Cryptocurrency exchange Poloniex issues password reset warning – Naked Security

When is a password breach not a password breach? When is a password warning a hoax?

That’s the double-trouble situation that faced cryptocurrency exchange Poloniex this week, following a tweet at the end of last year in which, according to Poloniex:

“[S]omeone leaked a list of email addresses and passwords on Twitter, claiming the information could be used to log in to Poloniex accounts.”

The company itself tweeted as follows:

Of course, there’s a big difference between knowing someone’s password for service X, and hacking service X.

Crooks sometimes present a list of hacked passwords as some sort of “proof” that they successfully broke into a server, but unless they can produce a significantly long list, this sort of “evidence” doesn’t prove much.

Indeed, in December 2019 we wrote about the conviction of a hacker from London called Kerem Albayrak.

He filmed himself logging into two people’s iCloud accounts as part of a blackmail attempt against Apple, demanding $100,000 in iTunes cards in return for not inflicting damage on millions of additional iCloud accounts.

The two breached accounts were supposed to support his claim to have a massive stash of Apple iCloud passwords, but he’d got hold of those two passwords without hacking Apple at all.