Data Breach Exposes 1.5 Million Binance User Accounts
Severity: High (Score: 64.5)
Sources: Mexc.Co, Beincrypto
Summary
On March 28, 2026, cybersecurity platform VECERT reported that a threat actor named PexRat is selling a database containing the personal information of 1.5 million Binance users. The leaked data includes full names, email addresses, phone numbers, Know Your Customer (KYC) verification statuses, last-login IP addresses, device user agents, and two-factor authentication (2FA) statuses. The breach did not involve a direct attack on Binance's internal servers; instead, it was a result of a credential stuffing and scraping operation that bypassed security mechanisms. This incident follows a previous report in January 2026, which revealed around 420,000 Binance-linked credentials exposed via infostealer malware. The exposure of sensitive data poses significant risks, including vulnerability to SIM-swap attacks and phishing campaigns. Binance's growing institutional trading activities are now overshadowed by these security concerns, which could impact user trust and operational integrity.
Key Points:
- 1.5 million Binance user accounts have had their data leaked for sale.
- The breach was due to credential stuffing and scraping, not a direct server compromise.
- Users are at risk of SIM-swap attacks and phishing due to exposed 2FA and KYC data.
Key Entities
- Credential Stuffing (attack_type)
- Data Breach (attack_type)
- Malware (attack_type)
- Phishing (attack_type)
- Binance (company)
- PexRat (malware)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1110 - Brute Force (mitre_attack)
- T1566 - Phishing (mitre_attack)