Announcement: Security breach

Dear Crypkit testers and users,

unfortunately we have some serious news. We have been hacked couple of days ago and 2 accounts seem to have lost some funds.

What happened?

  • Despite our robust security efforts, it seems that Crypkit database have been compromised. We are investigating to find out exactly what vulnerability has been exploited and what exact data leak has occured.
  • Please note it is impossible to lose your crypto funds in case you insert “read only” API key to Crypkit. Issue of losing funds can only happen in case of (incorrect) insertion of API keys that have trading rights. So despite the vulnerability and breach of some of our data none but 2 of Crypkit users have lost funds because it is impossible to be hacked via “read-only” API.
  • Trading enabled API doesn’t let attacker withdraw funds, but it enabled him to place many trades, which are against the benefit of account holder. Attacker can then act as a counter party in those trades and profit from them.
  • One of the accounts affected is one of our users with whom we are in contact.
  • Second account affected is one of our own, where we have (while testing advanced features) added trading rights to one of the API keys. So whilst it is sad we lost some money too we are grateful this mistake happened to us and not to another one of our customers.
  • Both affected accounts belong to Binance exchange.

We would therefore like to remind you to not use any exchange API keys that have trading or withdrawal rights.

We urge every single one of our clients to double check their accounts if their APIs used in Crypkit (especially Binance) are set to “read only” and unable to trade nor withdraw any funds. If API can not be set to “read only” we recommend to switch it off completely and use Manual Entries instead.

Until we make sure everything is safe, Crypkit has been disconnected from all the crypto exchanges. We are currently analysing the situation.

If you are concerned about your API keys, disable them immediately and check your balances on all your exchanges.

Next steps

  • We have already sent an e-mail to our users explaining what happened and what precautions should they take.
  • We are investigating the exact details of the data breach. And we will proactively communicate with everyone affected.
  • We will intensify warnings to our customers to only use “read only” API keys. We try to do our best to emphasize to everyone to only use read only APIs but mistakes naturally happen and we need to do better to proactively warn customers about this.
  • Despite the fact that security of our database have been a major focus point so far, we will increase our security and anti-penetration measures even further to prevent such a data breach from reocurring.
  • Crypkit will be down for maintenance, until we fix every vulnerability we can find (est. until 15th of January).

If you inserted any API keys into Crypkit, we advise you to:

1. Reset all API keys.
2. Set all your API keys to read only.
3. Restrict your API keys to your IP address only (if possible).

We are actively communicating with Binance and law enforcement to put attacker to justice and possibly retrieve stolen funds. We will let you know once we have any new information.

If you have any question, please contact us on info@crypkit.com.

We sincerely apologize for any inconvenience.

Best regards and Happy New Year!
Crypkit Team

Leave a Reply