3Commas API Leak Highlights Yet Another Way to Lose Your Money - Securities.io

In today's digital age, it's more important than ever to be aware of the potential risks of online security breaches such as API leaks, as they can lead to the loss of personal information and financial data.

API leaks occur when a third party accesses a company's API (Application Programming Interface) without permission. This can happen when a company's API is not properly secured, or when hackers are able to exploit a vulnerability in the system. And once a third party has access to a company's API, they can potentially access sensitive data, such as customer credit card information or account balances.

API leaks can have serious consequences for both companies and consumers. Companies can face hefty fines and damages if customer data is compromised, while consumers can suffer from financial fraud or identity theft. So, let’s take a deep dive to understand it better!

Understanding API Key

An API key is a unique identifier that is used to authenticate requests to an API (Application Programming Interface). It is a way for the API to identify the developer or system making the request and to ensure that only authorized requests are processed.

API keys are often used to track and control the usage of an API, and to ensure that the API is not being abused or overused. They are usually generated by the API provider, and are often accompanied by a secret key to authenticate the API key and ensure it is being used by an authorized source.

In order to use an API that requires an API key, the system must include the key in the requests that are made to the API. This is usually done by including the key in the request header or as a query parameter in the request URL.
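The key-plus-secret arrangement described above, sketched as an added example (not code from 3Commas or any exchange): the key travels in a request header as an identifier, while the secret is used only to compute an HMAC signature that the server recomputes and checks. The header names, the message layout, the 30-second replay window and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample credentials; real ones are issued by the API provider.
API_KEY = "demo-key-0001"
API_SECRET = b"demo-secret-not-a-real-credential"

# Server-side store mapping each API key to its secret (constructed).
KEY_STORE = {API_KEY: API_SECRET}
MAX_SKEW_SECONDS = 30  # assumed replay window


def sign_request(api_key, secret, method, path, body, timestamp):
    """Client side: headers carry the key ID and an HMAC of the request."""
    message = f"{timestamp}\n{method}\n{path}\n{body}".encode()
    signature = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return {
        "X-API-Key": api_key,          # hypothetical header names
        "X-Timestamp": str(timestamp),
        "X-Signature": signature,
    }


def verify_request(headers, method, path, body, now):
    """Server side: return (accepted, reason) for an incoming request."""
    secret = KEY_STORE.get(headers.get("X-API-Key", ""))
    if secret is None:
        return False, "unknown key"
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    message = f"{timestamp}\n{method}\n{path}\n{body}".encode()
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the signature byte by byte.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    hdrs = sign_request(API_KEY, API_SECRET, "POST", "/orders", '{"qty": 1}', now)
    print(verify_request(hdrs, "POST", "/orders", '{"qty": 1}', now))
```

Software that acts on a user's behalf has to hold both the key and the secret in order to sign requests, so whoever obtains its stored credentials can produce signatures the server will accept.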

There are two types of API keys: private and public. Private APIs are usually only accessible to a specific group of users or systems, and are often used to access sensitive or proprietary data or functionality. Public APIs, on the other hand, are often used to access data or functionality that is available to the general public. Public API keys are typically issued to any developer or system that wants to use the API.

How are they used in trading?

API keys are often used in trading to access a financial trading platform, such as a stock exchange or a cryptocurrency exchange.

They allow developers to build applications that can interact with crypto exchanges and execute trades on behalf of the user. They then can be used to view account information, retrieve real-time market data, place orders, and manage positions, among other things.

The idea is that humans don’t have to do the hard work of thinking through or executing their trades. Instead, it's all done instantly and automatically via code. That holds only until the wrong people get access to the APIs, as that access is all they need to wreak havoc.

After all, API keys are typically generated by the exchange, and the user must provide the key to the trading software in order to access the API.

Dangers of Using API Keys in Trading

While API keys can be very convenient, they can also pose a security risk. For instance, if an API key is compromised, it can be used to gain unauthorized access to an account or to execute trades on behalf of the user and siphon off funds.

Also, if the key is used to access sensitive financial information, such as account balances or trade history, it could be used to defraud you or commit other crimes.

Moreover, API leaks are often difficult to detect because they tend to occur within the code of an application or service, rather than in the database or server. As such, they can go undetected for quite some time.

3Commas API Leak

Just last week, it was speculated that millions of dollars worth of crypto had been stolen through compromised API keys from the Estonia-based trading platform 3Commas, which was backed by Sam Bankman-Fried’s Alameda Research. This week, the company admitted that it was the source of the API leak.

3Commas’ announcement came after an anonymous Twitter user obtained around 100,000 API keys belonging to the trading software provider’s users and published over 10,000 of the keys online, saying the rest “will be published full [sic] randomly in the upcoming days.”

Since then, 3Commas has asked supported crypto exchanges like Binance, Kucoin, and others to revoke all the API keys that were connected to the trading platform.

The leak comes after dozens of 3Commas users claimed that their API keys were used to execute trades on exchanges such as KuCoin and Coinbase without their consent. The platform confirmed that users lost at least $6 million to attackers starting in October, but that sum has doubled in recent weeks.

Initially, 3Commas had insisted that there was no security issue on its end and that a phishing attack caused users to give up their data. But the data dump shows that users’ credentials were leaked rather than phished.

3Commas is a popular cryptocurrency trading bot that enables users to automate their trading on third-party exchanges. The app uses API keys to access users' accounts on the exchanges, and it appears that the API keys included in this week's leak were generated on Binance and KuCoin.

According to blockchain sleuth @ZachXBT, a group of 44 victims has lost a total of $14.8 million through API keys stolen from 3Commas. At the time, 3Commas CEO Yuri Sorokin argued that if the leaked API keys had been from 3Commas, “you would've seen millions of cases, not a hundred.”

There are more than 1 million keys connected to 3Commas but only ~100 users reported issues with their accounts, Sorokin added. This week, users blasted 3Commas for blaming its own users instead of taking responsibility and focusing on preventing further exploits.

Before 3Commas’ statement came this week, Binance CEO Changpeng Zhao cautioned users, saying: “I am reasonably sure there are wide spread API key leaks from 3Commas. If you have ever put an API key in 3Commas (from any exchange), please disable it immediately.”

3Commas is now encouraging users to generate new API codes out of precaution. Moreover, they have also updated the app to make future phishing scams more difficult to pull off.

Meanwhile, 3Commas’ legal team said in a statement that the firm was in the process of hiring outside experts to review its code and settle things definitively for users.

“Only a miniscule fraction of users reported abnormal activity to 3Commas. 99.9% of the API keys stored in 3Commas database have not been impacted by the attacks,” the legal team added.

Protective Measures

In today's world, protecting your API is more important than ever, due to the direct access it provides to applications and data. You cannot simply say your API is safe today. API security is needed now more than ever.

Not securing an API correctly could get you into a lot of trouble. So, be sure to only do business with reputable companies, and never share your sensitive data with anyone unless you're absolutely sure it's safe to do so.

Another way to protect against API leaks is to keep your applications and services up-to-date and have a plan for updating them on a regular basis. This way, you can ensure that any new vulnerabilities are patched as soon as possible. Additionally, you should consider using a web application firewall (WAF) to help block malicious requests.

Always keep your API key safe and secure, and never store it in a place where it could be easily compromised. It's important to change your API keys regularly and not share them with anyone, not even those you trust. If you must share them, make sure to do so using a secure method such as a password-protected file.

If you ever suspect that your API key has been compromised, immediately change it and notify your exchange. To further protect yourself from these risks, it is important to change your passwords regularly and never use the same password for multiple accounts. By taking these precautions, you can help to keep your account safe and secure.

Final Word

API leaks are nothing new. In fact, they've been around for quite some time. And while they may not be the most common form of a data leak, they can still be quite damaging. This is because, unlike other types of data leaks, API leaks can give attackers direct access to your most sensitive data.

While not the only way to lose money, an API leak is certainly a major concern. So, it is important to use API keys in trading responsibly, to be aware of the potential risks and limitations of using them, and to take the necessary precautions to protect your money and your information.

Gaurav started trading cryptocurrencies in 2017 and has fallen in love with the crypto space ever since. His interest in everything crypto turned him into a writer specializing in cryptocurrencies and blockchain. Soon he found himself working with crypto companies and media outlets. He is also a big-time Batman fan.