On March 28, cybersecurity platform VECERT reported that a threat actor operating under the alias PexRat has put a database of 1.5 million Binance users up for sale on underground forums.
🚨 FINANCIAL INTELLIGENCE ALERT: Binance Database Leak (1.5M Users) 🌐💰
Our Analyzer platform has detected one of the most critical threats to the cryptocurrency sector so far this year. Threat actor PexRat has put up for sale a private database affecting approximately 1.5… pic.twitter.com/IjgHL3DwMR
— VECERT Analyzer (@VECERTRadar) March 28, 2026
The dataset is unusually dangerous. It is not just names and emails. According to VECERT’s alert, the compromised fields include full names, email addresses, phone numbers, country of registration, account creation date, KYC verification status, last login IP address, device information, and critically, the type of two-factor authentication each user has active — whether that’s SMS, email, or an authenticator app.
That last piece of information is what makes this more than a standard credential dump.
Why the 2FA Data Changes Everything
Most data leaks expose login credentials. Bad actors use them for automated attempts to log into accounts using stolen username and password combinations. Users who have 2FA enabled are largely protected from this.
This leak is different. Knowing which type of 2FA a user has active tells an attacker exactly how to get past it. Users relying on SMS-based 2FA are vulnerable to SIM-swap attacks — where an attacker convinces a mobile carrier to transfer your phone number to their SIM card. Once they have your number, SMS codes come to them. Combined with your email, password, and the knowledge that your account uses SMS 2FA, a targeted attack becomes straightforward.
Users with authenticator app-based 2FA are more protected, but the KYC data in this leak creates a different risk. Knowing someone’s full name, phone number, email, country, and verified status gives attackers everything they need to craft a convincing phishing message that appears to come from Binance’s compliance team.
This Is the Third c This Year
January 21, 2026: Cybersecurity researcher Jeremiah Fowler discovered a publicly accessible, unencrypted database containing 149 million stolen credentials harvested by infostealer malware. Over 420,000 of those credentials were linked to Binance accounts. The database contained emails, usernames, passwords, and direct login URLs.
March 28, 2026: PexRat puts 1.5 million Binance user records up for sale, this time with KYC data, device fingerprints, and 2FA configuration details.
The January incident involved infostealer malware harvesting credentials from infected devices, technically not Binance’s fault. The source of the March dataset has not been confirmed. VECERT’s alert does not specify whether this is another infostealer harvest or whether it came from inside Binance’s systems.
Binance has not issued a public statement on the March 28 alert at time of publication.
What to Do Right Now
If you have a Binance account, three actions matter:
Switch to an authenticator app for 2FA if you are using SMS. Google Authenticator, Authy, or any TOTP-based app is significantly harder to attack than SMS. This is the single most important change.
Change your password and make it unique to Binance. If you are reusing a password from another service, assume it is already in a leak database somewhere.
Be skeptical of any email or message claiming to be from Binance over the next weeks. Phishing campaigns typically follow data leaks by days. If a message asks you to verify your account, click a link, or enter credentials, go directly to Binance.com rather than clicking anything in the message.
The Bigger Pattern
Three months into 2026, Binance’s name has appeared in two significant data events regardless of whether either originated inside their systems. The world’s largest crypto exchange by volume is the highest-value target in the sector. That is not going to change.
What can change is how users protect themselves. Hardware security keys are the gold standard for 2FA. Authenticator apps are the realistic middle ground. SMS is not enough anymore, and this leak is a specific, documented reason why.
