The Poloniex cryptocurrency trading platform has reset some of its users’ passwords after a list of alleged username and password combinations was found disclosed on Twitter.
On December 30th, 2019, some users received an email from Poloniex warning that their account username and password might be included in a data leak circulating on Twitter.
The email also says that some of the email addresses in the leak did not belong to legitimate Poloniex accounts, but that, to be safe, the trading platform is forcing a password reset on any email address that has an account with it.
Because the email did not include all the necessary information, some users were not sure whether this was a scam or a fake email purporting to be from Poloniex.
Soon after that, a tweet from Poloniex’s official support Twitter account stated that the email was legitimate and that users must reset their passwords.
It is unclear how this list of accounts was created, and it is believed that it might have been compiled via credential stuffing attacks using accounts leaked in other data breaches. Poloniex itself does not know the source of the data.
Users who have received the email from Poloniex are advised to reset their passwords to be on the safe side.
Users who use the same username and password at other sites are also strongly advised to change their passwords at those sites to prevent credential stuffing attacks.
A credential stuffing attack occurs when attackers take usernames and passwords that were leaked in other companies’ data breaches and use those credentials to gain access to accounts at other sites. This type of attack works against users who use the same password on different sites.
To avoid this type of attack, make sure to use a unique password for each site. A password manager can be used to remember strong and unique passwords.
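A sketch of how a platform could triage a leaked list in the way the article describes, as an added example that is not Poloniex's code: each leaked address is checked against the account store, addresses without an account are set aside, and every address with an account is queued for a forced reset. The account store, the `email:password` leak format, and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept low so the example runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Constructed account store (hypothetical users, not real data).
USERS = {
    "alice@example.com": make_user("Summer2019!"),  # password reused elsewhere
    "bob@example.com": make_user("x7#Qp-unique-to-this-site"),
}

# Constructed leak in "email:password" form (an assumed format).
LEAK = [
    "Alice@Example.com:Summer2019!",  # account exists, password still valid
    "bob@example.com:hunter2",        # account exists, password does not match
    "carol@example.com:letmein",      # no account on this platform
    "not a credential line",          # malformed entry
]

def triage(leak_lines, users):
    out = {"confirmed": set(), "precaution": set(), "no_account": set(), "malformed": 0}
    for line in leak_lines:
        email, sep, password = line.strip().partition(":")
        email = email.strip().lower()  # match accounts case-insensitively
        if not sep or "@" not in email:
            out["malformed"] += 1
            continue
        user = users.get(email)
        if user is None:
            out["no_account"].add(email)
        elif hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
            out["confirmed"].add(email)
        else:
            out["precaution"].add(email)
    out["precaution"] -= out["confirmed"]  # a confirmed hit outranks a miss
    return out

def accounts_to_reset(result):
    # Force a reset on every leaked address that has an account.
    return sorted(result["confirmed"] | result["precaution"])

if __name__ == "__main__":
    print(accounts_to_reset(triage(LEAK, USERS)))
```

The `confirmed` set separates accounts whose leaked password still works, which is where reuse across sites has actually exposed the account, from those reset only as a precaution.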