Security issue with XTB

Karol Mazurek
6 min readApr 12, 2024

Problem with lack of 2FA on the XTB exchange platform.

This is a short blog post whose primary purpose is to draw attention to the need for 2FA to be implemented wherever there is a cash flow or sensitive user data on any platform or application.

By writing this, I also want to encourage everyone to use 2FA whenever possible so it is harder to hack you when your password is leaked.

I am also sharing my opinion here at the very beginning on how not to write security-related emails to the platform users.


Today, I received an unpleasant message from XTB support saying that my password was leaked. Below, I underlined 5 sentences from this mail that I would like to discuss here while expressing my opinion about them:

The message starts by saying (1) the customer’s web browser cached data may have been publicly disclosed online. Then, they say (2) their security systems have not been compromised. Lastly, (3) they blamed the end user while whitewashing themselves for the second time.

What is wrong?