYC at all, and yet most people are more than happy to send all the information needed to steal their identity to a variety of complete strangers.

[sheenshane]

they said only emails without password im sub to haveibeenpwned and i received the mail today

Upon reading this thread I quickly checked my email account and it seems I didn't receive any, can you quote it here what you've received or how to determine that your email account associated with Coinmarketcap has been leaked or compromised?

In their Twitter account, there's no leak to their server as they said.

"You may have seen some information online about CoinMarketCap emails — we want to assure our users that there has been no leak from our own servers."

There's no really safe on the internet and everything is vulnerable to hacking, it's a good thing they announced that they didn't have been hacked.
A little bit worried because I used my email here in Bitcointalk that linked to Coinmarketcap and I think it needs to change.

[CryptocurencyKing]

You answered your own question. Most people either won't even know their details have been hacked, or are too clueless to care. Binance have been hacked multiple times in the past as you point out, and yet people continue to flock to them.

Maybe they believe that Binance will compensate for users if their exchange is hacked. They did it in the past but it is not guarantee that they will do it in the future.

People flock to Binance because the exchange has big trading volume and people can easily to finish their trade. Many coins get good rises after listing on Binance and it can be one of other reasons people flock to Binance.

Well, Binance seems to occupy the number one spot on ranking of exchanges and these comes with some sentiments of being best and most secured even though, they might have been hacked a few times. The position they occupy seems to inspire some level of trust amongst users and the possible refund of stolen coins is another addition.

Though, this doesn't apply to stolen information  or privacy details and like o_e_l_e_o stated, a lot could be donne with your stolen information not excluding taking of loans and defrauding people. Even if the leak has it's origin from Binance or coinmarketcap leak, it cannot be proved conclusively and as such, the company won't take responsibility for damages cost.

[CryptopreneurBrainboss]

Well, Binance seems to occupy the number one spot on ranking of exchanges and these comes with some sentiments of being best and most secured even

Yes right after buying the ranking sites and who knows what others projects they have taken ownership of. If I'm not mistaking Binance wasn't on the top of the list when it comes to exchanges before they acquired Coinmarketcap. I'm not trying to take anything away from the progress of the exchange but just know when you control the system, you can't be 100% trusted. They'll do anything to keep the trust of the community including lieing to their customers.

Binance owns Coinmarketcap and due to the airdrops and other promotions ongoing, individual probably have email linked between both platform. I remember seeing an airdrop ones on the site (coinmarketcap) that caught my interest and when I tried registering I was asked for my Binance ID which also means this information could also be compromised but they won't disclosed that. They'll always want you to believe your information and funds are safe with them but they aren't.

[robelneo]

I'm not using Coinmarketcap and I don't have an account here but I do have an account on Coingecko, but this is a warning for me to change my
email on Coingecko if they can do it on Coinmarketcap they can do it to other market aggregators, this is a big blow for Binance they are running the Coinmarketcap site and people trust them for their security set up, let's see now if they can catch these hackers.

[tranthidung]

A little bit worried because I used my email here in Bitcointalk that linked to Coinmarketcap and I think it needs to change.

Please make sure you stake your message for your account in Stake your Bitcoin address here. It is as same as with email, to be safe, just in case, you should use an empty wallet with a single address that is used for staking.

About email, I agreed with @Lucius and I recommended too, use different emails for different use cases. If you one email for all purposes, it is too risky.

I'm not using Coinmarketcap and I don't have an account here but I do have an account on Coingecko, but this is a warning for me to change my
email on Coingecko if they can do it on Coinmarketcap they can do it to other market aggregators, this is a big blow for Binance they are running the Coinmarketcap site and people trust them for their security set up, let's see now if they can catch these hackers.

As said, use an important email for registration on any website you want AND make sure you use a different password for different email too.

Don't send back and forth emails between yours because it will create connections between your emails.

[crwth]

Just a crazy thought upon reading this thread. What if the haveibeenpwned database has been pwned as well? Subscriber-based type sites are always prone to hacking.

Anyway, it's crazy that a lot of hackers are finding ways to get information from certain websites. Imagine how much more could they do if they can get it from CMC. What else right? It's just a matter of time that there are more breaches to even more famous sites.


I have a question about what you should do on an important email. Like it's not replaceable. If this is the route you are going to take, I think you should just be careful on emails, right?