Crypto bot trading service 3Commas has confirmed that its database of users’ API keys has been leaked.
In a statement posted to Twitter on Wednesday, 3Commas CEO Yuriy Sorokin said, “We saw the hacker’s message and can confirm that the data in the files is true.”
3Commas API leak has been published, if you haven't already REMOVE YOUR API KEY pic.twitter.com/yEvrxyWBIq
— db (@tier10k) December 28, 2022
API keys are a critical piece of infrastructure that ties the 3Commas bot service to a user’s crypto exchange account. In the wrong hands, malicious actors could gain unauthorized access to these users’ accounts and make trades on their behalf.
As an immediate course of action, 3Commas requested all its supported crypto exchanges, including Binance and KuCoin, to revoke all API keys connected to its service.
“We did everything that we could to investigate an inside job, as it was always a possible scenario and on our watch list, but proof of an inside job was not found,” claimed Sorokin in a tweet.
“Only a small number of technical employees had access to the infrastructure and we have taken action since November 19 to remove their access,” he added.
His statement comes after Binance CEO Changpeng Zhao issued a warning earlier in the day, telling users that he was “reasonably sure” there was a widespread API key leak from 3Commas.
Users were visibly displeased with the revelation, particularly given the fact that Sorokin and 3Commas repeatedly denied any kind of leak whatsoever over the last few weeks.
Also given security explanations that were mentioned in the blogposts, how is it possible all of this leaked? I thought these keys were not stored in the DB pic.twitter.com/9KqiPy0Smm
— Alice (@Alice_comfy) December 28, 2022
On Dec. 21, 3Commas said there was no evidence of a hacking event or API leak and claimed that affected users were likely the victim of an external phishing attack.
“You kept lying and saying this was our fault instead of taking responsibility and prevented further exploits. Are you going to refund the users now?” tweeted CoinMamba, a crypto trader who saw his Binance account exploited earlier this month.
A number of the platform’s users are now planning a class-action lawsuit against 3Commas, after claiming to have lost a collective total of $14 million as a result of the data leak.