API security incident FAQ for 3Commas customers


API key leak security incident FAQ

What is the API keys disclosure incident?
On December 28th, 2022, it was brought to our attention that a group of bad actors had posted sample files containing 100k 3Commas customers’ API keys. At this moment we are actively investigating the incident and are taking all necessary steps to contain the situation and prevent any future disclosure incidents.

How did this happen?

We have been targeted by criminal hackers who have, it appears, somehow obtained access to part of our database.  We have hired a cyber security expert to help us establish how this crime was achieved.  At present, that investigation is ongoing and we do not know how the criminals got through the barriers.

Who is behind this?

We don’t know yet. But we are working with experts and law enforcement agencies to identify the criminals involved in this attack. We will keep you posted.

What information do the hackers have?

We do not know the full extent of their intrusion at present and this forms part of the investigation. What we know for sure is that at least 100k Binance and Kucoin API keys and secrets have been exposed.

What do you make of the fact that the hackers say they did this to teach you a lesson for bad security?

This is clearly no white hat hacking.  This is a criminal attack from an organization that is doing it for financial gain.  No matter how the hackers wish to portray this, this is a crime for which there are consequences.

When did the intrusion happen?

Based on the sample data published by the attackers, we believe it took place in the October/November time frame.

Given that it is now January, why have you been so reticent to communicate about this properly? 

We did not know about the attack on our infrastructure before the public statement by the attackers on Dec 28. All the information we had available told us it was not coming from us. Once it became evident that our database had been exposed, we immediately took action to address the intrusion. We contacted the exchanges to revoke all API keys, launched a new investigation, and contacted law enforcement. Our previous assumptions were wrong. We promise we will continue to communicate openly and honestly with our community via our blog and social media channels and share as much information as we can.

How much money have the hackers taken?

We will make this public once the investigation is complete.

Will you be compensating your users who have lost out because of the security incident?

We are investigating how this crime was perpetrated.  We had strong security systems and protocols in place and yet it appears that the hackers were able to overcome these, as they have with many other organizations.  We will have more to say once that investigation concludes.

So will you be compensating users?

We cannot address that until the investigation concludes.

I suspect malicious activities in my account, what should I do?

If you suspect your funds and/or account are impacted by this situation, we would like to get in touch with you. Please reach out to us via our support chat to open a case.

I have reached out to 3Commas customer support and am waiting for a response, what can I do?

Due to the API disclosure incident our support team is experiencing unusually high loads of incoming requests. You can expect some delays in our response, but rest assured, we are working around the clock to get back to you ASAP.

Is 3Commas safe to use?

We are confident that the changes made by 3Commas, with the introduction of the Sign Center that isolates at both infrastructure and access levels, will ensure the security of our system.  But in addition, we are expanding the IP whitelisting functionality to allow users greater control of their security choices. You can follow the status on extra security layers for the exchanges here.

What is a Sign Center?

The Sign Center is secure API key storage that is isolated at both infrastructure and access levels to ensure the security of our systems. When 3Commas makes a trade request with an exchange, 3Commas servers ask the Sign Center to sign a transaction that needs to be executed, very similar to how you would have MetaMask or Ledger sign a transaction. As of today, most of the exchanges have been transferred to the Sign Center already. Please see our exchange security layer table for the latest updates.
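
The pattern described above, as an added sketch that is not 3Commas code: the application tier stores only key identifiers and asks a separate signer to sign each request, so a dump of the application database contains no API secrets. HMAC-SHA256 over the query string, the endpoint allowlist, and every class name, path and key value here are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode


class SignCenter:
    """Isolated signer: holds API secrets and exposes signing only."""

    # Assumed policy with constructed paths: only order placement is signable.
    ALLOWED_PATHS = frozenset({"/example/order"})

    def __init__(self):
        self._secrets = {}  # key_id -> secret bytes, never returned to callers

    def enroll(self, key_id, secret):
        self._secrets[key_id] = secret.encode()

    def sign(self, key_id, path, params):
        if path not in self.ALLOWED_PATHS:
            raise PermissionError(f"signing refused for {path}")
        secret = self._secrets.get(key_id)
        if secret is None:
            raise KeyError("unknown key id")
        payload = urlencode(sorted(params.items()))
        return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


class TradingServer:
    """Application tier: its database maps users to key ids, not secrets."""

    def __init__(self, signer):
        self.signer = signer
        self.accounts = {}  # user -> key_id

    def build_request(self, user, path, params):
        sig = self.signer.sign(self.accounts[user], path, params)
        return f"{path}?{urlencode(sorted(params.items()))}&signature={sig}"


def demo():
    """Return (signed order request, whether a withdrawal was refused)."""
    signer = SignCenter()
    signer.enroll("key-1", "constructed-secret")  # constructed sample secret
    app = TradingServer(signer)
    app.accounts["alice"] = "key-1"
    order = app.build_request("alice", "/example/order",
                              {"symbol": "BTCUSDT", "qty": "1"})
    try:
        app.build_request("alice", "/example/withdraw", {"amount": "1"})
        return order, False
    except PermissionError:
        return order, True
```
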

What should I do to protect myself?

We have created a special page showing extra security layers for each of the exchanges and the steps that you can take to secure your API keys. Please check the page to see whether your API keys have been revoked by the exchange. If they haven’t, we ask you to re-issue your keys immediately. Check out the security page here.