The API keys of 100,000 users of the crypto trading service 3Commas were leaked by an anonymous Twitter user. As a result, 3Commas has asked Binance, KuCoin, and other supported exchanges to revoke the keys.
3Commas users have reportedly lost at least $6 million through the theft of their API keys, which were used to execute trades on exchanges without their consent.
Initially, 3Commas told its users that their losses were caused by phishing attacks. However, more than 50 users came together in Telegram group chats and confirmed that their API keys had been leaked rather than obtained through phishing attacks.
The leak included API keys generated on Binance and KuCoin, both of which allow users to set up trading bots on third-party crypto services. It has become clear that 3Commas users were exposed to a data breach that allowed malicious actors to gain access to their API keys. The breach was concerning because, with access to users' API keys, malicious actors were able to use bots to execute trades on users' accounts.