A Password Reset Is Forced Upon Users of the Poloniex Cryptocurrency Exchange After a Credential Leak

Poloniex Password Reset

Yesterday, we wrote about a recent phishing campaign aimed at PayPal users in Latin America. We talked about how phishers often try to fool victims into thinking that someone is trying to hack their account. The idea is that the panic which ensues will decrease the chances of the user noticing that they're being scammed. Although it's quite effective, the practice is fairly common now, and plenty of people know about it. So much so, in fact, that when a few Poloniex users got emails related to their account security, they were rather skeptical.

An unexpected email alert raises some eyebrows

According to the message, the cryptocurrency exchange was contacting its customers because of a list of email addresses and passwords that was circulating on Twitter. The email said that the trading platform's security team took hold of the list, analyzed it, and determined that some of the addresses were associated with Poloniex accounts. The users who received the message were told that their addresses were on that list and that, out of an abundance of caution, Poloniex had forced a password reset on their accounts. Although there wasn't a link that redirected them to a login page, some users immediately assumed that they were on the receiving end of a phishing attack.

They expressed their concerns on social media, and plenty of other people agreed that the message looked somewhat fishy. On December 30, however, Poloniex's support team confirmed that the email was genuine.

Poloniex tells us what happened

Despite Poloniex's tweet, some people remained confused, and yesterday, the cryptocurrency exchange finally decided to publish a Medium post and share more details on the matter. The post says that about 1% of the trading platform's customers received the email alert. As mentioned already, Poloniex contacted them because their email addresses were found on a list of leaked login credentials that was doing the rounds in late December.

Crucially, the data wasn't stolen from Poloniex. The cryptocurrency exchange's security experts checked their systems and found no evidence of a data breach. What's more, they mentioned both in the Medium post and in the email that they store passwords as salted bcrypt hashes. By contrast, all the login information in the leaked list was in plain text.

After getting in touch with Troy Hunt, Poloniex's security experts figured out that a whopping 90% of the passwords from the list were already present in the Have I Been Pwned database. Hunt already has the rest of the data and will load it into his data breach alert service soon.

In other words, Poloniex's security specialists tried to protect their customers from a credential stuffing attack.
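The three checks the article describes (matching leaked addresses against the customer list, verifying whether a leaked plaintext password is the one behind a salted slow hash, and measuring how much of the dump Have I Been Pwned already knows via its k-anonymity range lookup) can be sketched as one defensive triage script. This is an added example and not Poloniex's own tooling: all accounts, passwords and breach counts are constructed, PBKDF2 from the standard library stands in for bcrypt, and `build_range_index` imitates the pwnedpasswords range endpoint offline rather than calling it.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# --- Constructed sample data: not real accounts and not the real leaked list ---
LEAKED_LIST = """\
alice@example.com:hunter2
Bob@Example.com:Winter2019!
carol@example.com:password123
dave@example.net:correct horse
"""

# Passwords the stand-in breach index already "knows", with made-up breach counts.
KNOWN_BREACHED = {"hunter2": 17043, "password123": 126927, "correct horse": 4}

ROUNDS = 50_000  # work factor; bcrypt expresses the same idea as a cost parameter


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt plus a slow hash. PBKDF2 (stdlib) stands in for bcrypt here."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def build_user_store() -> dict[str, tuple[bytes, bytes]]:
    """What the exchange holds: e-mail -> (salt, hash). The plaintext is never stored."""
    users = {
        "alice@example.com": "hunter2",           # reused the leaked password
        "bob@example.com": "a-different-secret",  # address in the dump, password differs
        "erin@example.com": "not-in-the-dump",    # unaffected customer
    }
    return {email: hash_password(pw) for email, pw in users.items()}


def parse_leak(text: str) -> list[tuple[str, str]]:
    """Parse 'email:password' lines; addresses are normalised to lower case."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        pairs.append((email.strip().lower(), password))
    return pairs


def triage(store: dict, leak: list[tuple[str, str]]) -> dict[str, str]:
    """Map each affected customer to 'password_match' (the leaked password is the live one)
    or 'email_only' (address in the dump, password differs). Both groups get a forced reset."""
    result: dict[str, str] = {}
    for email, password in leak:
        if email not in store:
            continue  # not our customer
        salt, digest = store[email]
        if verify_password(password, salt, digest):
            result[email] = "password_match"
        else:
            result.setdefault(email, "email_only")
    return result


def sha1_split(password: str) -> tuple[str, str]:
    """HIBP k-anonymity: only the first 5 hex chars of the SHA-1 ever leave the client."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[:5], h[5:]


def build_range_index(known: dict[str, int]) -> dict[str, list[str]]:
    """Offline stand-in for the pwnedpasswords 'range' endpoint: prefix -> ['SUFFIX:COUNT', ...]."""
    index: dict[str, list[str]] = {}
    for pw, count in known.items():
        prefix, suffix = sha1_split(pw)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


def pwned_count(password: str, range_index: dict[str, list[str]]) -> int:
    """Look up the full hash locally among the suffixes returned for its 5-char prefix."""
    prefix, suffix = sha1_split(password)
    for line in range_index.get(prefix, []):
        s, _, count = line.partition(":")
        if s == suffix:
            return int(count)
    return 0


def already_known_fraction(leak: list[tuple[str, str]], range_index: dict) -> float:
    """Share of leaked passwords that the breach index already contains."""
    known = sum(1 for _, pw in leak if pwned_count(pw, range_index) > 0)
    return known / len(leak)


if __name__ == "__main__":
    leak = parse_leak(LEAKED_LIST)
    print(triage(build_user_store(), leak))
    print(already_known_fraction(leak, build_range_index(KNOWN_BREACHED)))
```

Because the store only holds salted hashes, the comparison runs one way: the leaked plaintext is hashed with each matching account's salt and compared to the stored digest, so nothing in the store can be turned back into the plaintext in the dump. Against the real service, `build_range_index` would be replaced by a GET of `https://api.pwnedpasswords.com/range/<prefix>`, which returns the same `SUFFIX:COUNT` lines.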

Slightly better disclosure would have made all the difference

Getting your hands on a significant amount of stolen login data is easier than ever, which means that credential stuffing attacks are becoming more and more frequent. Poloniex deserves a pat on the back for helping its customers protect themselves against this particular threat. It must be said, however, that a more detailed account of what was going on and slightly better timing would have saved users a lot of head-scratching.

The alert, for example, didn't address users by their name or username and instead started with "Dear Poloniex Customer," which is often considered a tell-tale sign of a phishing email. In addition to this, when the messages were sent out, there was no accompanying blog post that could shed more light on the matter. It didn't come out until three days later, and during that time, the only thing customers had to go by was a tweet from Poloniex's support account, which urged them to "reset your password for account security."

As you can see, even the smallest mistakes can cause a lot of confusion, especially when the security (and, in this case, crypto money) of many people is at stake. The whole story is yet more proof that the disclosure of a security-related event is sometimes just as important as the actions taken to ensure that people remain safe.

January 3, 2020