Cryptocurrency exchange Poloniex is forcing its users to reset their passwords after a list of email addresses and passwords was allegedly leaked on social media.
Last week, the exchange notified customers of the breach, adding that the leaked information could be used to access Poloniex accounts, ZDNet reports.
The email was shared on Twitter by user charlysatoshi, who initially thought it was a phishing attempt. However, Poloniex support confirmed on the social media site that it was, in fact, a legitimate email.
This is a real email! Please reset your password for account security
— Poloniex Customer Support (@PoloSupport) December 30, 2019
The exchange has also claimed that most of the emails listed aren’t attached to Poloniex accounts.
“While almost all of the email addresses listed do not belong to Poloniex accounts, we are forcing a password reset on any email addresses that do have an account with us, including yours,” the email says.
As ZDNet points out, Poloniex emphasized that most of the email addresses in the leak aren’t connected to the exchange. On the same day as the email, the exchange also published a tweet advising users how to set up two-factor authentication (2FA) on their accounts.
Steps to set up 2FA:
– Install an authenticator application on your phone
– Click 2FA in your Polo settings
– Scan the barcode or manually enter the 16 digit key
– Safely store your backup code & QR code in case your phone gets lost, stolen, or erased
Tada!
— Poloniex Customer Support (@PoloSupport) December 30, 2019
It’s not entirely clear where the data leak has come from, who exactly was implicated in the breach, or if any accounts have been accessed by bad actors.
Hard Fork has contacted Poloniex for further comment on the extent of the breach and will update this piece in due course.
The lack of information might be a cause for concern for some Poloniex users. But it also makes the enforced password change seem like a bit of a knee-jerk reaction, assuming the exchange is not trying to downplay the situation.
All things considered, if you’re a Poloniex user, it’s probably best to follow their advice. Turn on 2FA and change your password. Better safe than sorry.
Users are right to be wary of phishing attempts, though.
Back in 2018, Google’s Play Store featured a fake cryptocurrency trading app claiming to be for Poloniex. Thankfully, the app was removed soon after it was uncovered by security researchers.
Update January 3, 2020, 0727UTC: Poloniex has since issued a blog post on the incident, which can be found here. Despite the email stating that the exchange would be “forcing a password reset,” it wanted to clarify that it did not force all customers to reset their passwords.