
What to Do If Your Binance API Key Is Leaked?

· About 7 min · CoinWiki Editorial

A leaked API key is a security emergency that requires immediate action. An API key is essentially a key to your account: whoever holds it can execute trading operations without logging into your account. As soon as you discover a leak, you must act fast.

Immediately log in at the Binance official site to address this issue. If you need to operate from your phone, Android users can download the APK to install the Binance App.

Step 1: Immediately Delete the Leaked API Key

Log into your Binance account, go to the "API Management" page, find the leaked API key, and delete it immediately. If you're unsure which key was leaked, it's recommended to delete all API keys and then only recreate the ones you're certain you need. Deletion requires security verification; act quickly.

Step 2: Check the API Key's Permission Settings

Before or while deleting, check the permissions of the leaked key. The critical question: was withdrawal permission enabled? If so, the attacker may have already transferred your assets via API. Immediately check your withdrawal records to confirm whether any abnormal withdrawals occurred.

Step 3: Check Account Assets and Transaction Records

Thoroughly check your account balance, recent trading records, and withdrawal records. Attackers may have used the API key to: sell your assets at low prices (a dump attack), buy a certain token at high prices to match sell orders on another account for profit, or withdraw directly via API (if withdrawal permission was enabled).

Step 4: Check Other Security Settings

Confirm that your login password, email, phone number, Google Authenticator, and other security settings are intact. While an API key leak doesn't necessarily mean other account information was also compromised, it's recommended to change your password as well, just to be safe.

Common Causes of API Key Leaks

The most common cause is uploading code containing API keys to public repositories like GitHub. Other causes include: entering API keys in insecure third-party trading tools, keys being stolen by malware on your computer, and exposing key content in public settings or screenshots.

Security Tips for Recreating API Keys

When creating new API keys, follow the principle of least privilege. Only enable permissions you truly need: if you only need to read market data, don't enable trading permissions. If you don't need withdrawals, absolutely never enable withdrawal permissions. Set up IP whitelisting to restrict the API key to your specific IP addresses. This way, even if the key leaks, attackers can't use it from other IP addresses.

Preventive Measures

Never hard-code API keys in public code; use environment variables or configuration files. Don't send API keys through chat messages or emails. Regularly rotate API keys rather than using the same set long-term. Delete API keys you're no longer using promptly.
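As an added example (not code from the original article or from Binance), the sketch below checks source text for hard-coded key literals before it is pushed to a repository, and loads credentials from environment variables instead. It assumes that a Binance API key or secret is a 64-character alphanumeric string; the variable names BINANCE_API_KEY and BINANCE_API_SECRET are hypothetical, and the sample input is constructed.

```python
import os
import re

# Assumption: a Binance API key or secret is a 64-character alphanumeric string.
TOKEN = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{64}(?![A-Za-z0-9])")


def is_key_like(token):
    """Mixed-case letters plus digits; skips lowercase hex digests such as SHA-256."""
    return (any(c.islower() for c in token)
            and any(c.isupper() for c in token)
            and any(c.isdigit() for c in token))


def find_hardcoded_keys(source):
    """Return (line_number, redacted_token) for each key-like literal in source."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        for match in TOKEN.finditer(line):
            if is_key_like(match.group()):
                # Report only a short prefix so the scan output never repeats the secret.
                hits.append((number, match.group()[:4] + "..."))
    return hits


def load_credentials(env=os.environ):
    """Read the key pair from the environment (variable names are hypothetical)."""
    try:
        return env["BINANCE_API_KEY"], env["BINANCE_API_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"{missing.args[0]} is not set") from None


# Constructed sample input: neither value is a real key or a real digest.
FAKE_KEY = "Ab3" * 21 + "X"           # 64 characters, key-like
FAKE_SHA = "0123456789abcdef" * 4     # 64 characters, lowercase hex
SAMPLE = f'''import os
API_KEY = "{FAKE_KEY}"
API_SECRET = os.environ["BINANCE_API_SECRET"]
CHECKSUM = "{FAKE_SHA}"
'''

if __name__ == "__main__":
    for number, prefix in find_hardcoded_keys(SAMPLE):
        print(f"line {number}: possible hard-coded API key starting {prefix}")
```

On the constructed sample, only line 2 is reported: the environment lookup on line 3 and the lowercase hex digest on line 4 are not flagged.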
