Crypto platform 3Commas confirms major API breach, FBI to investigate

How to prevent cyberattacks
(Image credit: Unsplash)

Cryptocurrency trading platform 3Commas has confirmed it suffered a data breach that saw API data stolen.

As per the announcement, an unknown threat actor posted 3Commas’ API database to Pastebin, on December 28. 

After analyzing the database, the company confirmed its authenticity, saying “at this point, 3Commas can unfortunately confirm that some of 3Commas’ users’ API data (API keys, secrets and passphrases) have been disclosed by a third party”. 

Stolen money

While the leaks revolve around API data at the moment, 3Commas’ does not exclude the possibility of other data being taken, as well: “Currently and to the best of our knowledge only API data have been disclosed as part of this incident. As a likely consequence the hacker(s) may use or may have used the API data to connect your exchange accounts to his/their account and/or initiate unauthorized trades,” it says.

In a notice sent to its users via email and a blog post, the company says it has made strides to protect its users and their funds, and reported the issue to relevant law enforcement agencies, including the FBI. 

As per a BleepingComputer report, a set of 10,000 API keys were leaked, which is just 10% of the 100,000-big database. These keys are usually used by 3Commas bots to automatically interact with crypto exchange platforms, make trades and generate profit, without user interaction.

Reacting to the news, 3Commas urged all supported exchanges (including some of the biggest ones - Binance, Coinbase, and Kucoin) to revoke all API keys connected to the platform. The company also urged all users to reissue their keys on all linked endpoints personally.

Investigating the leak further, the company eliminated the possibility of this being an inside job: “Only a small number of technical employees had access to the infrastructure, and we have taken steps since November 19 to remove their access,” the company said in a Twitter post. 

“Since then, we have implemented new security measures, and we will not stop there; we are launching a full investigation in which law enforcement will be involved,” the company added.

But the damage has already been done. Apparently, threat actors have been abusing leaked API keys since November, and have managed to steal some $6 million worth of cryptocurrencies so far. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.