- The hacker had obtained around 100,000 API keys belonging to 3Commas.
- The 3Commas CEO confirmed the leak while urging Binance, Kucoin, and other supported exchanges to revoke all API keys that were connected to 3Commas.
On December 28, an anonymous person took to Twitter to allege that all of the API keys of the crypto trading service 3Commas had been leaked. Later, 3Commas CEO Yuriy Sorokin confirmed the leak in a tweet.
“We saw the hacker’s message and can confirm that the data in the files is true… We are sorry that this has gotten so far and will continue to be transparent in our communications around the situation.” He added that “as an immediate action, we have asked that Kucoin, Binance and other exchanges revoke all API keys that were connected to 3Commas.” He further stated that no proof was found that the leak was an inside job.
Reportedly, the hacker had obtained around 100,000 API keys belonging to users of the crypto trading service 3Commas. The leaker published more than 10,000 of the keys on Wednesday while adding that the rest “will be published full [sic] randomly in the upcoming days.”
Sorokin’s public confirmation of the leak comes a day after Binance CEO Changpeng Zhao (CZ) put out a tweet stating that he is “reasonably sure” that API key leaks are taking place at 3Commas, while urging people to disable their API keys immediately.
This is not the first time 3Commas has come under media scrutiny for its mishandling of API keys. Earlier this month, a group of traders claimed that over $22 million in crypto had been stolen through compromised 3Commas API keys.
In October 2022, then-FTX CEO Sam Bankman-Fried (SBF) paid out $6 million to FTX traders who were victims of a multimillion-dollar scam. He stated he was prepared to remunerate FTX users affected by a phishing exploit involving 3Commas while adding that the action should not be considered a precedent or company policy.
3Commas had then responded to the phishing attack by stating, “the API keys were not taken from 3Commas but from outside of the 3Commas platform.” Instead of taking accountability, 3Commas has always called claims of API leaks or exploits fake and spread by bad actors.
API is short for Application Programming Interface. An API allows you to connect with your exchange, giving you access to real-time market data and the ability to make trades and manage your account.