In brief

  • Over 3 million email addresses of CoinMarketCap users have reportedly been collated and sold on hacker forums.
  • CoinMarketCap says that no signs point to a breach.

Yesterday, a site that scans the internet for data breaches reported that 3.1 million email addresses had been stolen from CoinMarketCap’s database.

Have I Been Pwned discovered on October 12 that emails used on the crypto price aggregator site were being traded on a hacking forum. The suspected leak does not contain passwords. 

But CoinMarketCap said today in a blog post that the leak “did not come from CoinMarketCap servers.” The company, which is a subsidiary of Binance, said it found “no trace of any security breach.”

CoinMarketCap reportedly told Have I Been Pwned there is “a correlation with our subscriber base,” but that 99% of the emails were already listed in the data breach site, meaning that they had already been exposed by earlier breaches on other sites. 

“As no passwords are included in the data we have seen, we believe that it is most likely sourced from another platform where users may have reused passwords across multiple sites,” said CoinMarketCap.

CoinMarketCap believes that the attacker sold a list of leaked emails and compared it with other collections of leaked information to verify the emails. 

“This is how the list of emails that claims to be from CoinMarketCap looks real — it’s because it’s a ‘cleaned’ email dataset from the Dark Web that has occurred in previous leaked email sets totally unrelated to CoinMarketCap,” said CoinMarketCap. 

CoinMarketCap’s parent company, Binance, was hacked in 2019. Hackers accessed important information, such as two-step authentication data and API keys, and stole 7,000 Bitcoin. Hacks are rife on Binance’s blockchain, the Binance Smart Chain.

On Wednesday, decentralized finance (DeFi) protocol PancakeHunny was exploited for about $1.9 million after attackers used flash loans to manipulate the price of a liquidity pool.