Read this if you have a Poloniex account (or are thinking about getting one).
If you have gone through the process of contacting the Poloniex support team, you may have made your account vulnerable to a breach without realizing it. If, for instance, you opened a ticket to change your email address, raise your trading limits or resolve a dispute, you may be at risk.
How so? Poloniex uses a branded version of a third-party help-desk provider. Specifically, when you reach out to the Poloniex Support Team for the first time, you are directed to create a new account at poloniex.freshdesk.com. The branding looks exactly like the Poloniex site, and the address looks like a Poloniex address. Since users navigate there from poloniex.com, they are likely to be unsuspecting, to sign up with the same email address as their trading account, and, worse, to use the same password.
Why is that a problem? Whatever measures Poloniex takes to secure what could be your wealth, they can be negated if Freshdesk does not protect the keys to that wealth to the same standard. Freshdesk is a company that serves many customers other than Poloniex, and its employees are not bound to the data-security practices of any one customer. Users have no information on how their login credentials are stored or protected, nor on who has access to that information. As it is, users already take a leap of faith (or rather, hope) that an exchange follows the absolute best practices, since it does control its customers' wealth. A help-desk company doesn't share in that faith (or hope).
A Message to Poloniex Staff
Consider cutting your ties to a third-party support provider, or at least plaster warnings on the Freshdesk login page stating that it has no affiliation to you. Moreover, use a dancing bear and recommend, as a best practice, using a different password AND email address than the ones used to log in to Poloniex. Send an email to your customers and suggest they change their password immediately if their support-portal password was ever the same as, or similar to, their Poloniex password.
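The reuse problem described above (same email and same or similar password on poloniex.com and on the vendor-hosted poloniex.freshdesk.com) can be checked mechanically on the user side. The script below is an added example, not code from the original post or from Poloniex or Freshdesk: it walks a password-manager vault (constructed sample entries here) and flags accounts that share an email address with the same or a similar password across different organisations, treating poloniex.freshdesk.com as belonging to freshdesk.com rather than poloniex.com. The domain-splitting rule and the "similar password" heuristic are simplifications assumed for the example; a real tool would use the Public Suffix List.

```python
"""Audit a password vault for credentials reused across different organisations.

Added example, not from the original post. Vault entries are constructed sample
data with fake passwords; the registrable-domain logic is a stand-in for the
Public Suffix List.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample vault: what a user who followed the support flow described
# in the post might end up with. All passwords are fake.
SAMPLE_VAULT = [
    {"site": "https://poloniex.com/login",
     "email": "alice@example.com", "password": "Tr0ub4dor&3"},
    {"site": "https://poloniex.freshdesk.com/support/login",
     "email": "alice@example.com", "password": "Tr0ub4dor&3"},
    {"site": "https://mail.example.net",
     "email": "alice@example.com", "password": "tr0ub4dor&31"},
    {"site": "https://forum.example.org",
     "email": "alice@example.com", "password": "a-different-secret"},
]

# Tiny stand-in for the Public Suffix List (assumption: enough for this demo).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Return the organisation-level domain a URL belongs to.

    poloniex.freshdesk.com -> freshdesk.com  (the help-desk vendor)
    www.poloniex.com       -> poloniex.com   (the exchange)
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise_password(pw: str) -> str:
    """Crude 'similar password' key: case-folded, trailing digits/punctuation dropped.

    Catches the common habit of appending a digit or symbol to an old password.
    """
    return re.sub(r"[\d\W_]+$", "", pw.casefold())


def find_reuse(vault):
    """Return {'exact': [...], 'similar': [...]} findings.

    Each finding is (email, sorted tuple of registrable domains) for a password
    (or similar-password key) that appears under more than one organisation.
    """
    exact = defaultdict(set)
    similar = defaultdict(set)
    for entry in vault:
        dom = registrable_domain(entry["site"])
        email = entry["email"].casefold()
        exact[(email, entry["password"])].add(dom)
        similar[(email, normalise_password(entry["password"]))].add(dom)

    return {
        "exact": [(email, tuple(sorted(doms)))
                  for (email, _), doms in exact.items() if len(doms) > 1],
        "similar": [(email, tuple(sorted(doms)))
                    for (email, _), doms in similar.items() if len(doms) > 1],
    }


if __name__ == "__main__":
    report = find_reuse(SAMPLE_VAULT)
    for kind in ("exact", "similar"):
        for email, doms in report[kind]:
            print(f"{kind:7s} reuse for {email}: {', '.join(doms)}")
```

Running it on the sample vault reports an exact match between freshdesk.com and poloniex.com, which is precisely the case the post warns about, and a similar-password match that additionally pulls in example.net.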
A Message to Crypto Exchange Users
This demonstrates that it is not wise to leave your coins in a third-party-controlled wallet. As a professional systems architect and developer of 25 years, I have seen many breaches of data security best practices, even in data security circles. You can draw your own conclusions about something of this nature that not only passed the development and QA cycles, but also internal data security and corporate officer users too.