2 - 3 minute read
Dozens of 3Commas users have stated that without their permission, their API credentials were used to make trades on exchanges. 3Commas reported that at least $6 million was stolen by customers beginning in October, although individuals who talked with CoinDesk indicate that the actual figure may be greater. The company initially blamed the losses to phishing assaults, but consumers who have organized themselves into Telegram group conversations allege that their credentials were compromised by 3Commas or a cryptocurrency exchange like Binance or Coinbase.
Leaked Database May Provide Clues Regarding Credential Leak
If the database is genuine, it could provide additional evidence that the credentials of 3Commas users were truly compromised. CoinDesk has reached out to 3Commas for comment regarding this issue. On Wednesday, Binance CEO Changpeng Zhao tweeted that he believed extensive API key leaks from 3Commas and encouraged users to disable any API keys they may have provided to the site.
3Commas permits users to configure trading bots that execute trades on their behalf on third-party cryptocurrency exchanges. These transactions create API keys that users can enter into 3Commas to enable the application access to their accounts. The API keys contained in this week’s hack purportedly originated from Binance and KuCoin.
CoinDesk has chosen not to connect to or identify the anonymous Twitter account responsible for the leak in order to safeguard the sensitive private information of 3Commas users. If the leak is legitimate, identifying the account would simply increase the exposure of the data.