Binance CEO “Reasonably Sure” About API Key Leakage on 3Commas

The Chief Executive Officer (CEO) of Binance, Changpeng Zhao, cautioned the crypto Twitter community and instructed users to disable any API (Application Programming Interface) keys stored in 3Commas. Zhao issued the warning because he was reasonably sure that API keys had leaked from 3Commas.

I am reasonably sure there are widespread API key leaks from 3Commas. If you have ever put an API key in 3Commas (from any exchange), please disable it immediately.

Stay #SAFU.

— CZ 🔶 Binance (@cz_binance) December 28, 2022

Similarly, ZachXBT, an on-chain sleuth, tweeted that an account had sent him a database of API keys belonging to 3Commas users. The investigator later said that he had verified the validity of the information and then passed it on to all the exchanges.

1/ Six hours ago an account messaged me and sent over a db with api keys of 3Commas users. I began working to verify its validity and quickly shared the info with exchanges. pic.twitter.com/MBKatUyzBE

— ZachXBT (@zachxbt) December 28, 2022

Interestingly, ZachXBT stated that although the leaked API key gave him access to a million dollars, he refrained from any illicit activity because he wanted to teach the community a soft lesson rather than a hard one: not to trust 3Commas.

Meanwhile, 3Commas responded to the API key leak. In a tweet, it stated:

We have seen the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have requested that Binance, Kucoin, and other supported exchanges revoke all keys that were connected to 3Commas.

Moreover, 3Commas tweeted that it had conducted an internal investigation to determine whether this was an inside job, but found no evidence of one. Furthermore, it stated, “Only a small number of technical employees had access to the infrastructure and we have taken steps since November 19 to remove their access.”

3Commas stated that it has implemented new security measures and pledged that it will not stop there, but will launch a full investigation in which law enforcement will be involved.
