CoinMarketCap, purchased recently by Binance, admits there’s a database of 3,117,548 email addresses belonging to its users being sold online – but adds that no other data was stolen beyond email addresses.
The website “HaveIBeenPwned” was the first to reveal the leak, and says the hack happened 10 days before it became public knowledge.
“While the list of data we have reviewed comprises only email addresses (no passwords), we found a correlation with our subscriber database. We have not found any evidence of data breaches from our servers,” CoinMarketCap said in a statement.
Which Brings Up A Real Possibility – CoinMarketCap Was Never Hacked…
The other possibility is that hackers took other stolen databases containing e-mail addresses and passwords and loaded them into software that tries to log in to sites with each pair, to see if people used the same e-mail/password combination elsewhere. Using proxy servers, these programs can try thousands of accounts per hour.
So they could have had this software try all those e-mails/passwords on CoinMarketCap; the software would then create a new list of everyone from the first hacked database who also has a CoinMarketCap account.
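What this kind of login testing looks like from the site's side, as an added example that is not part of the original article: a short detector run over a constructed authentication log. The log format, the function names and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log: timestamp, source IP, account, outcome.
# IPs come from documentation ranges; the accounts are made up.
SAMPLE_LOG = """\
2020-01-01T09:58:10 192.0.2.10 carol@example.com OK
2020-01-01T10:00:01 198.51.100.7 u1@example.com FAIL
2020-01-01T10:00:02 203.0.113.9 u2@example.com FAIL
2020-01-01T10:00:03 198.51.100.7 u3@example.com OK
2020-01-01T10:00:04 203.0.113.9 u4@example.com FAIL
2020-01-01T10:00:05 198.51.100.7 u5@example.com FAIL
2020-01-01T10:00:06 203.0.113.9 u6@example.com FAIL
2020-01-01T10:03:30 192.0.2.44 dave@example.com OK
"""

def parse(log):
    """Yield (timestamp, ip, account, succeeded) for each log line."""
    for line in log.splitlines():
        ts, ip, account, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, account.lower(), outcome == "OK"

def find_stuffing(log, window_min=10, min_failed_accounts=5):
    """Return {window_start: accounts to reset} for windows that look like
    password-reuse testing. Both thresholds are assumed values."""
    windows = defaultdict(list)
    for ts, ip, account, ok in parse(log):
        start = ts.replace(minute=ts.minute - ts.minute % window_min, second=0)
        windows[start].append((ip, account, ok))
    flagged = {}
    for start, events in windows.items():
        failed = defaultdict(set)  # account -> source IPs that failed on it
        for ip, account, ok in events:
            if not ok:
                failed[account].add(ip)
        # Signature: failures spread over many distinct accounts in one window.
        # Counting accounts rather than IPs keeps the signal when the traffic
        # is spread across proxies.
        if len(failed) < min_failed_accounts:
            continue
        bad_ips = set().union(*failed.values())
        # A success from a source that was failing on other accounts means a
        # reused password worked: that account needs a forced reset.
        flagged[start] = sorted({a for ip, a, ok in events if ok and ip in bad_ips})
    return flagged

if __name__ == "__main__":
    for start, accounts in find_stuffing(SAMPLE_LOG).items():
        print(start.isoformat(), "force password reset for:", accounts)
```

On the sample log only the 10:00 window is flagged, and only the account that logged in from one of the failing sources is listed; the two ordinary logins from other addresses are left alone.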
So Why Was Everyone Calling It A Hack?
The list of users’ e-mail addresses hit the underground marketplaces, sold as a database of CoinMarketCap user e-mails, so it initially appeared as if CoinMarketCap was the source of the data.
While freshly hacked databases are most valuable, people who buy those databases then create these sub-databases to resell.
For example, an online store with 50,000 users gets hacked, someone buys that database, then tries the e-mail addresses and passwords on Netflix. Out of those 50,000 users they could now create a list of “500 valid Netflix accounts” for sale.
This is Why ‘Never re-use your password on multiple sites’ Is Not Something to be Ignored…
If just 1 site you use gets hacked, you’re now hacked on every site you use. What information could someone with access to every site you’ve signed up for get?
So, if you do re-use passwords on multiple sites, the time to change that is RIGHT NOW.
If you’re thinking ‘but there’s no way I can remember 20 passwords!’ try this trick – put the first 1 or 2 letters of the website at the beginning or end of the password. So if your password was ‘CryptoK1NG’ and you made an account on CoinMarketCap it would be ‘CoCryptoK1NG’, on GlobalCryptoPress it would now be ‘GlCryptoK1NG’, etc.
Remember, they use software to see if you use the same password somewhere else – they don’t actually look at the list themselves. It only takes a tiny change to make you fully secure against this method of account cracking.
Warning To Anyone on This E-Mail List: Scams Are Coming…
If your e-mail address is part of this list – it’s time to get paranoid. People buying the e-mails are doing it for one purpose – to scam those on it.
So be on the lookout for suspicious emails, especially ones that would require you to give private keys to a wallet or login info to any crypto exchanges you may use.
The website mentioned earlier, HaveIBeenPwned, allows you to put in your email address and see if you were included in the CMC email list.