DdmrDdmr
Legendary
Offline
Activity: 2492
Merit: 11050
There are lies, damned lies and statistics. MTwain
> <…> If you read the blog post in the OP, you will see that CMC is saying they don’t believe the leaked information came from CMC. They are saying they believe that someone used a list of email/password combinations leaked from other sites, and used these combinations to try to login. When logins were successful, the hacker knew that the email was associated with an account at CMC.

Nevertheless, 3.1M leaked records seems like a massive figure to be produced by using the hypothesis they provide, especially if passwords were involved to ensure valid logins (which they could probably validate through their logs and by searching for patterns within the login times and attempts). At some point, they did put special care in the wording to state that: "You may have seen some information online about CoinMarketCap emails — we want to assure our users that there has been no leak from our own servers." (see: https://twitter.com/CoinMarketCap/status/1451813671961833473)

The "our own servers" seems like a deliberate, careful choice of words, to cast a shadow on any third-party provider that has access to the information for, let’s say, marketing purposes (see https://coinmarketcap.com/privacy/). This would also play along with there being no passwords in the leak.
Quickseller
Copper Member
Legendary
Offline
Activity: 2996
Merit: 2374
November 01, 2021, 01:58:07 PM
> <…> If you read the blog post in the OP, you will see that CMC is saying they don’t believe the leaked information came from CMC. They are saying they believe that someone used a list of email/password combinations leaked from other sites, and used these combinations to try to login. When logins were successful, the hacker knew that the email was associated with an account at CMC.
>
> Nevertheless, 3.1M leaked records seems like a massive figure to be produced by using the hypothesis they provide, especially if passwords were involved to ensure valid logins (which they could probably validate through their logs and by searching for patterns within the login times and attempts). At some point, they did put special care in the wording to state that: "You may have seen some information online about CoinMarketCap emails — we want to assure our users that there has been no leak from our own servers." (see: https://twitter.com/CoinMarketCap/status/1451813671961833473)
>
> The "our own servers" seems like a deliberate, careful choice of words, to cast a shadow on any third-party provider that has access to the information for, let’s say, marketing purposes (see https://coinmarketcap.com/privacy/). This would also play along with there being no passwords in the leak.

Well they can only investigate what they have access to. They have stated they completed a security audit and found no leaks from their own servers. They can't do the same for any of their vendors. I would presume they would keep track of information shared with their various vendors, and if the list of leaked email addresses matched what was shared with that vendor, they would be able to blame that vendor. If the list of emails exceeds what they shared with any one vendor, it should be reasonable to say the leak did not come from any of their vendors.

Given that CMC accounts really don't contain much valuable information, it might not be unreasonable to think they are not employing sophisticated detection systems to try to detect unauthorized logins. I would presume that someone logging into 3.1 million accounts would not do so from a single IP address, and a project of this scale would likely have been done over time, and using many IP addresses. CMC claims to "reach" hundreds of millions of users every year, so 3.1 million email addresses would likely be a small subset of all the email addresses in their database.

They also probably want to be careful to not acknowledge the email list is valid. Doing so would implicitly acknowledge that any email address on the list is an email address associated with a CMC account.
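Quickseller's point above, that 3.1 million login attempts would be spread over time and over many IP addresses, is exactly why a per-IP velocity rule on its own misses credential stuffing. The following is an added example, written for this page and not code from the thread or from CMC: a small Python detector run over constructed authentication log lines. It applies both a per-source rule (one IP, many accounts, mostly failures) and a population rule for the distributed case (one window with far more failures than the preceding baseline, spread almost one attempt per IP). The log line format, the sample lines, the field names and the thresholds are all assumptions made for the example.

```python
"""Credential-stuffing signals over authentication logs (added example).

Two checks: a per-source rule (one IP trying many accounts and mostly failing)
and a population rule for the distributed case (many IPs, about one account
each, failures far above the preceding baseline), which a per-IP rule misses.
The log line format, the sample lines and the thresholds are assumptions for
this example; they are not CMC's.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """One auth log line -> event dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "ip": m["ip"], "user": m["user"].lower(),
            "ok": m["result"] == "ok"}


def per_ip_stuffing(events, min_accounts=5, min_fail_ratio=0.8):
    """Source IPs that tried at least min_accounts distinct accounts and failed
    at least min_fail_ratio of the time: the single-source stuffing pattern."""
    by_ip = defaultdict(lambda: {"users": set(), "n": 0, "fail": 0})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["n"] += 1
        s["fail"] += 0 if e["ok"] else 1
    return sorted(ip for ip, s in by_ip.items()
                  if len(s["users"]) >= min_accounts
                  and s["fail"] / s["n"] >= min_fail_ratio)


def window_stats(events, window_s=3600):
    """Per fixed window: attempts, failures, distinct IPs, distinct accounts.
    Windows with no events are simply absent."""
    buckets = defaultdict(lambda: {"n": 0, "fail": 0, "ips": set(), "users": set()})
    for e in events:
        key = int(e["ts"].timestamp()) // window_s * window_s
        b = buckets[key]
        b["n"] += 1
        b["fail"] += 0 if e["ok"] else 1
        b["ips"].add(e["ip"])
        b["users"].add(e["user"])
    return dict(sorted(buckets.items()))


def distributed_stuffing(events, window_s=3600, baseline_windows=3,
                         fail_multiplier=5.0, min_attempts=20, min_spread=0.8):
    """Windows whose failure count exceeds fail_multiplier times the mean of the
    preceding baseline_windows AND whose attempts are spread across sources
    (distinct IPs / attempts >= min_spread). Returns ISO window start times."""
    stats = window_stats(events, window_s)
    keys = list(stats)
    flagged = []
    for i in range(baseline_windows, len(keys)):
        base = sum(stats[k]["fail"] for k in keys[i - baseline_windows:i]) / baseline_windows
        b = stats[keys[i]]
        spread = len(b["ips"]) / b["n"]
        if (b["n"] >= min_attempts
                and b["fail"] > max(base, 1.0) * fail_multiplier
                and spread >= min_spread):
            flagged.append(datetime.fromtimestamp(keys[i], timezone.utc).isoformat())
    return flagged


def build_sample_lines():
    """Constructed sample log: 3 quiet hours, then a distributed stuffing hour
    (30 IPs, 30 accounts, 2 successful logins), then one noisy IP trying 8
    accounts, then a line that does not parse."""
    lines = []
    for h in range(3):
        for i in range(4):
            res = "fail" if i == 3 else "ok"
            lines.append(f"2021-10-12T0{h}:1{i}:00Z ip=198.51.100.{i} "
                         f"user=user{i}@example.com result={res}")
    for i in range(30):
        res = "ok" if i in (4, 17) else "fail"
        lines.append(f"2021-10-12T03:{i:02d}:00Z ip=203.0.113.{i} "
                     f"user=victim{i}@example.com result={res}")
    for i in range(8):
        lines.append(f"2021-10-12T04:0{i}:00Z ip=192.0.2.9 "
                     f"user=target{i}@example.com result=fail")
    lines.append("this line is garbage and must be skipped")
    return lines


def analyse(lines):
    events = [e for e in map(parse_line, lines) if e]
    return {"per_ip": per_ip_stuffing(events),
            "distributed": distributed_stuffing(events)}


if __name__ == "__main__":
    print(analyse(build_sample_lines()))
```

On the constructed sample the per-IP rule flags only 192.0.2.9 (eight accounts, all failures) and says nothing about the thirty attacker IPs that each tried a single account; the window rule flags the 03:00 hour, where 28 failures against a baseline of one per hour arrive one attempt per source. Real deployments would add the same spread check over user-agent and ASN, and would baseline on far more than three windows.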
BitcoinGirl.Club
Legendary
Offline
Activity: 2954
Merit: 2785
Bitcoingirl 2 joined us 💓
November 01, 2021, 02:09:50 PM
> Consider that the email address you used for your CMC account is now compromised, don't be surprised if you start to receive some spam and scam emails, so you should not use it anymore.

This gives me the answer about an old email I used: I received an email from a startup to look into their project and become a first-hand investor LOL

PS: I did not know CMC is owned by Binance. CZ is doing everything to monopolize the crypto niche. Not good.

> Another day, another centralized service leaking user information across the internet. Owned by Binance, have no idea how their database was accessed, and unable to confirm or deny if other information was also accessed. Really fills you with confidence!

What else is owned by CZ? Get ready to get that hacked too 😉

Fun aside, it's the risk we always take when we deal with a centralized database.
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18746
November 01, 2021, 04:08:46 PM
> Well they can only investigate what they have access to. They have stated they completed a security audit and found no leaks from their own servers. They can't do the same for any of their vendors.

That doesn't make them any less responsible. It is their responsibility to vet the parties they deal with and to ensure their security is up to scratch, and it is their responsibility to investigate if one of them has leaked data. If you give me $1000 to keep safe for you, and I give it to a drug addict who then blows it all on drugs, I can't shrug my shoulders and say "Well, I didn't lose it."

It is too much of a coincidence that a database of 3.1 million emails matches exactly with 3.1 million CMC accounts. If they didn't leak it, then someone they gave it to did.

> What else is owned by CZ?

Trust Wallet. Also they have so much influence over it and have embedded so many things into it, that Brave Browser is essentially owned by them too.
Quickseller
Copper Member
Legendary
Offline
Activity: 2996
Merit: 2374
November 01, 2021, 04:56:15 PM
>> Well they can only investigate what they have access to. They have stated they completed a security audit and found no leaks from their own servers. They can't do the same for any of their vendors.
>
> That doesn't make them any less responsible. It is their responsibility to vet the parties they deal with and to ensure their security is up to scratch, and it is their responsibility to investigate if one of them has leaked data. If you give me $1000 to keep safe for you, and I give it to a drug addict who then blows it all on drugs, I can't shrug my shoulders and say "Well, I didn't lose it." It is too much of a coincidence that a database of 3.1 million emails matches exactly with 3.1 million CMC accounts. If they didn't leak it, then someone they gave it to did.

See the blog post that is linked in the OP, and my first post in this thread. I was not defending CMC for leaking the emails via their vendor. I was responding to DdmrDdmr, who was suggesting that CMC's statement implies the leak could have come from one of their vendors. I was noting that CMC has no way to do a security audit to confirm the list did not come from one of their vendors.

CMC is saying that someone found a list (or lists) of email addresses and passwords, and attempted to use those email/password combinations (from other website(s)) to login to CMC, and if they were able to login, they knew the email address was one associated with a CMC account.

When bitcointalk was hacked, usernames, email addresses and password hashes were leaked. If someone were to use the leaked information to try to login to Coinbase accounts that use the same email address and password combination, and subsequently publish a list of email addresses associated with Coinbase accounts, it would not mean that Coinbase was hacked. Someone could have used the leaked information from the forum, and leaked information from other bitcoin-related websites.
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18746
November 01, 2021, 08:36:07 PM
> I was noting that CMC has no way to do a security audit to confirm the list did not come from one of their vendors.

Sure they do. Just hire an independent third party to go and audit everyone that they share your data with. I'm sure it would be expensive since they probably share your data with dozens of third parties, but it's not impossible by any means.

> CMC is saying that someone found a list (or lists) of email addresses and passwords, and attempted to use those email/password combinations (from other website(s)) to login to CMC, and if they were able to login, they knew the email address was one associated with a CMC account.

And I don't buy that for a second. If you are to believe that story, then you believe someone tried millions of username/password combinations (many more than the 3.1 million which were found to be valid) to break into CMC accounts... for what? To see what coins everyone was watching? But they didn't break into any exchange accounts, or web wallets, or casinos, or anything with value? Or even the email addresses themselves?
DdmrDdmr
Legendary
Offline
Activity: 2492
Merit: 11050
There are lies, damned lies and statistics. MTwain
November 01, 2021, 09:01:55 PM
I’ve been searching around, and found the alleged 3,1 M database on a given place where it was loaded as a freebie on 13/10/2021. It includes just emails, as we knew. Now the weird thing is that someone also uploaded a file on 24/10/2021 with 2,3 M pairs of alleged logins/passwords from CMC, also for free. Not much explanation is provided alongside.

I took a brief ethical look, and found that this latter file with 2,3 M records really has only 745 K different emails. The file has many entries with multiple passwords per email, thus only rendering 745 K distinct emails. I crossed it with the 3,1 M record database, and 740 K emails coincided. I tried a couple of dozen random email/pwd combinations (of those with unique entries in the pwd file), and only one logged in. The others were either not CMC emails, or had already changed their email.

Now this leaves me a bit more puzzled. There is no explanation of how and when this login/pwd file was compiled. It could be a prior breach, or a compilation of crypto-related credentials, branded as CMC-related by someone at some point for some reason.

The fact that many emails have multiple passwords can only be justified by it being a compilation, or derived from some log or historical archive of password changes. Nevertheless, the low successful login ratio from my test seems to point to it being non-current or non-specific to CMC. I cannot really tell, and Tor login attempts are painstakingly long to try out.

The fact that the emails largely do coincide with the CMC 3,1 M file, albeit only for 740 K of the records, points to a relation between the two files, but I still cannot attest to whether they are legit CMC in origin, or a compilation.

Having said that, CMC can easily know what’s what, and they can and should be more transparent about the nature of the 3,1 M file, and more specifically at this stage, the degree of coincidence with the CMC database. Not disclosing this seems of no real benefit other than to speculation itself.
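The counting DdmrDdmr describes above (distinct emails in each file, emails carrying several passwords, and the overlap between the two) is the kind of cross-reference worth scripting rather than eyeballing, mainly because case and whitespace differences between files silently inflate or deflate every one of those numbers. The following is an added example written for this page, not DdmrDdmr's own script; the two "files" are a handful of constructed lines, not records from any real dump, and the email:password format with a colon separator is an assumption.

```python
"""Cross-referencing two alleged dump files (added example).

Normalises emails, counts distinct emails in an email-only list and in an
email:password list, counts emails that carry several passwords, and measures
the overlap between the two. The sample lines below are constructed for this
example and are not from any real dump.
"""
from collections import defaultdict


def normalize_email(raw):
    """Lower-case and strip; return None for things that are not an address.
    Case-folding matters: 'Bob@Example.com' and 'bob@example.com' are one user."""
    e = raw.strip().lower()
    return e if "@" in e and " " not in e else None


def parse_pairs(lines, sep=":"):
    """email:password lines -> {email: set(passwords)} plus a count of lines
    that did not parse. Only the first separator splits, so passwords that
    themselves contain ':' survive intact."""
    creds = defaultdict(set)
    malformed = 0
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        email, found, password = line.partition(sep)
        email = normalize_email(email)
        if not found or email is None:
            malformed += 1
            continue
        creds[email].add(password)
    return creds, malformed


def summarize(email_list_lines, pair_lines):
    """The numbers a cross-reference of the two files should report."""
    emails = {e for e in map(normalize_email, email_list_lines) if e}
    creds, malformed = parse_pairs(pair_lines)
    overlap = emails & set(creds)
    return {
        "distinct_emails_in_list": len(emails),
        "distinct_pairs": sum(len(p) for p in creds.values()),
        "distinct_emails_in_pairs": len(creds),
        "emails_with_multiple_passwords": sum(1 for p in creds.values() if len(p) > 1),
        "overlap": len(overlap),
        "overlap_ratio": round(len(overlap) / len(creds), 3) if creds else 0.0,
        "malformed_pair_lines": malformed,
    }


# Constructed sample input (not real data).
EMAIL_LIST = [
    "alice@example.com", "Bob@Example.com", "carol@example.net",
    "dave@example.org", "bob@example.com", "not an address",
]
PAIR_LINES = [
    "alice@example.com:hunter2",
    "ALICE@example.com:hunter2",       # same user, same password, different case
    "alice@example.com:Hunter2!",      # same user, second password
    "bob@example.com:pass:with:colons",
    "erin@example.com:qwerty",         # not in the email-only list
    "garbage line without separator",
    "",
    "carol@example.net:letmein",
]

if __name__ == "__main__":
    for key, value in summarize(EMAIL_LIST, PAIR_LINES).items():
        print(f"{key}: {value}")
```

Two things the numbers alone do not tell you, and which this script deliberately reports: how many lines were malformed (a high count usually means the separator guess is wrong, not that the file is junk), and how many distinct pairs survive once case duplicates collapse, which is the honest denominator for any "N million credentials" headline.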
Quickseller
Copper Member
Legendary
Offline
Activity: 2996
Merit: 2374
November 01, 2021, 11:22:52 PM
>> I was noting that CMC has no way to do a security audit to confirm the list did not come from one of their vendors.
>
> Sure they do. Just hire an independent third party to go and audit everyone that they share your data with. I'm sure it would be expensive since they probably share your data with dozens of third parties, but it's not impossible by any means.

If they have not shared the entire list of emails with any one third party vendor, they can reasonably rule out the data coming from any vendor. I also don’t know that CMC would have the ability to force their vendors to be subject to intrusive audits by another third party, when they never even had access to the data that was leaked.

>> CMC is saying that someone found a list (or lists) of email addresses and passwords, and attempted to use those email/password combinations (from other website(s)) to login to CMC, and if they were able to login, they knew the email address was one associated with a CMC account.
>
> And I don't buy that for a second. If you are to believe that story, then you believe someone tried millions of username/password combinations (many more than the 3.1 million which were found to be valid) to break into CMC accounts... for what? To see what coins everyone was watching? But they didn't break into any exchange accounts, or web wallets, or casinos, or anything with value? Or even the email addresses themselves?

I presume the list was either sold by someone who did this, or that person(s) tried to sell it. Or they could have been trying to get credibility/reputation of some sort. They would have obviously automated the testing, so it’s not like there was one person trying millions of email/PW combinations. I noted elsewhere that it is unusual for only emails to leak in a data breach.

I don’t think anyone has alleged that passwords were leaked from CMC. I think it would be very strange for someone to steal passwords, publish that email addresses were leaked, then publish both emails and passwords without any explanation. It is a best practice to not disclose specific security measures you are taking so adversaries can’t easily see holes in your security. But I would not be surprised if CMC at the very least forced users who were affected to reset their password via email the next time they logged in to CMC, if they didn’t proactively email those affected suggesting they change their passwords. I would also assume that many of the emails in question are receiving a decent amount of malicious emails from people trying to take advantage of the fact that the emails in question are associated with someone involved in crypto. The uptick in these types of emails might get people to change their passwords.
libert19
November 02, 2021, 05:06:39 AM
Maybe it's only me, but I wouldn't stop using my email and move all that stuff to another one just because it's prone to spam/phishing now.
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18746
November 02, 2021, 09:01:21 AM
> If they have not shared the entire list of emails with any one third party vendor, they can reasonably rule out the data coming from any vendor.

So come out and say that, instead of this deliberately vague "no leak from our own servers" nonsense. This is the same kind of nonsense they pulled during the KYC leak Binance experienced back in 2019. They called it a "false leak", and their statement said "At the present time, no evidence has been supplied that indicates any KYC images have been obtained from Binance". (Emphasis mine). Just as with this hack, that statement is true but deliberately worded to obfuscate things - data was not obtained from Binance, just as it has not been obtained from CMC. And as we all know with the Binance leak, it was some sketchy third party that they sent the data to who ended up being the culprit. And just as they were responsible for that KYC leak from a third party, they are responsible for this email leak from a third party.

> I also don’t know that CMC would have the ability to force their vendors to be subject to intrusive audits by another third party, when they never even had access to the data that was leaked.

Binance have a responsibility to protect your data, and that includes checking the security practices of the third parties they share your data with. If a third party is unwilling to demonstrate their security is up to scratch, then why the hell are Binance sending your data to them? This is just negligent.
pakhitheboss
November 02, 2021, 10:19:06 AM
The majority of email addresses will be of airdrop participants. They are smart people; most of them would have created an email address just for airdrops. They are already getting tons of spam emails, so they will be least bothered. Furthermore, it is better to check CoinGecko than CMC.
BitcoinGirl.Club
Legendary
Offline
Activity: 2954
Merit: 2785
Bitcoingirl 2 joined us 💓
November 02, 2021, 01:44:56 PM
>> What else is owned by CZ?
>
> Trust Wallet. Also they have so much influence over it and have embedded so many things into it, that Brave Browser is essentially owned by them too.

So big names in crypto eventually are selling their business to CZ, and eventually some day we will see CZ controlling the industry. CZ will be no different from the Google and Facebook owners.

> I recommend that you familiarize yourself with services similar in functionality:
> - CoinGecko
> - Cryptorank

This is a good idea. Diversification is very important. If you let one person own everything in the market, then eventually you are allowing a monopoly business model. And monopoly does not bring good things to the industry.
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18746
November 02, 2021, 01:51:15 PM
> CZ will be no different from the Google and Facebook owners.

Pretty much. Centralized exchanges have been rapidly discovering that while they can obviously make some nice profits from charging ridiculous trading and withdrawal fees (which I still can't understand why people seem happy to put up with), the real money is to be made with information and data. It's the same reason why Facebook sell things like the Oculus at a loss and Google practically give away Google Home devices. They don't care about making profit with these things; they care about having them in your home, care about you using them and linking up all your accounts, and care about collecting your data. Coinbase went as far as to create their own blockchain analysis department, which they contract out to anyone who will pay, including multi-million dollar contracts to various governments and their agencies, including the CIA, FBI, DEA, and IRS. Binance bought out CMC to gather data on all its users, and have inserted their code and software all over Brave Browser to track its users too. Your data is far more valuable to these companies than the fees you are paying them.
JustinSun11
Jr. Member
Offline
Activity: 31
Merit: 1
November 02, 2021, 02:02:49 PM
There are many exchanges that share your data with many other exchanges and networks. This is not a new thing; it has been happening, of course, whether in front of your eyes or behind them. The emails that come from many other companies come because you must have registered somewhere, and they have sold your data to some other project so that it can promote itself. In today's time there is no such thing as privacy. Facebook has so much of your data that it can force you to think whatever they want. In the long run, big companies think that they will rule the world. In front will be the government, and behind it the decision makers will be the people of these companies. Everywhere they will make laws that suit them, so that no one could challenge them even legally.
dimonstration
November 02, 2021, 02:08:52 PM
> The majority of email addresses will be of airdrop participants. They are smart people; most of them would have created an email address just for airdrops. They are already getting tons of spam emails, so they will be least bothered. Furthermore, it is better to check CoinGecko than CMC.

Yeah, the majority, but there are maybe 100k or more crypto newbies using their own email to get official updates from CoinMarketCap. I have a friend who uses his personal email on CoinMarketCap because he wants to receive news from it as soon as possible, so he preferred the personal email that he always checks. The good thing is I already briefed him about all the dangers of using a personal email and what he should expect.
BitcoinGirl.Club
Legendary
Offline
Activity: 2954
Merit: 2785
Bitcoingirl 2 joined us 💓
November 02, 2021, 05:03:14 PM
Agree with everything o_e_l_e_o said.

> Your data is far more valuable to these companies than the fees you are paying them.

This is the era of information. Random information will not make any sense, but the agencies and companies that know how to analyse the same information and monetize it are dominating the industry. Facebook understood it; Google realized it even before the creation of Facebook. I think Google started knowing that they needed to collect the data to build their project, where Facebook started just to have fun, but once they became big and needed funding they realized the data they had was their asset.

Anyway, I think we are moving off-topic. Let's see how it affects CMC users and the community. I already received two emails from random sources. Usually I just delete them.
ShowOff
Legendary
Offline
Activity: 2786
Merit: 1197
November 02, 2021, 08:07:51 PM
There's no real safety on the internet and everything is vulnerable to hacking; it's a good thing they announced that they have not been hacked. I'm a little bit worried because the email I use here on Bitcointalk is linked to CoinMarketCap, and I think it needs to change. If you really care about security while on the internet, then make sure you sign up with a different email on each platform you want to visit. I use different emails for my forum account, trading account and other platform accounts. This is just a suggestion, but it might be useful. The failure of a platform in terms of securing the database is actually not our fault; they have to be responsible for their customer data, but users are advised to consider all the risks that arise on the internet, and one of them is hacking. So keeping yourself, your account and your assets safe is very important.
Myleschetty
Member
Offline
Activity: 1191
Merit: 78
November 03, 2021, 12:00:26 AM
The issue of the CoinMarketCap leaked emails explains the reason why I am getting some weird mail lately; below is the screenshot. But I don't know if you guys have noticed that almost every platform owned by CZ is having a problem these days, one way or the other, because binance.com was said to have a large backlog issue today.
pooya87
Legendary
Offline
Activity: 3626
Merit: 11029
Crypto Swap Exchange
November 03, 2021, 05:58:07 AM
> ~

If you read the comment chain you can see I was talking about the "haveibeenpwned" website and their database. Users don't log into that site; they just search their email to see if it was leaked (pwned). And the discussion was about the haveibeenpwned database being "pwned" itself, which I said could be prevented by only storing and requiring hashes to search.
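pooya87's suggestion above, a lookup service that stores only hashes and accepts only hashes as queries, is worth seeing in code because the obvious version (client sends the full hash) still tells the service exactly which address was searched. The following is an added example written for this page, not pooya87's design and not Have I Been Pwned's code: it goes one step beyond the post by using the prefix range query that Have I Been Pwned's Pwned Passwords API uses (client sends the first five hex characters of a SHA-1, receives every suffix in that bucket, matches locally), applied here to email addresses. It also shows the caveat a practitioner would want: an unsalted hash of a guessable identifier such as an email is trivially reversed against a candidate list, so hashing protects the query far better than it protects the stored database. All addresses and the five-character prefix length are assumptions for the example.

```python
"""Hash-only breach lookup with a prefix range query (added example).

The server keeps only SHA-1 hashes of breached addresses, bucketed by the
first PREFIX_LEN hex characters. The client never sends its address or its
full hash; it sends the prefix, receives every suffix in that bucket and
matches locally (the k-anonymity range scheme Have I Been Pwned uses for
Pwned Passwords, applied to emails). brute_force shows the limit of "just
store hashes": an unsalted hash of a guessable identifier is reversed by
hashing a candidate list. All addresses below are made up.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5
HEX = set("0123456789ABCDEF")


def email_hash(email):
    """SHA-1 of the normalised (trimmed, lower-cased) address, upper-case hex."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Server side: holds hash suffixes keyed by prefix, never plain addresses."""

    def __init__(self, breached_emails):
        self._by_prefix = defaultdict(set)
        for e in breached_emails:
            h = email_hash(e)
            self._by_prefix[h[:PREFIX_LEN]].add(h[PREFIX_LEN:])

    def range_query(self, prefix):
        """Return every stored suffix for a prefix. Rejects anything that is
        not exactly PREFIX_LEN upper-case hex characters, so a client cannot
        widen or narrow the bucket."""
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX:
            raise ValueError(f"prefix must be {PREFIX_LEN} upper-case hex chars")
        return sorted(self._by_prefix.get(prefix, ()))


def client_check(index, email):
    """Client side: only the prefix leaves the client; matching is local."""
    h = email_hash(email)
    return h[PREFIX_LEN:] in index.range_query(h[:PREFIX_LEN])


def brute_force(target_hash, candidate_emails):
    """Reverse an unsalted hash by enumerating candidates; returns the
    matching address or None. Cheap because the identifier space is small."""
    for c in candidate_emails:
        if email_hash(c) == target_hash:
            return c.strip().lower()
    return None


# Constructed sample data.
BREACHED = ["alice@example.com", "Bob@Example.com", "carol@example.net"]
CANDIDATES = ["mallory@example.com", "bob@example.com", "alice@example.com"]

if __name__ == "__main__":
    idx = BreachIndex(BREACHED)
    for e in ("alice@example.com", "BOB@example.com", "zed@example.org"):
        print(e, "breached" if client_check(idx, e) else "not found")
    print("reversed:", brute_force(email_hash("alice@example.com"), CANDIDATES))
```

With a five-character prefix the server learns only which of 16^5 buckets the query fell in, and with a real-world sized index every bucket holds many suffixes, which is what gives the query its anonymity. The brute_force call makes the other half of the point: if the stored hashes leak, anyone holding a list of likely addresses (such as the 3.1M list discussed in this thread) recovers the matches in one pass, so a hash-only store is not a substitute for access control on the database itself.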
Quickseller
Copper Member
Legendary
Offline
Activity: 2996
Merit: 2374
November 03, 2021, 11:22:12 AM
>> ~
>
> If you read the comment chain you can see I was talking about the "haveibeenpwned" website and their database. Users don't log into that site; they just search their email to see if it was leaked (pwned). And the discussion was about the haveibeenpwned database being "pwned" itself, which I said could be prevented by only storing and requiring hashes to search.

haveibeenpwned gets their information from various leaks of data. When haveibeenpwned says that a password was leaked, it means they were able to find a leak that contains a password. If haveibeenpwned is able to locate a list of stolen information, it means that someone else can also locate the same information if they know where to look. Someone hacking the haveibeenpwned database would largely be pointless because the information is already public.

CMC's obligations regarding their customers' data can be found in their privacy policy. If someone does not like the terms of their privacy policy, they can ask CMC to change the term they do not like; however, until and unless CMC changes the policy, the policy as currently written lays out their obligations.

I am also not sure there is sufficient evidence to suggest that the leaked images came from Binance or any of their vendors. Binance says that it adds a digital watermark to images it receives for KYC purposes, and the leaked images do not contain that watermark. Binance also said at the time that many of the images in question do not match the images they received from any customer. I would also note that the alleged hacker was asking for over a million dollars from Binance before releasing the images, and would not tell Binance how they were able to allegedly steal the images from their systems. The above fact pattern does not say with certainty that the images came from Binance/one of their vendors. It also opens the possibility the "hacker" obtained the images via means unrelated to Binance.