A Twitter user posted a dump of 10,000 API keys belonging to cryptocurrency company 3Commas. The user claimed to have 100,000 API keys and threatened to release the rest in the coming days.
3Commas has confirmed the leak’s authenticity and called on exchanges, including Kucoin, Coinbase, and Binance, to revoke any 3Commas-associated keys. The corporation has also indicated that no evidence has been uncovered to show that the leak was the work of an insider.
This is not the first time 3Commas has received criticism over the security of its API keys. In October 2022, users began reporting unauthorized transactions involving 3Commas, and in November, users claimed to have lost approximately $6,000,000 worth of cryptocurrency due to leaked credentials. Since then, this amount is believed to have doubled. At the time, 3Commas denied any possibility of hacking and suggested that affected users had fallen victim to phishing attacks or were using unauthorized third-party applications.
On December 10, 2022, after numerous reports of unauthorized transactions using API keys, 3Commas released an investigation report stating that experts could not find any evidence of a compromise of the company’s systems. The company also denied reports that its employees were stealing user API keys and assets.
Now, users whose complaints about unauthorized transactions were previously dismissed are demanding a full refund of their lost funds from 3Commas. It remains to be seen how the company will respond to these demands and whether it can restore user confidence in the security of its systems.
