Users of the trading platform 3Commas got the biggest fright of their lives when an anonymous Twitter user illegally gained access to roughly 100,000 API keys and published them online.
3Commas initially blamed a phishing attack for the leak of user data but recently confessed that the source was an API leak.
The revelation was brought about by a cohort of traders who disclosed that over $20 million worth of crypto had been pilfered through compromised API keys.
These keys were then exploited to execute trades on exchanges such as Binance, KuCoin, and Coinbase without the users' consent.
After maintaining that the company had no security issues, co-founder Yuriy Sorokin ultimately acknowledged them when he tweeted:
“We saw the hacker’s message and can confirm that the data in the files is true… We are sorry that this has gotten so far and will continue to be transparent in our communications around the situation.”
For the uninitiated, users can connect their various cryptocurrency exchange accounts, including those held on Binance, to automated trading tools using the 3Commas platform.
Application programming interfaces (APIs) are standardized procedures that let various software components connect with one another and carry out activities.
The idea is that people don't have to put in the effort to think about their trades. Instead, everything is instantaneous and automatic thanks to programming.
In his tweet, 3Commas’ Sorokin noted that he and his firm “did everything that we could to investigate an inside job, as it was always a possible scenario and on our watch list, but proof of an inside job was not found.”
Before 3Commas published its announcement, Binance CEO Changpeng Zhao warned customers on Wednesday afternoon that they should “immediately disable any API keys you may have previously entered into 3Commas [from any exchange].”
3Commas’s Admission After Binance’s CZ Warning
Following an incident on December 9 in which Binance terminated the account of a user who had complained about losing money the day before, CZ made the admission.
According to that user, a leaked API key associated with 3Commas was used “to make trades on low cap coins to push up the price to make a profit.” Binance declined to pay the user back.
According to a tweet from CZ, the loss cannot be verified, and if the business compensated for it, “we will just be paying for users to lose their API credentials.”