3Commas, a cryptocurrency trading platform, has said it was the victim of a data breach that resulted in API information being stolen.

An unnamed threat actor published 3Commas’ API database on Pastebin on December 28, according to the release.

According to the company’s official statement, “at this moment, 3Commas can regretfully confirm that some of 3Commas’ users’ API data (API keys, secrets, and passphrases) have been revealed by a third party,” the database is real and contains genuine information.

Theft of funds

While 3Commas has only seen API data revealed so far, they do not rule out the prospect of more data being acquired in the future. It warns that the API information might have been used by the hackers to link your exchange accounts to their own and make unlawful transactions.

The firm has informed its subscribers through email and a blog post, saying it has taken measures to secure their cash and has notified the FBI of the situation.

Ten thousand API keys were exposed, which is just 10% of the total database size of 100,000. The 3Commas bots often utilise these keys to trade automatically on cryptocurrency exchanges without any human intervention.

In light of this development, 3Commas has requested that all of its supported exchanges, which include some of the most prominent marketplaces including as Binance, Coinbase, and Kucoin, disable access to the service by removing any associated API keys. The organisation further suggested that consumers reissue keys on all associated devices (opens in new tab).

After doing more research into the breach, the firm determined that it was not an inside job: “Only a limited number of technical staff had access to the infrastructure, and we have taken actions since November 19 to terminate their access,” the company said in a Twitter post.

“Since then, we have introduced additional security measures and we will not stop there; we are conducting a complete investigation in which law enforcement will be engaged,” the business said.

Nonetheless, the harm has been done. Since November, threat actors have apparently been using exposed API keys to steal almost $6 million worth of cryptocurrency.