
CoinMarketCap: No Breach Despite 3.1M Email Address Leak

Email Addresses Correlate With Accounts on Crypto Price-Tracking Service

CoinMarketCap says it has found no evidence of a data breach despite the circulation of a list of 3.1 million email addresses that correlates with accounts on its service.


CoinMarketCap is a website that tracks the price movement of cryptocurrency. Binance Capital Management, which runs cryptocurrency exchanges, acquired CoinMarketCap in April 2020.

The data is only email addresses and does not contain password hashes or other information. The data had been posted as far back as August on a well-known data breach forum. It surfaced again on that same forum earlier this month.

This post on a data breach forum on Aug. 12 mentions 3.1 million CoinMarketCap email addresses.

On Saturday, CoinMarketCap wrote in a short blog post that it "ran a comprehensive security check, and there is no trace of any security breach of our servers."

CoinMarketCap thinks the list was compiled from other data breaches.

"We believe that a bad actor (or actors) took a list of leaked emails (this list that claims to be from CoinMarketCap) and compared it with other batches of leaked data," the company says. "This is how the list of emails that claims to be from CoinMarketCap looks real -- it’s because it’s a 'cleaned' email dataset from the Dark Web that has occurred in previous leaked email sets totally unrelated to CoinMarketCap."

Regardless of where the list originates, having an accurate, long list of people who are interested in cryptocurrency is very useful for attackers for phishing attempts. Given that this data appears to have been circulating for at least two months, that's likely already been occurring.

Accurate Addresses

CoinMarketCap, however, did not say if the email list correlates 100% with accounts on its platform. But it did say in a previous statement that it has "found a correlation with our subscriber base."

The email addresses have been entered into Have I Been Pwned, the data breach notification service created by Troy Hunt. Notifications have been sent out to 50,000 people who are in the CoinMarketCap data and are subscribers of Have I Been Pwned.

Hunt says he contacted some of the people in the data, and all confirmed they had CoinMarketCap accounts. Also, after the 50,000 notifications were sent, no one responded by saying they did not have a CoinMarketCap account, which sometimes occurs if there is misattribution, Hunt says.

"I’d be really interested to know what percentage of those 3.1M addresses actually exist on @CoinMarketCap and of course that’s something they could easily establish (which I suspect they have) and then communicate in their disclosure notice (which they obviously haven’t)," Hunt tweeted.

Although CoinMarketCap maintains the list didn't come from its systems, attackers often look for enumeration vectors, or weaknesses in systems that give away information, such as if an account exists. Sometimes those enumeration weaknesses are in password reset functionality or in registration procedures, which may signal if an email address that's used as a username exists.

Hunt tweeted on Sunday that CoinMarketCap presents aggressive CAPTCHAs when trying to reset a password, a sign that "they’ve really ramped up the anti-enumeration defences."
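To make the enumeration weakness concrete, here is an added example (not code from the article or from CoinMarketCap) of a password-reset handler whose reply reveals whether an address has an account, beside a hardened version that answers identically and takes the same minimum time either way. The subscriber table, addresses and latency value are constructed for the illustration.

```python
import secrets
import time

# Constructed in-memory subscriber base (email -> account id) for the example.
USERS = {"alice@example.com": 1}
OUTBOX = []  # reset emails the handler "sent", as (address, token) pairs


def queue_reset_mail(email: str) -> None:
    token = secrets.token_urlsafe(32)
    OUTBOX.append((email, token))


# Vulnerable form: the reply text depends on whether the address has an
# account, so the reset page doubles as an account-existence oracle.
def reset_vulnerable(email: str) -> str:
    if email not in USERS:
        return "No account found for that email address."
    queue_reset_mail(email)
    return "A password reset link has been sent."


GENERIC = "If an account exists for that address, a reset link has been sent."
MIN_LATENCY = 0.05  # seconds; pad so known and unknown addresses take equally long


# Hardened form: identical reply for every address, mail only to real
# accounts, and a fixed minimum response time so the skipped mail-queue work
# cannot be told apart by timing.
def reset_hardened(email: str) -> str:
    start = time.monotonic()
    if email in USERS:
        queue_reset_mail(email)
    remaining = MIN_LATENCY - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return GENERIC


# Defender self-check: does the handler answer differently for a known and an
# unknown address? True means the endpoint can be used for enumeration.
def leaks_existence(handler, known: str, unknown: str) -> bool:
    return handler(known) != handler(unknown)
```

The same pattern applies to registration forms: a generic "check your inbox" reply with a confirmation mail to the real owner avoids confirming that an address is already taken.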


About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.