CoinMarketCap: No Breach Despite 3.1M Email Address Leak
Email Addresses Correlate With Accounts on Crypto Price-Tracking Service
CoinMarketCap says it has found no evidence of a data breach despite the circulation of a list of 3.1 million email addresses that correlates with accounts on its service.
CoinMarketCap is a website that tracks the price movement of cryptocurrency. Binance Capital Management, which runs cryptocurrency exchanges, acquired CoinMarketCap in April 2020.
The data consists only of email addresses and does not contain password hashes or other information. The data had been posted as far back as August on a well-known data breach forum. It surfaced again on that same forum earlier this month.
On Saturday, CoinMarketCap wrote in a short blog post that it "ran a comprehensive security check, and there is no trace of any security breach of our servers."
CoinMarketCap thinks the list was compiled from other data breaches.
"We believe that a bad actor (or actors) took a list of leaked emails (this list that claims to be from CoinMarketCap) and compared it with other batches of leaked data," the company says. "This is how the list of emails that claims to be from CoinMarketCap looks real -- it’s because it’s a 'cleaned' email dataset from the Dark Web that has occurred in previous leaked email sets totally unrelated to CoinMarketCap."
Regardless of where the list originates, having an accurate, long list of people who are interested in cryptocurrency is very useful for attackers for phishing attempts. Given that this data appears to have been circulating for at least two months, that's likely already been occurring.
CoinMarketCap, however, did not say if the email list correlates 100% with accounts on its platform. But it did say in a previous statement that it has "found a correlation with our subscriber base."
The email addresses have been entered into Have I Been Pwned, the data breach notification service created by Troy Hunt. Notifications have been sent out to 50,000 people who are in the CoinMarketCap data and are subscribers of Have I Been Pwned.
Hunt says he contacted some of the people in the data, and all confirmed they had CoinMarketCap accounts. Also, after the 50,000 notifications were sent, no one responded by saying they did not have a CoinMarketCap account, which sometimes occurs if there is misattribution, Hunt says.
"I’d be really interested to know what percentage of those 3.1M addresses actually exist on @CoinMarketCap and of course that’s something they could easily establish (which I suspect they have) and then communicate in their disclosure notice (which they obviously haven’t)," Hunt tweeted.
Although CoinMarketCap maintains the list didn't come from its systems, attackers often look for enumeration vectors, or weaknesses in systems that give away information, such as if an account exists. Sometimes those enumeration weaknesses are in password reset functionality or in registration procedures, which may signal if an email address that's used as a username exists.
Hunt tweeted on Sunday that CoinMarketCap presents aggressive CAPTCHAs when a user tries to reset a password, a sign that "they’ve really ramped up the anti-enumeration defences."
So we’re all a bit in the dark. I notice there’s a *really* aggressive capture on password reset (seriously - try it - multiple prompts each reset) so I suspect they’ve really ramped up the anti-enumeration defences. Who knows, in a vacuum of information we can only speculate. pic.twitter.com/bTDUqsgLpz
— Troy Hunt (@troyhunt) October 23, 2021