Bitcoin Forum
Author Topic: Coinmarketcap hack leaked 3.1 million emails!  (Read 615 times)
pooya87 (Legendary)
October 25, 2021, 05:10:37 AM  #21

Weird they don't know how the hack occurred (or don't want to say).
Maybe they sold their database to the highest bidders. It certainly wouldn't be the first time someone does this Cheesy
Either way, I'm not sure whether to laugh or cry that there are still people who give their main email address to a website that doesn't need it, since its whole purpose is to provide "data", which they don't even do properly either.

Beparanf (Hero Member)
October 25, 2021, 05:19:30 AM  #22

I received some random mail on the email address that I used on coinmarketcap. The email used is a fresh email that I dedicated when I created my account there. I'm receiving emails with Russian text that have an attached file, and there's the word Bitcoin in the text. I think this is the issue with that spam mail. Glad I didn't open any of it, and until now I'm still receiving emails from different addresses with the same content daily.

I will try to post screenshot here later today once I get to my pc.

o_e_l_e_o (Legendary, In memoriam)
October 25, 2021, 07:51:14 AM  #23
Merited by CryptopreneurBrainboss (1)

> Yes right after buying the ranking sites and who knows what others projects they have taken ownership of.
Exactly. The sites which they own rank themselves as number one. What a surprise! Which exchange is the number one for privacy? Not Binance. What about security of your coins? Also not Binance. Security of your data? Definitely not Binance.

> I have a question about what you should do on an important email. Like it's not replaceable. If this is the route you are going to take, I think you should just be careful on emails, right?
All email accounts are replaceable. What service have you signed up for which doesn't let you replace your email account?

If you have an email account which you really feel is not replaceable, then don't use it for anything else except the bare minimum you must use it for and don't share it with anyone or any service unnecessarily in order to keep it clean and spam-free. Create additional email addresses for everything else.
crwth (Copper Member, Legendary)
October 25, 2021, 09:34:12 AM  #24

> All email accounts are replaceable. What service have you signed up for which doesn't let you replace your email account?
I just assumed that you cannot change the email on some services, but I have not explored all of them. My email used on some bank accounts was compromised a long time ago, and I'm thinking of changing it. I keep on receiving those phishing and scam emails with all the Google Docs and stuff, and it is irritating.

> If you have an email account which you really feel is not replaceable, then don't use it for anything else except the bare minimum you must use it for and don't share it with anyone or any service unnecessarily in order to keep it clean and spam-free. Create additional email addresses for everything else.
I'm actually planning to do it. How do you deal with multiple emails? Is it applicable with ProtonMail? ProtonMail is a good email service, right?

o_e_l_e_o (Legendary, In memoriam)
October 25, 2021, 09:53:43 AM  #25

> I just assumed that you cannot change the email on some services but not explored all.
Emails can be hacked and compromised. All services should allow you to change your registered email address for safety reasons.

> I'm actually planning to do it. How do you deal with multiple emails? Like is it applicable with proton mail? Proton email is a good email service right?
I like ProtonMail, and they certainly have a good reputation for privacy, but you should be aware of the situations in which they may be forced to break some of that privacy, since there was a recent case in which they were forced to comply with Swiss law and hand over IP addresses (but all actual email contents remained encrypted and inaccessible). You'll find other privacy-conscious email providers here:
https://www.privacytools.io/#email
https://prxbx.com/email/

ProtonMail Terms and Conditions limit you to a single free account, so if you want more than one account, you'll need to pay for it. I prefer to use different providers though - if I have an email for personal stuff, an email for banking, an email for social media, and an email for crypto, all with the same provider and I consistently access them all simultaneously or in succession from the same IP address, then it becomes fairly obvious to that provider that they are linked.
crwth (Copper Member, Legendary)
October 25, 2021, 10:04:27 AM  #26

> ProtonMail Terms and Conditions limit you to a single free account, so if you want more than one account, you'll need to pay for it. I prefer to use different providers though - if I have an email for personal stuff, an email for banking, an email for social media, and an email for crypto, all with the same provider and I consistently access them all simultaneously or in succession from the same IP address, then it becomes fairly obvious to that provider that they are linked.
I saw on their site that they have aliases. I think that's one way to have multiple accounts and use them for different services (social media, crypto stuff, banking) and prevent an actual compromise of what your email is, but if they still send you a spam email, won't you still receive it, right?

Do you think it's advisable to use aliasing? With iOS devices, if you have the iCloud+, you have the option to hide your email that forwards it to your main email. Is it safe with that as well?

YOSHIE (Legendary)
October 25, 2021, 10:15:49 AM  #27

> If you have account at Coinmarketcap (that is owned by Binance exchange btw) you should think about changing email address and use new unique password, because of the hack that happened on October 12 that leaked 3,117,548 email addresses!
Uh, damn, I just saw this thread. I have an account on Coinmarketcap; yes, I understand now why lately a lot of messages are not important, aka spam. Yesterday I deleted more than 10 unsubstantiated incoming messages.

I was really busy without seeing this warning; now I changed everything, Gmail and password too. Thanks again to @dkbit98 for creating this thread.

It's a disaster for those who didn't see this thread.

TopTort777 (Legendary)
October 25, 2021, 10:30:01 AM  #28

I have a coinmarketcap account also. The email registered is completely different from those I use for exchanges etc. I haven't started receiving spam emails. But this email has been used for several other services. Should I really be warned of something? What kind of harm can I get, despite receiving spam? We have lots of bounty spreadsheets with emails, Telegram account names, forum names. With simple 2+2 logic lots of things can be linked due to that. This is more dangerous than just an email database leak. Isn't it?

kelonmusk (Member)
October 25, 2021, 10:47:30 AM  #29

My advice: anticipate now by moving all assets stored on the Binance exchange. The CMC email data leak is warning 1, and warning 2 if you ignore it.

> I have a coinmarketcap account also. Email registered is completely different from those I use for exchanges and etc. I havent started receiving spam emails. But, this email has been used for several other services. Should I really be warned of something? What kind of harm can I get, despite receiving spam? We have lots of bounty spreadsheets with emails, telegram account names, forum names. With simple 2+2 logic lots of things can be linked due that. This is more dangerous than just an email data base leak. Isnt it ?
As far as I'm concerned, they fetch the email data on the bounty spreadsheet for individual airdrop promotions only. What's more dangerous is the email you registered on the Binance exchange.

dkbit98 (OP, Legendary)
October 25, 2021, 11:12:17 AM  #30

> In their Twitter account, there's no leak to their server as they said.
I don't really trust anything they say; now even CZ had to write something on Twitter, and we all remember how Binance customer data got leaked and they first denied it.

> A little bit worried because I used my email here in Bitcointalk that linked to Coinmarketcap and I think it needs to change.
It's better to use separate temp and disposable email accounts when registering for Coinmarketcap and other similar websites.
You can also check if your email has been pwned, and I would suggest using another email for the Bitcointalk forum.

> Maybe they sold their database to the highest bidders. It certainly wouldn't be the first time someone does this Cheesy
It's enough to have one pissed ex-employee to do that, and it's true we had similar examples in the past.
They don't even have to sell anything; it's enough that they don't care about the security and safety of their data, so they indirectly allow leaks to happen.

o_e_l_e_o (Legendary, In memoriam)
October 25, 2021, 11:58:44 AM  #31

> I saw on their site that they have aliases
Correct, but those are only for paid accounts. A paid account only costs 0.00076 BTC for a year though, and that gives you 5 different addresses.

> but if they still send you a spam email, won't you still receive it right?
Sure you will, but at least you can have one "disposable" email which you use to sign up for things like CoinMarketCap where you know just to ignore all the emails it receives, and have a separate "important" email which you use for sensitive financial accounts.

> What kind of harm can I get, despite receiving spam?
You could receive phishing emails inviting you to enter your seed phrase to claim an airdrop or altcoin giveaway. You could receive fake emails from exchanges, services, and other platforms, containing links to fake websites which will prompt you for your username and password. You could receive emails with attached clipboard malware, keyloggers, or other malware which they will try to make you download. You could receive emails threatening you with release of some private information unless you pay a ransom. The possibilities are endless, but they all still require you to mess up to fall victim to them.

> It's enough to have one pissed ex employee to do that and it's true we had similar examples in past.
Doesn't even need to be an employee of Binance or CMC. If you look at their Privacy Policy, they share your information with any number of third parties "to contact you about our programs, products, features or services" and "to tailor content, advertisements, and offers for you". When you make an account at CMC, this is what you sign up for: Binance sharing your information with any third parties which will pay them.
NotATether (Legendary)
October 26, 2021, 12:44:17 PM  #32

Just a crazy thought upon reading this thread. What if the haveibeenpwned database has been pwned as well? Subscriber-based type sites are always prone to hacking.

That db would not be useful because it's just a list of compromised email addresses, and a separate list of compromised passwords, without any links in between. The site names are not written into the database AFAIK.

crwth (Copper Member, Legendary)
October 26, 2021, 01:52:32 PM  #33

> Sure you will, but at least you can have one "disposable" email which you use to sign up for things like CoinMarketCap where you know just to ignore all the emails it receives, and have a separate "important" email which you use for sensitive financial accounts.
Oh yeah, I understand now. It's disposable since you could just get rid of it. I will try to take advantage of my subscription with iOS and try the "Hide My Email" feature they are talking about. They automatically assign random numbers and words with it; I guess it would be a great start.



> That db would not be useful because it's just a list of compromised email addresses, and a separate list of compromised passwords, without any links in between. The site names are not written into the database AFAIK.
I think the only thing they could do is just spam those email addresses they are going to get, right? So if I got it correctly, there's nothing to "calculate" or engineer to crack passwords or stuff?

BayAngelo (Member)
October 26, 2021, 05:44:42 PM  #34

OMG. Spam and rubbish mails will be flying now. Many accounts will be hacked, but there is always a solution. Anybody with an account on coinmarketcap should avoid opening emails with attachments. Users should avoid opening or downloading emails with bitcoin attachments. They are likely viruses and will attack your system and steal your details.

CrashCoin_Dev (Newbie)
October 26, 2021, 06:51:13 PM  #35

These things happen all the time; I might be in there.
pooya87 (Legendary)
October 27, 2021, 04:36:28 AM  #36
Merited by vapourminer (2)

> Just a crazy thought upon reading this thread. What if the haveibeenpwned database has been pwned as well? Subscriber-based type sites are always prone to hacking.
>
> That db would not be useful because it's just a list of compromised email addresses, and a separate list of compromised passwords, without any links in between. The site names are not written into the database AFAIK.
If they indeed store it like this, there is still a risk of compromise. Even leaking the email addresses alone is a risk, since they will be spammed.

One easy way of mitigating that would be to store hashes of everything. For example, the database wants to store foo@bar.com, but instead of storing the plaintext it hashes it and stores "0c7e6a405862e402eb76a70f8a26fc732d07c32931e9fae9ab1582911d2e8a3b". When the user searches for that string, it is again hashed in the browser and the hash is sent to the server, which searches for it inside the db. This way, if the db is leaked, all the hacker gets is useless hashes.

Pmalek (Legendary)
October 27, 2021, 08:19:10 AM  #37

> I have a way to create an email without my real name or phone number included, or to use proton mail which is not centralised like others.
Maybe I misunderstood your post, but ProtonMail requires a phone number or a secondary email account when you create a new email address. They will send you a one-time code that you need to copy and paste before the new account is set up. You will have to send this code to an alternative email or via SMS. They will also ask you to enter a second email or phone number in case you need to recover the password for your ProtonMail account. This step can be skipped though.

Oshosondy (Legendary)
October 27, 2021, 03:01:29 PM  #38

> Maybe I misunderstood your post, but ProtonMail requires a phone number or a secondary email account when you create a new email address. They will send you a one-time code that you need to copy and paste before the new account is set up.
I have set up Hotmail accounts times without number without including my phone number; all I do is use a VPN. Later, after two weeks, it will demand a phone number, which will be mandatory after some time has gone by, any time I want to log in, but I think it usually takes two weeks, though I have forgotten. ProtonMail will request an email, but it has been long since I used ProtonMail; still, it is one of my favorites.

Huppercase (Hero Member)
November 01, 2021, 05:35:36 AM  #39

This is why I only browse through most of these web market platforms. I hardly make any registration, despite the airdrops and giveaways used to entice new users to gain traffic.
Now that users' information has been leaked, that's a breach of privacy, but what can you do about it? Just move on and don't make the same mistake of using your main email for registration.

Quickseller (Copper Member, Legendary)
November 01, 2021, 07:03:23 AM  #40


> One easy way of mitigating that would be to store hashes of everything. For example the database wants to store foo@bar.com but instead of storing the plaintext it hashes it and stores "0c7e6a405862e402eb76a70f8a26fc732d07c32931e9fae9ab1582911d2e8a3b". When user searches that string, again they hash it in browser and send the hash to server which will be searched inside db. This way if the db is leaked all the hacker gets is useless hashes.
This is not a good solution that many companies will accept. Most websites want the ability to send marketing emails and hashing the email address in their database will prevent that. Websites may also want to track email domains to watch for spammy domains and blacklist them accordingly.

Further, it would be better to have the information hashed by the server rather than in the browser. This way the server can enforce any restrictions on email addresses. If the hashing is done in the browser, someone could calculate the hash of “foo@bar” (no dot com) and send this hash to the server. The website would have no way of knowing the user is using an invalid email. Similarly, if the password is sent in hashed format, the server would have no way of knowing if it meets complexity requirements. The server should receive the password in plaintext format, run a regex on it to confirm complexity requirements, then hash it before it is sent to the database.

Most importantly, hashing information in the browser means an attacker can trivially login using the hashes of the email and password. If the hashed email addresses and passwords leak, a hacker could send the hashed email and password to the server and access the account. This would be the same as storing passwords in plain text.


If you read the blog post in the OP, you will see that CMC is saying they don’t believe the leaked information came from CMC. They are saying they believe that someone used a list of email/password combinations leaked from other sites, and used these combinations to try to login. When logins were successful, the hacker knew that the email was associated with an account at CMC.
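The two designs argued over above (the hash-everything table from #36 and this reply's server-side hashing) side by side, as an added example that is not code from the thread. The service classes, the `ACCOUNTS` sample data and the server key are constructed for illustration, and the keyed e-mail token and PBKDF2 password hash are standard choices added here, not anything the thread specifies.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample accounts for a hypothetical lookup/login service.
ACCOUNTS = {"foo@bar.com": "correct horse battery", "alice@example.net": "staple-staple-1"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


class ClientHashService:
    """Design A: the browser hashes e-mail and password; the server only compares."""

    def __init__(self):
        # Table holds sha256(email) -> sha256(password), as proposed in the thread.
        self.db = {sha256_hex(e): sha256_hex(p) for e, p in ACCOUNTS.items()}

    def register(self, email_hash: str, password_hash: str) -> bool:
        # The server only ever sees hashes, so it cannot tell whether the address
        # is well-formed or whether the password meets any complexity rule.
        self.db[email_hash] = password_hash
        return True

    def login(self, email_hash: str, password_hash: str) -> bool:
        stored = self.db.get(email_hash)
        return stored is not None and hmac.compare_digest(stored, password_hash)


class ServerHashService:
    """Design B: the server receives plaintext, validates it, then hashes it."""

    def __init__(self, server_key: bytes):
        self.key = server_key
        self.db = {}
        for email, password in ACCOUNTS.items():
            self.register(email, password)

    def email_token(self, email: str) -> str:
        # Keyed hash: deterministic, so the table is still searchable by address,
        # but without the server-side key a leaked table cannot be reversed by
        # hashing guessed addresses (a plain sha256 of an address can be).
        return hmac.new(self.key, email.lower().encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def password_hash(password: str, salt: bytes) -> bytes:
        # Slow, salted password hash, never the raw sha256 a client would send.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    @staticmethod
    def validate(email: str, password: str) -> None:
        if not EMAIL_RE.match(email):
            raise ValueError("invalid e-mail address")  # rejects "foo@bar"
        if len(password) < 12:
            raise ValueError("password too short")

    def register(self, email: str, password: str) -> bool:
        self.validate(email, password)
        salt = secrets.token_bytes(16)
        self.db[self.email_token(email)] = (salt, self.password_hash(password, salt))
        return True

    def login(self, email: str, password: str) -> bool:
        self.validate(email, password)  # a leaked token is not a valid input here
        record = self.db.get(self.email_token(email))
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self.password_hash(password, salt))


def leaked_rows_usable_as_credentials(service: ClientHashService) -> bool:
    """Simulated leak of design A's table: every stored row logs in unchanged."""
    return all(service.login(eh, ph) for eh, ph in dict(service.db).items())


def guessable_addresses(leaked_email_hashes: set, candidates: list) -> list:
    """Unkeyed sha256 of an address is recovered just by hashing a guessed address."""
    return [c for c in candidates if sha256_hex(c) in leaked_email_hashes]
```

Design A's leaked rows log in unchanged and nothing can be validated, while design B rejects "foo@bar" and a leaked token alike because validation runs before any hashing.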