Binance CEO Changpeng Zhao says he is “pretty sure” that the API keys of trading bot platform 3Commas have been leaked. A representative of 3Commas has since confirmed that the company received a message from a hacker and that the leaked data is real.
I am reasonably sure there are widespread API key leaks from 3Commas. If you have ever put an API key in 3Commas (from any exchange), please disable it immediately.
Stay #SAFU.
— CZ 🔶 Binance (@cz_binance) December 28, 2022
Remove immediately
Zhao’s message is therefore a warning to remove the keys in question as soon as possible. “If you ever put an API key in 3Commas (from any exchange), delete it immediately. Stay safe,” Zhao said of the vulnerability.
If your keys are connected to 3Commas, the hackers may be able to control your funds. In principle, they cannot steal assets directly, but they can do so indirectly: by first buying tokens that have almost no volume with their own wallets and then selling them to you at much higher prices.
That is the danger of sharing API keys for a platform like Binance. It sounds like a safe and cool idea, until the platform behind the trading bot gets hacked. That is now the case, so the keys of a lot of people are no longer safe. Hopefully the damage is minor.
Investigation started
3Commas is investigating, and had found out earlier that API keys from the now-collapsed FTX were used for unauthorized trades. The 3Commas team was made aware of this on October 20. At that time, they indicated that the keys had not been leaked through 3Commas itself, but probably through a third party.
I strongly believe @tier10k is correct here, not 3Commas’ official response (BS). https://t.co/gV4DxVfxUZ
— CZ 🔶 Binance (@cz_binance) December 28, 2022
Now 3Commas itself also confirms that the keys have been leaked. “In order to take immediate action, we have asked Binance, KuCoin and other exchanges to revoke all keys associated with 3Commas,” a representative said:
3Commas Statement:
1) We have seen the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have requested that Binance, Kucoin and other supported exchanges revoke all keys that were connected to 3Commas. pic.twitter.com/ZMuzCqeF1j
— 3Commas (@3commas_io) December 28, 2022
“Only a small portion of the technical staff had access to the infrastructure and after November 16, we have already taken steps to completely block that access. New security measures have been implemented since then and it won’t stop there. We have launched a full investigation.”