Poloniex users are being forced to reset their passwords following a data leak on Twitter.
A list of alleged usernames and passwords of Poloniex users was found circulating on Twitter.
On December 30, 2019, Poloniex users began receiving a message from the Poloniex exchange informing them of the data leak.
“While almost all of the email addresses listed do not belong to Poloniex accounts, we are forcing a password reset on any email addresses that do have an account with us including yours,” states the email.
Users were unsure whether this was a scam or a fake email from Poloniex because the email contained so little information.
This left Poloniex in trouble, and soon the official Poloniex support account on Twitter tweeted that the email was legitimate and that users should reset their passwords.
“Earlier this week we emailed a small group of our customers (about 1% of our total base), requiring them to reset their Poloniex password in response to a tweet claiming to contain a list of leaked email addresses and passwords,” the exchange said.
Poloniex emphasised that the passwords are not stored in plain text or a recoverable form, but rather stored as salted crypt hashes.
Passwords must be changed immediately in order to prevent credential stuffing attacks.
“A credential stuffing attack is when attackers compile usernames and passwords that were leaked from different companies’ data breaches and use those credentials to try and gain access to accounts at other sites. This type of attack works particularly well against users who use the same password at every site,” stated BleepingComputer.