Poloniex forces password reset after Twitter account info leak

Getting your Trinity Audio player ready...

Cryptocurrency exchange Poloniex is now requiring some users to reset their account passwords, following a massive data breach which saw customer information published on Twitter.

The embarrassing revelation surfaced in an email from Poloniex dated Dec. 30, in which the exchange said that a list of email addresses and passwords had been published on Twitter.

@Poloniex be careful with this Scam email we are getting in our emails #BTC #LTC #ETH #DASH #Crypto #Poloniex pic.twitter.com/untSVGfwAM

— Charly (@charlysicardo) December 30, 2019

The email confirmed the credentials could be used to login to active Poloniex accounts, opening up significant risks to users of the exchange. With login access, an opportunistic hacker could scam thousands from unsuspecting victims in a matter of minutes.

However, Poloniex stressed that not all the emails on the list correspond with Poloniex accounts, and in the case of those that do, users are being forced to manually reset their password on login.

Addressing its response to the breach, the exchange said on Twitter that they had already been in touch with affected users: “We promptly sent emails out to all affected users, requiring them to change their password.”

Yes, someone leaked a list of email addresses and passwords on Twitter. If your account was on the list, you would have been the first to know, well before any media publication. We promptly sent emails out to all affected users, requiring them to change their password.

— Poloniex Customer Support (@PoloSupport) December 30, 2019

The revelation is the latest major security risk to affect a significant cryptocurrency exchange. With hacking and cybercrime in crypto running at all-time highs, the publication of sensitive account data is only the most recent reminder of the risks involved in cryptocurrency speculation.

All the more damning is the recent decision from Poloniex to drop its KYC requirements, meaning users can now withdraw as much as $10,000 per day without having to verify their identity.

The lower threshold was established after the exchange pulled out of the U.S. market in October, as it spun off from parent company Circle.

The number of users affected, and the extent of any losses suffered by the breach remains uncertain. However, the breach will do little to inspire confidence in Poloniex users, with security still a major concern for crypto exchanges and users.

All Poloniex users are being urged to look out for the password reset email, and to reset their account information at the earliest opportunity.

While it is unclear who leaked the data to Twitter, the case underlines the need for exchanges to implement more effective measures for protecting user data.