Cryptocurrency trading platform 3Commas has confirmed that it suffered a data breach in which API data was stolen.
According to the announcement, an unknown threat actor posted a 3Commas API database on Pastebin on December 28th.
After analyzing the database, the company confirmed its authenticity, saying, “At this time, 3Commas is unfortunately able to confirm that some of 3Commas users’ API data (API keys, secrets, and passphrases) has been disclosed by a third party.”
While the leak currently revolves around API data, 3Commas does not rule out the possibility that other data was extracted: “Currently, and to the best of our knowledge, only API data has been disclosed as part of this incident. As a likely consequence, the hackers could use or have used the API data to connect your exchange accounts to his/her account and/or initiate unauthorized trades,” it reads.
In a notice sent to its users via email and a blog post, the company says it has made strides to protect its users and their funds and has reported the issue to relevant law enforcement agencies, including the FBI.
According to BleepingComputer, 10,000 API keys were reportedly leaked, accounting for only 10% of the 100,000-strong database. These keys are typically used by 3Commas bots to automatically interact with crypto exchange platforms, execute trades, and generate profits without user interaction.
In response to the news, 3Commas requested all supported exchanges (including some of the largest: Binance, Coinbase, and Kucoin) to revoke all API keys associated with the platform. The company also asked all users to reissue their keys on all linked endpoints.
The company continued to investigate the leak and ruled out the possibility that it was an inside job: “Only a small number of technical staff had access to the infrastructure and we have taken steps since November 19 to remove their access,” the company said in a Twitter post.
“Since then we have introduced new security measures and we will not stop there; we are launching a full investigation that will involve law enforcement,” the company added.
But the damage is already done. Apparently, threat actors have been abusing leaked API keys since November and have so far managed to steal around $6 million worth of cryptocurrencies.
Via: BleepingComputer