
Hey,
We are really sorry for the inaccessibility of Keybin from 24.6.2026, 21:15 CEST, to 25.6.2026, 12:30 CEST.
On the evening of 24.6.2026, we noticed unauthorized purchases (2 accounts) and logins to selected user accounts (26 compromised accounts), where the attackers had the users' passwords and in some cases even access to the users' email, which allowed them to reset the password. We acted immediately by disabling the accounts and taking down the platform until we could fully investigate.
Here is what happened.
On the evening of 24.6, our system detected unusual login and transaction activity. Initially we assumed only one account was compromised, but after investigating the logs, we noticed unusual behavior on additional accounts within a short span of time. When we detected that the second account had started to make purchases that were out of the ordinary for that account, we immediately restricted all access to our platform, including the API, to protect our users' assets.
After the platform was shut down, we started a full-scale investigation to fully understand the scope of the unauthorized access to user accounts.
We noticed that the attacker had "ready-to-log-in" accounts: for each one, the attacker either had a username and password or had access to the email address, which enabled the attacker to reset the password.
We can confirm that the attacker did not obtain account credentials by breaching the Keybin platform, but rather used account information from breaches outside our platform, i.e., known breaches that can be tracked on websites like haveibeenpwned.com. The attacker either had the correct password and logged in on the first try, tried a few passwords (up to 10), or reset the password via email to gain access to the account.
At the same time, the attacker also found a bug that enabled them to make transactions on accounts that were not fully verified. This did not impact users.
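Detection logic of the kind the notice describes, as an added example that is not Keybin's code: it runs over a constructed event log and flags the three patterns mentioned above (several failed logins followed by a success, an email password reset followed by a login and a purchase, and one source logging into several accounts within a short span). The event names, the 15-minute window and the failure threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth/transaction events (not real Keybin data):
# (timestamp, account, source_ip, event)
EVENTS = [
    ("2026-06-24 20:58", "alice", "203.0.113.7", "login_fail"),
    ("2026-06-24 20:58", "alice", "203.0.113.7", "login_fail"),
    ("2026-06-24 20:59", "alice", "203.0.113.7", "login_fail"),
    ("2026-06-24 20:59", "alice", "203.0.113.7", "login_ok"),
    ("2026-06-24 21:02", "bob",   "203.0.113.7", "login_ok"),
    ("2026-06-24 21:05", "carol", "203.0.113.7", "pw_reset"),
    ("2026-06-24 21:06", "carol", "203.0.113.7", "login_ok"),
    ("2026-06-24 21:08", "carol", "203.0.113.7", "purchase"),
    ("2026-06-24 21:10", "dave",  "198.51.100.4", "login_fail"),
    ("2026-06-24 21:11", "dave",  "198.51.100.4", "login_ok"),
]

def detect(events, fail_threshold=3, window=timedelta(minutes=15), min_accounts=3):
    """Return {account: [reason, ...]} for accounts matching any of the three patterns."""
    rows = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), a, ip, e) for t, a, ip, e in events)
    findings = defaultdict(list)
    by_account, ok_by_ip = defaultdict(list), defaultdict(list)
    for t, a, ip, e in rows:
        by_account[a].append((t, e))
        if e == "login_ok":
            ok_by_ip[ip].append((t, a))
    for a, evs in by_account.items():
        fails = [t for t, e in evs if e == "login_fail"]
        resets = [t for t, e in evs if e == "pw_reset"]
        logins = [t for t, e in evs if e == "login_ok"]
        buys = [t for t, e in evs if e == "purchase"]
        # Rule 1: a successful login preceded by fail_threshold+ failures within the window
        if any(sum(t - window <= f <= t for f in fails) >= fail_threshold for t in logins):
            findings[a].append("login after repeated failures")
        # Rule 2: password reset, then a login and a purchase, all within the window
        if any(any(r < l <= r + window for l in logins) and any(r < b <= r + window for b in buys)
               for r in resets):
            findings[a].append("purchase shortly after password reset")
    # Rule 3: one source IP successfully logging into min_accounts+ distinct accounts in the window
    msg = "shared source with other accounts"
    for oks in ok_by_ip.values():
        for t, a in oks:
            peers = {b for s, b in oks if abs(s - t) <= window}
            if len(peers) >= min_accounts and msg not in findings[a]:
                findings[a].append(msg)
    return dict(findings)

if __name__ == "__main__":
    for account, reasons in detect(EVENTS).items():
        print(account, "->", "; ".join(reasons))
```

With the sample events, alice, bob and carol are flagged and dave (one failure, then success, from his own address) is not.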
What we did to protect our users:
– We assume that more accounts could be compromised, so on your next login you will have to change your password.
– 2FA is now mandatory for all accounts. On your next login, you will have to set up 2FA before you can proceed to the platform.
– Security improvements, hardening, and more triggers to detect similar situations.
What we are doing next:
We will give Team Owners and admins more control over user limits. We are aware that accounts get compromised, and we would like to offer additional limits that users can control.
As a precaution, we have removed old API tokens. Please navigate to Account -> Account -> API Settings to generate a new token or refresh your current token.
Sorry for the inconvenience.
Yours, Keybin
Timeline (timezone CEST):
24.6.2026, 21:15
Detection of unusual activity on selected user accounts; start of the investigation.
24.6.2026, 21:40
The detected compromised account is blocked; a second compromised account is detected and blocked.
24.6.2026, 22:50
The investigation shows more accounts being logged into. Platform shut down.
24.6.2026, 23:30
The investigation is complete; a plan to add features that protect user accounts is created.
25.6.2026, 04:30
After more investigation, an additional plan to improve platform security is created to prevent and detect similar breaches sooner.
25.6.2026, 09:15
Features are ready to review and test.
25.6.2026, 11:45
my.keybin.net is back online. The API is still restricted and is slowly enabled for users.
25.6.2026, 12:15
We are detecting login problems for some users and investigating.
25.6.2026, 13:50
The login issue was connected to the API. We are in the final stages of enabling both my.keybin.net and the API.
25.6.2026, 15:45
my.keybin.net is now online for all users. We are now applying final fixes before enabling the Sellers and Buyers API.
25.6.2026, 16:50
Emails to compromised accounts were sent.
25.6.2026, 20:45
The API is enabled, but we are experiencing a massive order backlog, and therefore there might be interruptions until the backlog is cleared.
25.6.2026, 21:10
All services restored. ⚠️ We have removed very old API tokens! Please check whether we removed the API token from your account and, if so, create a new API token under Account -> API Settings. We strongly suggest that you change your current API tokens. This is a security precaution.
We are now actively monitoring the situation. If you have a problem accessing your account or you encounter other problems, please send us an email.