Coinmama User Data Breached

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 12:58, 1 May 2023 by Azoundria (talk | contribs)

Coinmama

The Coinmama cryptocurrency-trading platform suffered a breach of stored information on 450,000 customers, including login and hashed password data for any users registered prior to August 2017. The hackers were apparently selling the information online for bitcoin, including 70,000 cracked passwords. Coinmama issued a notice to all affected users and prompted them to change their passwords.

This exchange or platform is based in Ireland, or the incident targeted people primarily in Ireland.[1][2][3][4][5][6][7][8][9][10]

About Coinmama

"Coinmama provides a cryptocurrency exchange platform for trading digital currency globally." "We’re Coinmama, a financial service that makes it fast, safe and fun to buy digital currency, anywhere in the world. We believe that the future of money is one where we, the people, are in control of our own economy. A future where there’s no place for middle-men, hidden fees and fine print."

"To deliver on that promise, we have come to work every day since 2013 to create the simplest financial service out there - spoken in a language you can understand, and backed by customer service you can count on."

"As a financial service, Coinmama is committed to the highest security and privacy standards. This also helps us keep your account safe, fight fraud, and more."

"Coinmama platform is operated by Cmama Ltd., 3 Ballsbridge Park, Ballsbridge, Dublin, Ireland, D04 C7H2, a daughter company of New Bit Ventures Ltd company #514907880 (which owns the Coinmama brand and platform). Cmama Ltd. is a regulated entity registered as Money Service Businesses with FinCEN (#31000172638926). Transactions are carried out with Cmama Ltd. and processed by New Bit Ventures Ltd."

"Israeli crypto brokerage Coinmama announced on Feb. 15 that 450,000 users’ data was breached, in part of a massive cyberattack that targeted 24 companies." "The Slovakia-registered exchange announced that a list of emails and hashed passwords belonging to Coinmama users were discovered on a dark web marketplace."

“Today, February 15, 2019 Coinmama was informed of a list of emails and hashed passwords that were posted on a dark web registry. Our Security Team is investigating, and based on the information at hand, we believe the intrusion is limited to about 450,000 email addresses and hashed passwords of users who registered until August 5th, 2017. This comes as part of a larger breach affecting 30 companies and a total of 841 million user records,” Coinmama said in an official post.

"This list included details related to 450,000 users who had registered their accounts before August 5, 2017, Coinmama confirmed." "Coinmama says a list of around “450,000 email addresses and hashed passwords” of users who registered on its platform before Aug. 5, 2017 have been posted on a dark web registry."

“As of February 15, 2019, there has been no evidence of this data being used by perpetrators. Given the dated nature of the published data, we have no reason to suspect that any other Coinmama systems are compromised. Coinmama does not store credit card information.” "The Coinmama-related data is currently being offered by the hacker for 0.351 Bitcoin (US $1358), with the promise of as many as 70,000 cracked passwords."

"Coinmama claims the breach was part of a wider hack affecting companies such as MyFitnessPal, Houzz, and dating app Coffee Meets Bagel." "The breach is reportedly part of a mammoth, multi-platform hack that affected 24 companies and a total of 747 million records — among them gaming, travel booking and streaming sites." "According to TechCrunch, most sites affected used the open source PostgreSQL database software. It’s thought that an attacker might be using the same exploit in order to gain access to backend databases."

“There are many factors that need to be taken into consideration when securing a database system that go beyond the database software. We have often found that data breaches into a PostgreSQL database involve an indirect attack vector, such as a flaw in an application accessing PostgreSQL or a suboptimal policy around data management,” said Jonathan Katz. “When it comes to vulnerabilities, the PostgreSQL community has a dedicated security team that evaluates and fixes issues and, in the spirit of open source collaboration, transparently reports on and educates our users about them.”

"The hacker, whose identity isn’t known, began listing user data from several major websites — including MyFitnessPal, 500px and Coffee Meets Bagel, and more recently Houzz and Roll20 — earlier this week. This weekend, the hacker added a third round of data breaches — another eight sites, amounting to another 91 million user records — to their dark web marketplace."

"Coinmama established an Incident Response Team to identify the nature of the intrusion. The company also took additional security measures to thwart further loss and notified the affected users to reset their passwords upon next login and urged all other users to verify that their passwords are unique and strong."

"Aside from immediately notifying users, Coinmama says its response team is requiring all potentially affected users to reset their passwords upon login, as well as monitoring its array of systems for suspicious activity or unauthorized access. The platform says it is working to enhance its safeguards and track any external signals that the compromised data is being used."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Coinmama User Data Breached
Date | Event | Description
February 15th, 2019 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

No funds were lost.

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References