Welcome to a cryptocurrency world.

Anyone with an Internet connection can purchase stolen databases of emails and passwords. They aren’t stalkers or even hackers—most are script kiddies that just want your bitcoin.

Many of these people are from areas of the world where $100 USD is a month’s salary, so they will often take the time to write a script that brute-forces the login pages of each and every major cryptocurrency exchange and wallet, hoping that your email is registered there and that you used the same password on the site that first leaked your info. Usually, they luck out, as people tend to use the same password everywhere. Let’s say, however, that you did happen to use a different password. If you didn’t set up two-factor authentication, all they would need to do is reset your email password. And just like that, your money is gone.

Full disclosure: I am the CEO and co-founder of Paxful, a P2P OTC cryptocurrency marketplace. Paxful’s main value has always been helping unbanked people in emerging markets like Western Africa get into trading digital currencies by buying bitcoin. On Paxful, a bank account is not needed and simple payment methods like bank transfers or gift cards are the way most of the unbanked get into the crypto economy. Many of these users refuse to use 2FA security no matter how much we try to educate and inform them. As CEO, I provide support for our customers a few times a week and I’m disappointed whenever this happens. People often lose their cool and freak out. I get it. It’s understandable because, in the world of Bitcoin, you cannot simply reverse a transaction. When our team tries to explain this, we’re often accused of stealing their funds and in angst, they leave a bad review.

Let’s check something together.

  1. Head over to https://haveibeenpwned.com and type in your email address.
  2. Then go to https://haveibeenpwned.compasswords and type in your password.

Have you been “pwned?” For those of you who are unaware, “pwned” tech slang for being “owned.” If the websites indicate that you have, in fact, been “pwned,” it means your email and password are freely accessible on the Internet. Yes, there is an entire site devoted to tracking this. It’s kind of a big deal and still the dirtiest secret on the Internet. Facebook sharing every detail of your life with everyone is bad but at least it’s not giving people total access to post and delete your content or even worse, access to your funds.

Let’s look at some stats from the “Have I Been Pwned.”

  • 277  ”pwned” websites
  • 4,966,062,037 “pwned” accounts
  • 359,420,698  compromised MySpace accounts
  • 234,842,089   compromised  NetEase accounts
  • 164,611,595   compromised  LinkedIn accounts
  • 152,445,165   compromised Adobe accounts
  • 112,005,531   compromised  Badoo accounts

Out of those nearly five billion leaked accounts, one could be yours. If you used a leaked email address to register an account at any bitcoin wallet provider, a hacker is only one password reset request away from taking your money. And just like that, your password no longer matters. Luckily, we’ve changed the rules. The most desperate and veteran hackers are now going for your funds, thanks to the magical Internet money that is bitcoin. Bitcoin is decentralized, which means no one entity can simply “cancel a transaction” or cause a blockade or sanction. This gives an edge to scammers and hackers. Is there an edge it gives honest users?

Absolutely. Security in the crypto world is entirely in your hands!

You can be as secure and decentralized or as not secure and centralized as you wish. The crypto security spectrum ranges from the first-class citizens who run their own full nodes, to the second class citizens who own their own private keys, and the third class citizens who use web wallets. Paxful, for example, is a web wallet and our customers don’t own their private keys. Paxful doesn’t own them, as BitGo powers our blockchain network. Simply put, private keys on our platform are split between three parties: BitGo, Paxful, and a third-party trusted holder. But not you. So what do you have to work with?

Password :

Must be unique (never used before for any other account). If not, your protection is ZERO.

2FA (via Mobile):

We send you a text message to your phone to verify that it is really you. Not very secure, as hackers can hack SIM cards via swapping numbers. DO NOT use SMS, as it is easily hackable!

2FA (via Google  Authenticator/Authy) :

App on your phone you check each time for access tokens. Very secure!

Pin Code  — Web wallets like Xapo. Coming soon to the Paxful app!

REMINDER: Once a hacker gets your bitcoin, there is ZERO chance of getting it back even if you know the wallet address. Bitcoin transactions cannot be reversed!

So you know what to do now. Will you turn on 2FA?

– Ray Youssef, Paxful CEO and co-Founder