A cryptocurrency exchange has been forced to reset customer passwords after a suspected data leak via social media, although its incident response efforts caused more confusion among some users.
US-based exchange Poloniex informed around 1% of its customer base that they had to reset their log-ins, following a tweet claiming to contain a list of leaked email/password combos.
However, customers took to Twitter warning that the email itself was a phishing scam, forcing the exchange to re-emphasize its legitimacy.
It followed up with a blog post to clarify the situation.
“Our immediate priority was to ensure that our customers’ accounts were safe. As a result, we reset the passwords of potentially impacted customers, as users often reuse passwords or minor variants of the same password,” it explained.
“Our second priority was to determine the source of the leak and we can now confirm that neither this list, nor the information contained, originated from Poloniex. For those interested in our security protocols, we do not store passwords in plain text or a recoverable form, but rather we store them as salted bcrypt hashes.”
In fact, 90% of the compromised passwords on that list have already appeared on breach notification site HaveIBeenPwned?, it said.
“If you have a Poloniex account and did not receive an email from us related to this, you can be confident that your email address was not on the list,” the firm continued. “Less than 5% of the email addresses on the posted list were associated with Poloniex accounts.”
The incident highlights the growing difficulty online firms face in convincing customers that urgent communications are legitimate, given the continued epidemic of phishing scams.
Following the collapse of UK travel agency Thomas Cook last year, UK banks were criticized for sending unsolicited text messages to affected customers containing clickable links.