CoinMarketCap has reportedly fallen victim to a hack that leaked 3.1 million (3,117,548) user email addresses.
It has been reported that the information came into light after the hacked email addresses were found to be traded and sold online on various hacking forums, and revealed by Have I Been Pwned, a website dedicated to tracking hacks and compromised online accounts.
However, CoinMarketCap, a subsidiary of Binance cryptocurrency exchange, confirmed that the list of leaked user accounts matched its userbase.
CoinMarketCap stated:
"CoinMarketCap has become aware that batches of data have shown up online purporting to be a list of user accounts. While the data lists we have seen are only email addresses, we have found a correlation with our subscriber base."
The report said that while confirming the correlation of the 3.1 million (3,117,548) user email addresses with its userbase on October 12, the company has assured that the hackers did not gain access to any of the account passwords.
CoinMarketCap spokesperson said:
"We have not found any evidence of a data leak from our own servers — we are actively investigating this issue and will update our subscribers as soon as we have any new information."
CoinMarketCap said:
"As no passwords are included in the data we have seen, we believe that it is most likely sourced from another platform where users may have reused passwords across multiple sites."
Thus, according to Coinbase, the attackers identified a vulnerability in the account recovery process:
"In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account."
Source: Cointelegraph