CoinMarketCap is a website that tracks the price movement of cryptocurrency. Binance Capital Management, which runs cryptocurrency exchanges, acquired CoinMarketCap in April 2020.

The data is only email addresses and does not contain password hashes or other information. The data had been posted as far back as August on a well-known data breach forum. It surfaced again on that same forum earlier this month.

This post on a data breach forum on Aug. 12 mentions 3.1 million CoinMarketCap email addresses.

Advertisements

“Ran a comprehensive security check, and there is no trace of any security breach of our servers.”

“We believe that a bad actors took a list of leaked emails and compared it with other batches of leaked data.This is how the list of emails that claims to be from CoinMarketCap looks real it’s because it’s a ‘cleaned’ email dataset from the Dark Web that has occurred in previous leaked email sets totally unrelated to CoinMarketCap,”.

Regardless of where the list originates, having an accurate, long list of people who are interested in cryptocurrency is very useful for attackers for phishing attempts. Given that this data appears to have been circulating for at least two months, that’s likely already been occurring.

CoinMarketCap, did not say if the email list correlates 100% with accounts on its platform. But it did say in a previous statement that it has “found a correlation with our subscriber base.”

The email addresses have been entered into Have I Been Pwned, the data breach notification service created by Troy Hunt. Notifcations have been sent out to 50,000 people who are in the CoinMarketCap data and are subscribers of Have I Been Pwned.

Advertisements

Hunt says he contacted some of the people the data, and all confirmed they had CoinMarketCap accounts. Also, after the 50,000 notifications were sent, no one responded by saying they did not have a CoinMarketCap account, which sometimes occurs if there is misattribution, Hunt says.

Although CoinMarketCap maintains the list didn’t come from its systems, attackers often look for enumeration vectors, or weaknesses in systems that give away information, such as if an account exists. Sometimes those enumeration weaknesses are in password reset functionality or in registration procedures, which may signal if an email address that’s used as a username exists.

Hunt tweeted on Sunday that CoinMarketCap presents aggressive CAPTCHAs when trying to reset a password, a sign that “they’ve really ramped up the anti-enumeration defences.”