An unidentified individual posted a set of 10,000 API keys on Twitter.
3Commas bots use these API keys to interact with crypto exchanges, investing and trading automatically on behalf of users without requiring their account credentials. According to the hacker behind the leak, 10,000 keys is only 10% of what he got his hands on. The attacker plans to post the rest of the keys in the coming days.
3Commas has reviewed the leaked data and confirmed that it contains real API keys. The company is calling on all exchanges, including Kucoin, Coinbase, and Binance, to revoke all keys associated with 3Commas. Users are advised to re-issue their keys for all related exchanges themselves and contact 3Commas Support for guidance on how to proceed.
The company has already conducted an internal investigation to determine whether the incident was the work of an insider, but found no evidence of this.
"Only a small number of technical staff had access to the infrastructure, and since November 19, we have taken measures to limit their access. Since then, we have implemented new security measures, and we do not plan to stop there; we are launching a full-fledged investigation, which will involve law enforcement authorities," the company said in a statement.
It is worth noting that the first reports of unauthorized transactions carried out through 3Commas have been coming in since October of this year and have peaked in recent weeks. According to platform users, in November they lost about $6,000,000 worth of cryptocurrencies after their credentials were leaked from 3Commas systems.
All this time, company representatives denied the possibility of a hack and assumed that users were victims of phishing attacks or trojanized applications. However, after a steady stream of reports of unauthorized transactions using API keys, the company ran out of patience and published an investigation report stating that experts could not find any evidence of a compromise of 3Commas systems. In a separate publication, the company dismissed as false the reports that employees steal users' API keys and transfer their crypto assets to themselves.