Dilation Effect Research: A Deep Dive into Mainstream Exchange Account Password Leaks
This article is jointly published by Dilation Effect and WuBlockchain.

Evaluating the security measures of cryptocurrency exchanges is a complex task, as insight into the specifics of their internal security investments is hard to obtain. Dilation Effect previously analysed smart contract approvals, a distinctive dimension, to scrutinize the wallet addresses of top industry exchanges and institutions. This time we approach the issue from both the attacker's and the user's perspective and analyze the security mechanisms of mainstream exchange accounts, since these directly affect the safety of user funds.

I. Password Leaks in Mainstream Exchange Accounts

We filtered domain names associated with mainstream exchanges using publicly available data breach search websites. Our data sources included the dark web, file-sharing platforms, and historical datasets of leaked account information. It is worth noting that malicious actors undertake the same searches.

We began with Binance.com and were alarmed to discover over 8,000 plaintext records containing usernames and passwords. Here are some excerpts for illustration:

Randomly selecting samples from this data, we attempted to log in and found that numerous account-password pairs were entirely accurate. Some attempts even advanced directly to the two-factor authentication (2FA) stage, as demonstrated by the following example for the account mar*@gmail.com:

If a user's email account uses the same credentials as their exchange login, an attacker can effortlessly obtain the email verification code required for 2FA and gain access to the user's Binance account. This is a startling finding. It is important to emphasize that our verification attempts concluded at this point, with no further actions taken.

Dilation Effect compiled preliminary statistics on password leaks for over ten mainstream exchanges, each yielding thousands of records.
The magnitude is outlined in the table below:

The scale of the issue is disconcerting. Due to time constraints, Dilation Effect did not individually verify each leaked account-password pair. Through random sampling, however, we found that every exchange's leaked data contained correct entries; we estimate the initial accuracy rate at roughly 10% to 20%.

It is crucial to note that account and password leaks do not, in isolation, automatically result in financial losses for users. Exchanges typically offer additional layers of security such as 2FA. Users nevertheless remain at risk if their security settings are inadequate, for instance if they rely exclusively on email verification or if their other authentication factors are compromised. Next, we examine the security strength of common 2FA mechanisms.

II. Security Comparison of Common 2FA Mechanisms

Let's begin with an overview of the security levels associated with various 2FA factors:

Dilation Effect believes that standard user email accounts offer relatively fragile security, and email verification codes are not a stable security factor. In today's landscape, an account whose only 2FA method is email verification can be considered effectively unprotected. Major internet service providers have suffered large-scale leaks of usernames and passwords, and email service providers may harbor unknown vulnerabilities, which together leave many user mailboxes in an insecure state. In summary, the security of email verification is notably low.

SMS verification codes are also vulnerable in numerous attack scenarios.
These include targeted attacks using fake base stations: a high-value user may be surveilled and a rogue base station deployed near the target to intercept SMS messages. Another example is the SIM-swapping attack favored by the Lapsus$ group. In SIM swapping, attackers, often using social engineering, impersonate the user to have the phone number transferred to a SIM under the attacker's control. With eSIM technology, the application and activation can be completed online, which streamlines the process; Twitter founder Jack Dorsey's Twitter account fell victim to such an attack. Lawful interception by telecommunications providers is a further concern. Given these scenarios, the security level of SMS verification is relatively low.

In contrast, TOTP (Time-based One-Time Password) and Security Key-based methods face fewer threats. Dilation Effect recommends that users, at the very least, configure Google Authenticator as their fundamental security setting; users with higher security requirements may opt for physical Security Keys. If a user has set up only email or SMS verification, it is only a matter of time before the account falls prey to attackers. Several exchanges now also support passkeys, a robust mechanism that lets users replace traditional passwords altogether; users are encouraged to familiarize themselves with these options.

III. Recommendations for Exchanges

Exchanges should immediately initiate emergency response protocols to investigate instances of leaked user account passwords, guide affected users to change their passwords, and have them strengthen their account security settings. Regular monitoring for leaked user credentials is also essential. Those uncertain how to identify leaked password data for their users are welcome to contact Dilation Effect for assistance (dilationeffect@gmail.com).
We propose that exchanges adopt a "Secure by Default" design approach that prioritizes user account security, so that an account is in a relatively secure state once its security settings are configured. One such design principle is to require Google Authenticator binding as the security baseline: users are guided through the setup during registration, and sensitive operations such as withdrawals are permitted only once it is in place.

IV. Recommendations for Everyday Users

Respect the importance of network security. Attackers are persistent, while most users have limited security knowledge; even prominent figures like Vitalik have had their X accounts hacked. Do not neglect account security settings for the sake of a momentarily convenient withdrawal, as regret usually follows an attack. At the very least, enable Google Authenticator on your accounts. Additionally, a useful website lets users periodically check whether their email passwords have been compromised, and is worth bookmarking: https://haveibeenpwned.com

About Dilation Effect

Dilation Effect is a recently established Web3 security community comprising practitioners in network security from around the world. We focus on sharing objective and neutral Web3 security perspectives.
Dilation Effect will continue to release Web3 security perspectives, review the security of Web3 products and protocols in the industry, and provide timely and effective security alerts to ordinary users. Follow us on https://twitter.com/dilationeffect.

Follow us
Twitter: https://twitter.com/WuBlockchain
Telegram: https://t.me/wublockchainenglish