Earlier this week we emailed a small group of our customers (about 1% of our total base), requiring them to reset their Poloniex password in response to a tweet claiming to contain a list of leaked email addresses and passwords. To be clear, there was no information or data leak originating from Poloniex; our actions were a swift response to an external threat.
Our immediate priority was to ensure that our customers’ accounts were safe. As a result, we reset the passwords of potentially impacted customers, as users often reuse passwords or minor variants of the same password. Our second priority was to determine the source of the leak and we can now confirm that neither this list, nor the information contained, originated from Poloniex. For those interested in our security protocols, we do not store passwords in plain text or a recoverable form, but rather we store them as salted bcrypt hashes.
Specifically, our investigation has concluded that approximately 90% of the passwords listed already appear in the haveibeenpwned.com list of passwords exposed in previous breaches. Additionally, our security team is in touch with haveibeenpwned.com and has asked them to update their database with the missing entries we have identified.
If you have a Poloniex account and did not receive an email from us related to this, you can be confident that your email address was not on the list. Less than 5% of the email addresses on the posted list were associated with Poloniex accounts.
Below is the email that customers received.
Hi Poloniex Customer,
A couple of hours ago we discovered that someone leaked a list of email addresses and passwords on Twitter, claiming the information could be used to log in to Poloniex accounts. While almost all of the email addresses listed do not belong to Poloniex accounts, we are forcing a password reset on any email addresses listed that do have an account with us, including yours.
We take the security of customer information very seriously and never store passwords or other sensitive information in plain text (for the technically inclined, we store a salted bcrypt hash). Therefore, we cannot confirm if the password listed with your email address is the password you use on Poloniex. As a security precaution, we have forced a reset of your Poloniex password and recommend changing your password on any other site where you may have reused login information.
For details on how to reset your Poloniex password, please visit our Help Center article here. We recommend selecting a unique, secure password and enabling two-factor authentication (2FA) on your account if it is not currently enabled. Please find instructions on how to enable 2FA in this Help Center article.
Thank you for being a Poloniex customer and helping us to maintain the security of your account. If you have any questions, please reply to this email and we will be happy to walk you through any of these steps.