Bitcoins worth $87,000 plundered in brazen server breach
Unknown hackers broke into Bitcoinica, a site that trades the virtual currency.
More than $87,000 worth of the virtual currency known as Bitcoin was stolen after online bandits penetrated servers belonging to Bitcoinica, prompting its operators to temporarily shutter the trading platform to contain the damage.
Friday’s theft came after hackers accessed Bitcoinica’s production servers and depleted its online wallet of 18,547 BTC, as individual Bitcoin units are called, company officials said in a blog postpublished on Friday. It said the heist affected only a small fraction of Bitcoinica’s overall bitcoin deposits and that all withdrawal requests will be honored once the platform reopens.
It was at least the second time in 10 weeks Bitcoinica has been stung by a computer intrusion that has cost it dearly. In early March, a security lapse at cloud services provider Linode allowed hackers tomake off with about $210,000 worth of bitcoin after they gained unauthorized access to bitcoin wallets stored by Bitcoinica and seven other customers. Last June, an anonymous person claimed to havelost $500,000 worth of bitcoin to online thieves, but the claims were never independently verified.
“It is with much regret that we write to inform our users of a recent security breach at Bitcoinica,” Friday’s blog post stated. “The overwhelming majority of our bitcoin deposits were not stolen. The thief stole from us not you. All withdrawal requests will be honored.”
The post went on to warn that a database storing user names, e-mail addresses, and account histories was also accessed, and it also suggested cryptographically hashed passwords may also have been compromised. It advised customers who reused their Bitcoinica passwords on other sites to change them. Documents used to legally verify users’ identities are stored on separate servers at a separate data center with a different encryption regimen.
“Even full access to website database would not give the attacker access to this data,” the post stated. “We will have more to say soon about the circumstances surrounding this attack and what we will do to handle it.”
Ars has sent e-mails sent to Bitcoinica CEO and lead developer Zhou Tong and other officials seeking comment for this article, but hadn’t received a response by time of writing.
According to comments Tong left in an online forum, hackers penetrated a webserver hosted byRackspace after they managed to reset a password, most likely through an automated e-mail. Other participants in the discussion castigated Tong for not relying on two-factor authentication to manage the account. They also criticized Bitcoinica for storing such large amounts of liquid currency online, rather than keeping it offline and in an encrypted format. Tong didn’t address the authentication issue, but he defended the decision to store such a large amount of currency online.
“The sum of margin balance is the absolute minimum of funds we have to keep (so that we can honor every withdrawal request),” Tong explained. “Since the system is down at the moment, we don’t have the knowledge of open positions. We’re pretty sure that margin balance can be covered with our off-site reserves, but we are unable to determine value of unpaid unrealized profits and the unpaid swaps.”
Other participants complained that the theft of such a large amount of bitcoin threatened to devalue the currency. At time of writing, those fears appeared to be unfounded, with the value of a BTC remaining largely unchanged at about $4.94, according to current exchange rates.
Bitcoin is a digital currency that’s transferred through a peer-to-peer network, making it virtually impossible to trace those who use it. Strong cryptographic controls ensure that once bitcoins are spent they can’t be taken back, although a recently published research paper reports limitations that allow the same bitcoins to be double spent in certain cases (which Bitcoin developers say they’ve long warned users to avoid).
The March heist that hit Bitcoinica also affected several other trading platforms that have also lamented the necessity of storing large amounts of the currency in liquid form in “hot wallets” to automatically cover payout requests made by customers. Also hit in the earlier Linode breach was Gavin Andresen, the lead Bitcoin programmer, who lost about $25 worth of the currency.
He told Ars at the time that he’s working on an update to the Bitcoin framework that would largely prevent such thefts by requiring “multisignature transactions.” Under such a system, wallets would contain only one of two private encryption keys needed to spend coins, with the other residing on a separate machine at a different location.
Andresen didn’t immediately respond to a request for comment on late Friday.
–Note: Apparently, the attacker hinted at a ‘mass leak’ in the near future. This attack comes shortly after a leak of a different sort — an FBI document (PDF) about Bitcoin found it way onto the internet. It seems they’re worried about the virtual currency’s potential use in criminal activities. Check out some of the comments users have been posting about this on arstetechnica and slashdot.