We are seeing a spate of failed login attempts at the moment. You can rest assured that Cryptopia has not been compromised. Read below for more information and answers to common questions.
I'm getting failed login attempts on my account, why?
An individual or group is currently attempting to log into accounts on crypto sites, including Cryptopia, using a list of email addresses and passwords. The attempts are failing, which means the passwords they are trying are not the ones set on Cryptopia; the list must have been obtained somewhere else. This pattern is commonly called credential stuffing: leaked email:password pairs from other sites are replayed against many services in the hope that some users reused the same password. It does not originate from Cryptopia. The most likely case is that they have purchased or found a collection of previously compromised credentials on the dark web, assembled from a variety of sources. This is fully backed up by what we uncovered when investigating these reports (see below), and by the fact that the attempts are failing.
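The difference between this activity and a password-guessing attack shows up clearly in authentication logs. The following is an added example, not Cryptopia's own code or detection logic: it runs over a handful of constructed log lines (the line format, IP addresses and email addresses are all assumptions) and labels a source as credential stuffing when its failures are spread across many accounts with only a few tries each, versus brute force when they pile onto a single account.

```python
"""Added example (not Cryptopia's own code): classify failed-login activity in
constructed auth log lines as credential stuffing (a leaked email:password
list walked across many accounts) versus brute force (many passwords tried
against one account). The log line format is an assumption."""
from collections import defaultdict

# Constructed sample log lines: "<time> <src_ip> <email> <result>".
SAMPLE_LOG = """\
12:00:01 203.0.113.7 alice@example.com FAIL
12:00:02 203.0.113.7 bob@example.com FAIL
12:00:02 203.0.113.7 carol@example.com FAIL
12:00:03 203.0.113.7 dave@example.com FAIL
12:00:03 203.0.113.7 erin@example.com FAIL
12:00:04 203.0.113.7 frank@example.com FAIL
12:00:10 198.51.100.9 alice@example.com FAIL
12:00:11 198.51.100.9 alice@example.com FAIL
12:00:12 198.51.100.9 alice@example.com FAIL
12:00:13 198.51.100.9 alice@example.com FAIL
12:00:14 198.51.100.9 alice@example.com FAIL
12:00:15 198.51.100.9 alice@example.com FAIL
12:01:00 192.0.2.44 alice@example.com OK
"""


def parse(log_text):
    """Turn the constructed log text into (time, ip, email, success) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, email, result = line.split()
        events.append((ts, ip, email.lower(), result == "OK"))
    return events


def classify_sources(events, min_failures=5, max_tries_per_account=3):
    """Return {ip: label} for every source IP with at least min_failures failures.

    'credential_stuffing': failures spread over several accounts, each account
        tried at most max_tries_per_account times (one leaked pair per account).
    'brute_force': every failure is against the same account.
    'mixed': several accounts, but at least one hammered repeatedly.
    """
    fails = defaultdict(lambda: defaultdict(int))  # ip -> email -> failure count
    for _, ip, email, ok in events:
        if not ok:
            fails[ip][email] += 1

    labels = {}
    for ip, per_account in fails.items():
        total = sum(per_account.values())
        if total < min_failures:
            continue  # too little activity to call either way
        if len(per_account) == 1:
            labels[ip] = "brute_force"
        elif max(per_account.values()) <= max_tries_per_account:
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "mixed"
    return labels


if __name__ == "__main__":
    print(classify_sources(parse(SAMPLE_LOG)))
```

On the constructed data, 203.0.113.7 touches six accounts once each (credential stuffing), while 198.51.100.9 hits one account six times (brute force); the successful login from 192.0.2.44 is ignored because only failures are counted. The thresholds are arbitrary starting points to be tuned against real traffic.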
What should I do?
Ensure you are following good security practices. It is vital that you use a unique password for your login. Strong two-factor authentication, such as an authenticator app (e.g. Google Authenticator or Authy), is also highly recommended. If you are using both of these and getting failed login attempts, you can be assured that the credentials on that list will not get anyone into your account. If the password you are using here is also used somewhere else, change it to something unique, and treat the shared password as compromised on every site where it was used. You can find more security tips here.
It is also very important that your email account is secured in the same way, with a unique password and two-factor authentication. Password resets are sent to your email address, so if someone takes over your email account they could potentially use it to take over your Cryptopia account as well.
Why is my account getting locked?
If there have been three failed attempts to get into your account, your account will be locked automatically for 15 minutes. This is to prevent brute force attacks on your password: an attacker gets at most three guesses per 15 minutes per account rather than thousands.
Doesn't this mean the Cryptopia DB has been breached?
No. There are a number of reasons why this cannot be the case. If Cryptopia credentials had been breached, these would not be failed attempts. It is practically impossible, even if someone did breach the Cryptopia databases, for them to use the contents to log in (and if the database really had been breached to that extent, they would not need to). This is because of the way passwords are stored: a properly stored password is a one-way, salted hash rather than the password itself, so a copy of the database does not yield working logins. There is also absolutely no point in people doing what they are doing unless they think they might have the correct password. A list of email addresses alone is useless, as they only get three password tries before an account is locked. So they have obtained a list of emails AND passwords from somewhere, but not from Cryptopia.
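The two mechanisms this page leans on, password storage that makes a stolen database useless for logging in and a three-strikes lockout, fit in one small account store. The following is an added example written for this page, not Cryptopia's code, and it covers both the lockout rule above (three failures, 15 minutes) and this section's point about stored passwords. The hash parameters, record layout and email addresses are assumptions; the demo at the bottom replays the stored hash as if it were a password and shows it fails like any other wrong guess.

```python
"""Added example (not Cryptopia's own code): a minimal account store that
(a) keeps only a salted, iterated hash of each password, so a copy of the
records does not let anyone log in, and (b) locks an account for 15 minutes
after three failed attempts. Parameters and record layout are assumptions."""
import hashlib
import hmac
import os

MAX_FAILURES = 3
LOCK_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 200_000  # assumption; tune for your hardware


class AccountStore:
    def __init__(self, clock):
        self.clock = clock    # callable returning the current time in seconds
        self.records = {}     # email -> {salt, hash, failures, locked_until}

    def register(self, email, password):
        salt = os.urandom(16)  # per-account salt defeats precomputed tables
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.records[email.lower()] = {"salt": salt, "hash": digest,
                                       "failures": 0, "locked_until": 0}

    def login(self, email, password):
        """Return 'ok', 'bad_credentials' or 'locked'."""
        rec = self.records.get(email.lower())
        now = self.clock()
        if rec is None:
            return "bad_credentials"   # same answer as a wrong password
        if now < rec["locked_until"]:
            return "locked"            # rejected without touching the hash
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        rec["salt"], PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["failures"] = 0
            rec["locked_until"] = now + LOCK_SECONDS
        return "bad_credentials"


def demo():
    """Walk through: stolen hash replay, two more failures, lockout, expiry."""
    t = [1_000_000]                          # fake clock so the demo is deterministic
    store = AccountStore(clock=lambda: t[0])
    store.register("alice@example.com", "correct horse battery staple")
    results = []
    # A stolen database record is not a password: replaying the stored hash fails.
    leaked_hash = store.records["alice@example.com"]["hash"].hex()
    results.append(store.login("alice@example.com", leaked_hash))
    results.append(store.login("alice@example.com", "password123"))
    results.append(store.login("alice@example.com", "letmein"))       # third failure -> lock
    results.append(store.login("alice@example.com", "correct horse battery staple"))  # locked
    t[0] += LOCK_SECONDS                                               # 15 minutes later
    results.append(store.login("alice@example.com", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

Two details worth noting: the comparison uses `hmac.compare_digest` so response time does not leak how many hash bytes matched, and an unknown email gets the same `bad_credentials` answer as a wrong password so the login endpoint does not confirm which addresses have accounts. Returning a distinct `locked` status, as here, does reveal that an account exists; whether to collapse that into `bad_credentials` is a product decision.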
But my email address hasn't been breached on anything else, I don't use it anywhere else, etc
A small number of people have told us that they only use their email address for Cryptopia and have still experienced a failed login attempt. After investigating these, we found that the address had been compromised on BTC-E years ago (or something similar), or that the person was simply mistaken. We have completed an initial analysis of all the tickets lodged during the last two days about this issue. Here are the results:
- Users with tickets about failed login attempts: 238
- Those that appeared on haveibeenpwned: 209 (88%)
- Total compromises recorded on haveibeenpwned just for these addresses: 940
- Examples of the breaches in which they were compromised (major ones): BTC-E, LinkedIn, OnlineSpambot, Adobe, BitcoinTalk, Lastfm, MySpace, Tumblr (and many more besides)
Given that haveibeenpwned does not list every breach, 88% is very high, and it strongly indicates that the attackers are working from a credential list obtained elsewhere.
What else do I need to be aware of?
Phishing scams are rife at the moment. Be very careful that you are visiting the correct website: cryptopia.co.nz is the only domain you should be using. Type the address in yourself or use a bookmark you created from it. Do NOT search for "cryptopia" and click the top link: Google allows phishing sites to advertise and become the top result (as does Bing), and both take a long time to remove them after they are reported as scams. See here for more information.