A cryptocurrency exchange has been forced to reset customer passwords after a suspected data leak via social media, although its incident response efforts caused more confusion among some users.
US-based exchange Poloniex informed around 1% of its customer base that they had to reset their log-ins, following a tweet claiming to contain a list of leaked email/password combos. The company released a statement in a blog: “Our immediate priority was to ensure that our customers’ accounts were safe. As a result, we reset the passwords of potentially impacted customers, as users often reuse passwords or minor variants of the same password,” it explained.
“Our second priority was to determine the source of the leak and we can now confirm that neither this list, nor the information contained, originated from Poloniex. For those interested in our security protocols, we do not store passwords in plain text or a recoverable form, but rather we store them as salted bcrypt hashes.” In fact, 90% of the compromised passwords on that list have already appeared on breach notification site HaveIBeenPwned, it said.
Cryptocurrency exchange Poloniex issues password reset warning https://t.co/4fUmzeMqQT pic.twitter.com/ixIuUTiSo8
— Andres (@AndresCyberSec) January 5, 2020
Password reuse is one of the biggest security problems companies have today. Many users wrongly assume that a long or complicated password is safe to reuse across services. Attackers take advantage of exactly those repeated passwords, using credentials leaked from one site to gain access to accounts and identity systems elsewhere. To avoid this, companies and consumers alike should be aware of the password reuse problem and do everything in their power to use unique passwords, especially for sensitive apps.
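The two mechanisms the article touches on, storing passwords only as salted slow hashes and deciding which customers must be reset when a leaked email/password list surfaces, can be shown together in a short script. This is an added example, not Poloniex's code and not taken from its statement: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so it runs without third-party packages (the per-user salt and slow-hash pattern is the same), and the user table and leaked list are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt here so the example needs
# no third-party package. Like bcrypt, it is salted per user and deliberately
# slow; the iteration count is a constructed value, not a production setting.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2$<iterations>$<salt_hex>$<digest_hex>' with a fresh random salt.

    A new salt per user means two customers with the same password get
    different stored values, and a leaked hash cannot be checked against a
    precomputed table.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError(f"unsupported hash scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed sample user table (email -> stored hash). Not real customer data.
USERS: Dict[str, str] = {
    "alice@example.com": hash_password("correct horse battery staple"),
    "bob@example.com": hash_password("Winter2019!"),
    "carol@example.com": hash_password("hunter2"),
}

# Constructed sample of a posted email/password list, like the tweeted one.
LEAKED_COMBOS: List[Tuple[str, str]] = [
    ("alice@example.com", "wrongguess"),  # does not match her password: no reset
    ("bob@example.com", "Winter2019!"),   # reused elsewhere and leaked: reset
    ("carol@example.com", "hunter2"),     # reused elsewhere and leaked: reset
    ("dave@example.com", "letmein"),      # not a customer: ignore
]


def accounts_to_reset(users: Dict[str, str], leaked: List[Tuple[str, str]]) -> List[str]:
    """Return the customer emails whose current password appears in the leaked list.

    This is the defensive check an exchange runs on a third-party leak: the
    leaked list never reveals the stored hashes, but each leaked password can
    be verified against the account's own salted hash, and only accounts where
    it matches need a forced reset.
    """
    reset = set()
    for email, leaked_pw in leaked:
        stored = users.get(email)
        if stored is None:
            continue  # email is not one of our customers
        if verify_password(leaked_pw, stored):
            reset.add(email)
    return sorted(reset)


if __name__ == "__main__":
    for email in accounts_to_reset(USERS, LEAKED_COMBOS):
        print(f"force password reset: {email}")
```

Because the stored values are salted, the script cannot shortcut the check by comparing hashes directly; it has to run the slow hash once per leaked pair, which is also why such a check scales with the size of the leaked list rather than the size of the customer base. The same verification step is what prevents a leak from a different site from being useful against accounts whose owners chose a unique password.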