3Commas, a crypto trading platform admits a massive API key leak

Yesterday, an anonymous Twitter user posted a list of 10,000 API keys that he allegedly received from 3Commas’ cryptocurrency trading platform.

These API keys are used by 3Commas Bots to make profit for customers. They interact with crypto trading exchanges and do not require account credentials to execute automated trading and investment actions.

According to Twitter, the set leaked is only 10% of their 100,000 API keys. They plan on publishing them all within the next few days.

3Commas examined the data leak and found that they contain valid API keys. 3Commas has now asked all exchanges supported, such as Kucoin and Coinbase to remove all 3Commas keys.

It is recommended that users reissue keys to all exchanges linked by them and to contact 3Commas support for advice regarding subsequent actions.

The platform also claims that it investigated the possibility that the leak could be an inside job, but has not found any evidence.

The states that only a few technical staff had access to the infrastructure. They have since taken steps to remove them access.

The company stated that they have been implementing new security measures since then and will continue to do so. They are also launching an investigation, in which law enforcement may be involved.

3Commas did not take the time to verify the breach. Many of their users lost money over the last few months due to unauthorized trades that were made from their accounts.

Previous denial

3Commas was the first to report unauthorized transactions. These reports culminated in recent week.

Holders of large amounts of cryptocurrency reported losing approximately when 3Commas leaked their credentials.

The trading platform denied any possibility that there was a breach at this point, suggesting users reporting these problems must have been victims to phishing attacks, or unofficial trojanized applications.

After several reports regarding unauthorized transactions with leaked API keys and subsequent investigations, 3Commas released an on December 10, 2022. They claimed that there was no evidence to support a compromise of their system.

Next day, the platform posted a post to regarding its employees siphoning user assets by stealing API keys.

3Commas customers who reported unauthorized transactions to the company were rejected by them are .

3Commas did not make any comment about possible compensation at the time this article was published. BleepingComputer reached out to the company in order to clarify this matter and is currently waiting for an answer.