Binance Security Incident Update #2

2019-05-10

Dear Binancians,

I would like to share some updates on the security incident. We understand the situation is tough for our community. We strive to maintain the highest degree of transparency; however, please also understand hackers are reading every word we post and watching every AMA we host. Sharing too many security details actually weakens our security response strategy.

Rest assured, our team is making progress. We are taking this opportunity to significantly revamp some of our security measures, procedures, and practices. With the goal of resuming deposits and withdrawals as soon as possible, some of the changes will be done within the window of this week, and many further changes will be added afterwards.

We are making significant changes to the API, 2FA, and withdrawal validation areas, which was an area exploited by hackers during this incident. We are improving our risk management, user behavior analysis, and KYC procedures. We are working on more innovative ways to fight phishing. We also have a number of additional security measures being implemented not directly visible on the front end.

We will be adding hardware device support, such as YubiKey and other devices, very soon. We will run an event and give away 1,000 YubiKeys as soon as that feature is implemented.

Impact-wise, the single BTC transaction of about 7000 BTC is the only transaction in which funds were stolen, and itā€™s quite simple to verify this on the blockchain. There are many community experts watching every Binance wallet. We are still investigating all other areas of the system to ensure no stone is left unturned. Furthermore, we are working with a dozen or so industry-leading security expert teams to help improve our security as well as track down the hackers.

Many security and blockchain analytics firms are actively helping us track the stolen funds. We are also working closely with many exchanges and other service providers to freeze the stolen funds. It already is sort of an alliance. We have some ideas to contribute more on this front after we get over this incident.

Mentally, the Binance team is not sad or depressed; on the contrary, we are in fighting mode. This event has further united an already tight team. We have received tremendous support from our community and we are humbled by your support. We will continue to fight for all of us, the community, against hackers and people with ill intentions. I believe this incident, while damaging us now, will actually make us far stronger and more secure in the long run.

We will maintain constant communication with our community. I (CZ) am active on Twitter. In fact, some people even say I tweet too much. But my role is a facilitator and communicator. Ā Honestly, I am not writing code or debugging servers. Given how much I talk, I sometimes say the wrong stuff, dirty words like ā€œreorgā€, for which I apologize. It is my strong view that our constant and transparent communication is what sets us apart from the ā€œold way of doing thingsā€, even and especially in tough times.

Tentatively, we are looking to resume withdrawals and deposits early next week. We still have a large number of tasks and tests to do, and we are working around the clock on it.

Once again, we thank you for your unwavering support during these tough times! We will fight on.

- CZ