LAST UPDATED - 2/20/2019
1. What happened?
On February 15, 2019, we became aware that a perpetrator gained access to about 450,000 user emails and hashed passwords dating from August 2017 and earlier. This is part of a large breach that has affected 30 companies and 841 million users.
On Sunday, February 17, 2019, during an ongoing investigation of a financial fraud incident that occurred in December 2018, we learned that an unauthorized party acquired data associated with 1.4 million Coinmama accounts.
2. What information was compromised?
In order to sell cryptocurrency, we are required by regulation to collect certain personal information from our customers, including name, address, email, gender and ID number. From some of our customers we are also required to collect images and copies of documents, including government-issued IDs. We do not store or record any credit card information, nor do we hold any customer funds.
On February 17, we found evidence that an unauthorized party acquired data of our customers, including the personal information mentioned above.
As of February 20, 2019, there has been no evidence of this information being used by perpetrators.
3. What is Coinmama doing?
On February 15, we established an Incident Response Team to identify the nature and scope of the initial intrusion. In light of what we learned on February 17, we immediately expanded our investigation efforts, working closely with several leading security firms.
We are devoting all resources necessary to accelerate the ongoing security enhancements to our systems. We are working diligently to protect people’s privacy, including:
Email notification. We began sending emails on a rolling basis on February 15, 2019 to affected customers.
Password reset. Since February 15, we have been expiring the passwords of customers’ accounts. We recommend that you set a new password, and change it on any other service using the same credentials (email and password).
Law enforcement. We have reported this incident to law enforcement authorities and will continue to support their investigation.
Data protection authorities. We are notifying the applicable regulatory authorities of this matter.
Monitoring. We are taking additional measures to monitor any suspicious activity relating to our customers’ accounts.
4. Does Coinmama know who did it?
We don’t yet know the individual or group who acquired this data. Our investigation is ongoing.
5. What should I do next?
Make a habit of reviewing your accounts for suspicious activities from time to time. If you believe you are the victim of identity theft or that your personal data has been misused, immediately contact your national data protection authority or local law enforcement.
If you are a resident of the United States: click here to learn more actions you can take.
Use strong passwords and do not use the same passwords for multiple accounts (for best practices about creating secure passwords, click here).
6. I think I received an email about this. How do I know it’s really from Coinmama?
One way to know the email you received came from Coinmama is that it 1) does not include any attachments and 2) does not ask you to provide any personal details. Coinmama will never ask for your password.
7. How do I reset my password?
To reset your password, go to the Recover Password page, enter the email address of your Coinmama account and click the confirmation link in the email we send you. Try creating a unique password with at least 8 characters and a mixture of symbols, numbers, uppercase and lowercase letters. To learn more about creating secure passwords, click here.
8. How can I contact you?
We have established a dedicated support team to answer your questions 7 days a week. You can contact us in 3 ways:
Privacy questions: email@example.com
Privacy questions for EU customers: firstname.lastname@example.org
General support inquiries: email@example.com
We may experience high volume initially, and appreciate your patience.