The Estonia-based company today asks its users to reissue their keys on crypto exchanges.
After 2 months of denying a possible data leak from his platform, Yuriy Sorokin, the CEO of 3Commas, had to admit that his clients’ API keys are indeed compromised. However, the origin of the breach remains unclear.
The CEO tweeted that “We saw the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas.”
In said tweet, Yuriy Sorokin refers to a Twitter user who shared part of the 3Commasque database, in particular, it contained user API keys for the platform.
Chronicle of an Announced Breach
Unsurprisingly, the responses to the 3Commas CEO’s statement were particularly vindictive. In fact, it’s been around 2 months since an increasing number of platform users have complained about unexplained actions on their accounts, to which 3Commas continues to deny any liability.
The head of cryptocurrency exchange Binance, Changpeng Zhao, had warned about the leak of API keys for users of the 3Commas algorithmic trading platform for digital assets. He tweeted that “I am reasonably sure there are widespread API key leaks from 3Commas. If you have ever put an API key in 3Commas (from any exchange), please disable it immediately.”
3Commas noted that it had conducted an investigation into possible insider activity, but found no evidence of this. According to the statement, “a limited number of employees” had access to the infrastructure. Since November 19, 3Commas has been systematically revoking its permits. The platform team clarified that the leak occurred before November 16. After this date, API keys were “not at risk”.
Losses That Could Have Been Limited
Several users have started complaining about outside actions on their cryptocurrency trading accounts. However, on many occasions 3Commas denied the facts in lengthy blog posts, explaining that the evidence and other screenshots of possible vulnerabilities in its database were fabricated or falsified. 3Commas has also placed the blame on its users, accusing them of being duped by phishing attempts.
Additionally, a survey conducted by @ZachXBT, revealed on December 20, reported $14.8 million stolen from 44 victims. It should be noted that these are only those who have reported the event and that the total number of victims is undoubtedly much higher. @ZachXBT tweeted the following:
“Users have made complaints across different exchanges. It’s clear this is not phishing and api keys were stolen. 3Commas and their founder have chosen to blame its users. Delete the api keys if you haven’t already and stop using 3commas.”
However, now that the data leak has finally been admitted, it remains to be seen what will happen to the affected users. For now, it appears that some of them have come together to take class action in court.
By Audy Castaneda
