Feb 20, 10:30 GMT: To see our latest security announcement, click here.
Today, February 15, 2019, Coinmama was informed of a list of emails and hashed passwords that were posted on a dark web registry. Our Security Team is investigating, and based on the information at hand, we believe the intrusion is limited to about 450,000 email addresses and hashed passwords of users who registered until August 5th, 2017. This comes as part of a larger breach affecting 30 companies and a total of 841 million user records.
As of February 15, 2019, there has been no evidence of this data being used by perpetrators. Given the dated nature of the published data, we have no reason to suspect that any other Coinmama systems are compromised. Coinmama does not store credit card information and does not hold user funds.
What we are doing
As soon as we became aware of the incident, we immediately established an Incident Response Team to identify the nature and scope of the intrusion. We also took immediate action, consulting with leading cybersecurity firms, and are taking steps to protect our customers, including:
Notifying users that were affected by this breach with steps to safeguard their accounts and protect their data
Requiring users who are possibly affected to reset their password upon next login and urging all other users to verify that their passwords are unique and strong
Monitoring our systems for suspicious activity
Adding continuous enhancements to our systems to detect and prevent unauthorized access to user information
Monitoring for any external indication that the compromised data is being used, and keeping our customers notified
What this means for you
We take your privacy very seriously and are alerting you about this incident so you can take steps to help protect your information:
If you registered prior to August 5th, 2017, immediately change your password and change it on any other service using the same login details (email and password). We’ve sent you an email with further instructions on how to protect your account and data.
We're taking this opportunity to remind all users to use a unique password with at least 8 characters, using both upper-case and lower-case letters and a mixture of numbers and symbols
Be careful of any unexpected communication that asks for your personal data or directs you to a website asking for your personal data
Avoid clicking links or downloading attachments from suspicious emails
For questions, comments or any information you might have that could help us mitigate and communicate this incident, send an email to email@example.com
We will keep this post updated with any new information that our investigation might uncover.