Poloniex said Thursday that account information circulating on social media did not originate from the cryptocurrency exchange.
On Monday, Poloniex contacted some of its users after a tweet circulated featuring a list of email addresses and passwords and claiming that the information could be used to log into Poloniex accounts. In response, the exchange emailed all potentially impacted users and informed them of a forced password reset on their accounts.
"Earlier this week we emailed a small group of our customers (about 1% of our total base), requiring them to reset their Poloniex password in response to a tweet claiming to contain a list of leaked email addresses and passwords," the exchange said in its statement. "To confirm, there was no information or data leak originating from Poloniex and our actions represented a swift response to an external threat."
In its new statement, Poloniex said that "our investigation has concluded that approximately 90% of the passwords listed already appear in the haveibeenpwned.com list of exploited passwords. Additionally, our security team is in touch with haveibeenpwned.com and has requested that they update their database to include additional missing information we have identified."
Poloniex emphasized that it does not store users' passwords in plain text or any recoverable form. Rather, it stores them as salted bcrypt hashes.
Additionally, Poloniex stated that "[l]ess than 5% of the email addresses on the posted list were associated with Poloniex accounts."