Changpeng Zhao Warns of API-Key Leaks on 3Commas Platform

Binance chief Changpeng Zhao warned of API-key leaks affecting users of the 3Commas platform for algorithmic trading of digital assets.

I am reasonably sure there are wide spread API key leaks from 3Commas. If you have ever put an API key in 3Commas (from any exchange), please disable it immediately.

Stay #SAFU.

— CZ 🔶 Binance (@cz_binance) December 28, 2022

\n\n

“I am reasonably sure that API key leaks from 3Commas are widespread. If you have ever provided an API key (from any exchange) to the platform, please disable it immediately,” he wrote.

\n\n

Zhao emphasised that Binance cannot disable keys on its own, because the team does not know which API keys users have shared with other platforms.

\n\n

According to reports circulating online, the hacker has published part of the 3Commas database dump containing confidential information of Binance and KuCoin customers.

\n\n

PSA

3Commas API leak has been published, if you haven’t already REMOVE YOUR API KEY pic.twitter.com/yEvrxyWBIq

— db (@tier10k) December 28, 2022

\n\n

According to CoinDesk, around 100,000 API keys fell into the hands of the attacker. He published 10,000 of them publicly and promised to publish the rest “in the coming days.”

\n\n

3Commas confirmed the compromise of keys. The company said that the data disclosed by the hacker was accurate.

\n\n

2) We did everything we could to investigate an inside job, as it was always a possible scenario and on our watch list, but no evidence of an inside job was found.

— 3Commas (@3commas_io) December 28, 2022

\n\n

“We saw the hacker’s message and can confirm that the data in the files are accurate. As immediate actions, we asked Binance, KuCoin and other supported exchanges to revoke the keys that were connected to 3Commas,” the statement says.

\n\n

The company noted that it conducted an investigation into potential insider activity, but found no evidence. According to the statement, access to the infrastructure was held by a “small number of employees.” Since November 19, 3Commas has been systematically revoking their permissions.

\n\n

The platform team clarified that the leak occurred before November 16. After that date, the API keys were not at risk. Law enforcement authorities are expected to be involved in the investigation.

\n\n

In October 2022, 3Commas and FTX jointly stated that a number of API keys had been compromised, which were subsequently used to execute unauthorized trades of the DMM Governance (DMG) token.

\n\n

In December, reports of user data leaks circulated online again. The company denied the information, calling it a targeted attack.

\n\n

Read ForkLog’s bitcoin news on our Telegram — cryptocurrency news, prices and analytics.