This statement offers our full account, what it means for users, and the remediation actions we’re taking.
On April 22, 2026, Cybernews reported that a listing on a hacker forum was offering what it described as data on “100 million CoinMarketCap users” for $5,000. We were contacted for comment; however, the article was published before we could provide a response. As a result, the first public account of this event did not include our input.
We are publishing this statement now to provide our full account, what it means for users, and the remediation actions we’re taking.
Confirmed Facts
A malicious actor targeted our public-facing profile API using a method known as user ID enumeration to scrape certain CoinMarketCap profile fields: display handle, account creation date, follower count, and account status.
Our investigation to date has not identified evidence of unauthorized access to CoinMarketCap's internal infrastructure, databases, or authentication systems. No passwords, authentication credentials, financial data, KYC records, or internal systems were accessed. The activity described here involved the automated collection of information that was already publicly accessible on the platform and is distinct from a system breach.
What Remains Under Review
The malicious actor claims the dataset contains 100 million records, split between 40 to 50 million "real" accounts and 50 to 60 million accounts the malicious actor themselves characterized as bots. This figure is broadly consistent with the volume of public profile records accessible through our API, and does not represent compromised accounts. Cybernews researchers reviewed only 13 records from the sample and could not verify the full scale independently.
Because automated scraping traffic blends with normal API usage, the exact number of scraped records cannot be determined with precision. Our remediation plan addresses this by treating the full population of users within the affected window as potentially impacted.
The Email-Prefix Handle Issue
The forum post offering the data flags a perceived pattern between usernames and email addresses on our platform. The Cybernews article echoed this claim. We want to provide the historical context that has not been in the public record regarding our platform’s evolution.
Beginning in August 2021, new CoinMarketCap accounts had their display handle auto-populated from the email prefix used at registration (everything before the "@"). When this feature went live, it was also applied to the existing user base at the time, approximately 20 million accounts.
This default practice was discontinued in early 2022. From that point forward, new accounts received randomized display handles. Handles set through the prior design remained in place unless users updated them manually. We are now extending remediation to cover these existing handles as part of the actions described below.
To be clear, the scraped data contains handle strings, not confirmed email addresses. However, because some of the historical handles resemble common email prefixes, motivated actors could attempt to infer potential email formats by combining them with likely domains. Our response addresses this potential risk and is designed accordingly.
Both bot and inactive accounts created during this window were registered with valid email addresses, so the handles for those accounts also follow the email-prefix pattern. The email addresses tied to those accounts are included in our user notification scope below, and we are reviewing our broader treatment of dormant accounts as part of this remediation.
What Users Should Do
If you registered before early 2022 and have not changed your display handle, assume a motivated attacker could attempt to guess your email from it. We recommend that you go to your account settings and change your handle if it resembles your email address. Enable two-factor authentication on your CoinMarketCap account.
Actions Taken
- Enhanced Security Controls: We enhanced our WAF security control rules to detect and block automated or suspicious traffic targeting authentication and user-related API endpoints. These measures are designed to mitigate further scraping activity and limit unauthorized data extraction.
- Implementing Additional API Access Controls: Additional rate limits, request authentication controls, and API hardening measures are being implemented to increase resistance against automated scraping and unauthorized data extraction.
- Regulatory Engagement: We are engaging with relevant data protection authorities and will file notifications as required under applicable data protection laws.
- Dormant Account Review: We are evaluating our handling of dormant and bot-flagged accounts, including the email addresses tied to them.
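A detection sketch for the user ID enumeration described under Confirmed Facts and the automated-traffic controls listed above, added here as an illustration and not CoinMarketCap's own code. The log layout, the `/api/profile/<id>` path, the client keys and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Hypothetical log layout and endpoint path (assumptions, not CoinMarketCap's):
#   <ISO timestamp> <client key> GET /api/profile/<numeric id> <status>
LINE_RE = re.compile(r"^(\S+) (\S+) GET /api/profile/(\d+) (\d{3})$")


def parse(lines):
    """Yield (client, user_id) for well-formed profile lookups; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), int(m.group(3))


def flag_enumeration(lines, min_ids=20, max_step=3, min_walk_ratio=0.8):
    """Flag clients that requested >= min_ids distinct IDs where at least
    min_walk_ratio of consecutive requests stepped forward by 1..max_step."""
    seen = defaultdict(list)
    for client, uid in parse(lines):
        seen[client].append(uid)
    flagged = {}
    for client, ids in seen.items():
        distinct = len(set(ids))
        if distinct < max(min_ids, 2):  # too few lookups to judge a pattern
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        walk = sum(1 for s in steps if 1 <= s <= max_step) / len(steps)
        if walk >= min_walk_ratio:
            flagged[client] = {"distinct_ids": distinct, "walk_ratio": round(walk, 2)}
    return flagged


def sample_log():
    """Constructed sample: a sequential walker, a casual user, a busy client."""
    rows = [f"2026-04-01T00:00:{i:02d}Z client-A GET /api/profile/{1000 + i} 200"
            for i in range(40)]
    rows += [f"2026-04-01T00:01:{i:02d}Z client-B GET /api/profile/{uid} 200"
             for i, uid in enumerate([5, 90210, 77, 5, 1234])]
    rows += [f"2026-04-01T00:02:{i:02d}Z client-C GET /api/profile/{(i * 7919) % 100003} 200"
             for i in range(30)]
    rows.append("malformed line that the parser skips")
    return rows


if __name__ == "__main__":
    print(flag_enumeration(sample_log()))
```

A client that requests IDs in random order or spreads lookups across many client keys stays below these thresholds, which is the blending with normal API usage noted under What Remains Under Review.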
Direct User Notification
As a preventative measure, we will be contacting all users whose display handle was generated through the auto-population process that occurred before early 2022. Email outreach will begin on April 30, 2026 and continue over the following days. Users will receive specific guidance on how to update their handle and enable 2FA.
We encourage all affected users to take the steps above at their earliest opportunity. Our security and engineering teams remain fully engaged in addressing this matter. Protecting our users remains a central priority in our security program and continues to guide our actions throughout this process.
CoinMarketCap Team
April 25, 2026
