Crypto exchange Poloniex denies data leak after resetting passwords for some users

Poloniex said Thursday that account information circulating on social media did not originate from the cryptocurrency exchange.

On Monday, Poloniex contacted some of its users after a tweet circulated featuring a list of email addresses and passwords and claiming that the information could be used to log into Poloniex accounts. In response, the exchange emailed all potentially impacted users and informed them of a forced password reset on their accounts. 

"Earlier this week we emailed a small group of our customers (about 1% of our total base), requiring them to reset their Poloniex password in response to a tweet claiming to contain a list of leaked email addresses and passwords," the exchange said in its statement. "To confirm, there was no information or data leak originating from Poloniex and our actions represented a swift response to an external threat."



In its new statement, Poloniex said that "our investigation has concluded that approximately 90% of the passwords listed already appear in the list of exploited passwords. Additionally, our security team is in touch with and has requested that they update their database to include additional missing information we have identified."

Poloniex emphasized that it does not store users' passwords in plain text or any recoverable form. Rather, it stores them as salted bcrypt hashes.

Additionally, Poloniex stated that "[l]ess than 5% of the email addresses on the posted list were associated with Poloniex accounts."

About Author

Yilun joined The Block in November 2019. She has a policy background and extensive experience in reporting and writing. She has worked on stories ranging