3Commas Security Update

Security Alert for 3Commas Users

23 October. 16:00 GMT Update

Dear 3Commas community, I have a quick update as more information has come in over the course of this weekend.

On the 20th of October, the 3Commas team was alerted to an unauthorized trading incident involving the use of a partner exchange’s API keys stolen from 3Commas users. The theft occurred outside of the 3Commas system, via a phishing attack conducted on inauthentic websites mocked up to resemble the 3Commas interface. There have been no breaches of either 3Commas' account security and API encryption systems, nor the account security and API encryption systems of our partner exchanges. 

Only three users claim to have been affected at this time. There are a number of individuals on social media channels claiming to be victims of this phishing attack who we have verified are not 3Commas customers. They are making claims that are factually inaccurate and confusing to users.

3Commas, in cooperation with our partner exchanges, is conducting an investigation of this incident to ensure our user community remains protected and feels safe to trade. We are working directly with the three individuals who claim to have been affected so that we can ascertain more details regarding how they stored their API keys and other sensitive data. 

I'd like to reiterate that phishing attacks are heavily prevalent anywhere transfers or trades of currencies happen. While 3Commas is doing everything possible to support our users, and our systems remain secure, I'm urging you to review the account security protocols outlined at the bottom of this post so that you can significantly reduce your odds of falling victim to these predators.

Here are the facts as of October 23, 2022 at 16:00 GMT

• There have been no breaches of 3Commas' or any partner exchange’s account security databases, and no encryption protocols have been compromised. 
• No API keys have been leaked from 3Commas or partner exchanges. 
• The API keys used in this attack came from phishing attacks utilizing websites that replicated the 3Commas interface and captured users’ API keys when they attempted to connect their exchange accounts. 
• These stolen API keys were used to place unauthorized trades using DMG cryptocurrency trading pairs on a partner exchange. 
• 3Commas has cooperated with partner exchanges to identify accounts with suspicious activity and disabled API keys that may have been compromised from the user’s side. 
• There are three 3Commas users who claim to have been affected by this situation. We are in contact with them to provide support and discover exactly how their API keys were stolen. 

If you believe you may have been a victim of this phishing scheme, 3Commas is ready to help you with all the tools at our disposal. Please reach out to our support team [email protected] and also follow the steps outlined at the bottom of this post to renew your API keys with your exchanges and change your passwords.

21 October. 16:00 GMT

Dear 3Commas Community,

On the 20th of October, the 3Commas team was alerted to an incident that occurred where a number of partner exchange API keys connected to 3Commas and used to perform unauthorized trades for DMG cryptocurrency trading pairs on partner exchange accounts.

As further information has come in, 3Commas has been informed that traders who have never used 3Commas were also affected by what appears to be a 3rd party phishing or hacking attack of some kind.

During a collaborative investigation conducted by 3Commas and our partner exchanges, a number of API keys were found to be linked to new 3Commas accounts that were created and used for the first time to perform unauthorized trades for the DMG trading pairs on the partner exchange. The API keys were not taken from 3Commas but from outside of the 3Commas platform.

Our team widened the investigation and found several fake 3Commas websites that were used to "phish" 3Commas users by replicating the design of the 3Commas web interface and captured API keys from 3Commas users that had accidentally used the fake website to try and connect their exchange accounts.

The API keys were then stored by the fake website and later used to place the unauthorized trades on the DMG trading pairs on the partner exchange.

Due to the scale and sophistication of the attack we also suspect that 3rd party browser extensions or malware may also have been used.

As a precaution, the partner exchange and 3Commas have identified accounts that had possible suspicious activity and disabled the API keys which may have been compromised.

If you have an exchange account connected to 3Commas and it is saying the API is "invalid" or "requires updating", then it is possible your API details were compromised and the API key has been deleted by the partner exchange. We urge you to create new API keys on that exchange and update your linked exchange accounts in 3Commas using the guide below to ensure any trades or deals you have active will be unaffected.

As a reminder, it is imperative that you keep your accounts secure:

• Always use 2FA on your 3Commas, crypto exchange, and any financial services accounts - How to enable 2FA
• Do not share or save any passwords or API keys and Secrets; do not store these on cloud enabled services
• Do not rely on search engines to take you to official log-in pages; type the address directly into your browser address bar and bookmark it for easy access
• Regularly run virus and malware scans on your devices that are used to access crypto and financial services

Always check the address to ensure the page is authentic.

Click here for other useful tips for maintaining account security.