A Bitcoin exchange service was victim of a security breach over the weekend in a heist that yielded 18,547 BTC to unknown hackers. A post on Bitcoinica's official blog detailed that its servers were compromised and, following the complete draining of the service's online wallet, caused Bitcoinica to halt all operations while they figure out what went wrong.
Bitcoinica makes clear that the theft was from them and not from Bitcoin users, assuring them that all withdrawal requests will still be honored.
According to Zhou Tong, who founded the exchange service, posted on bitcointalk.org that the Bitcoinica team had noticed a suspicious transaction that wasn't initiated by any of the company owners. The next morning, an update was provided:
- It's more serious than we thought. We need some additional time to come up with a compensation proposal.
- Likely we will either shut down the platform or re-develop entirely (which will take months instead of days).
- The preliminary decision: reimburse for the full amount, including margin balances and position P/L.
- The root cause of this problem is an email server compromise. The email server belongs to one of our team members.
- Reminder again: Please do not reuse your Bitcoinica passwords as the database server was compromised. Do not click any links in the email. All Bitcoinica announcements will be updated on Bitcoinica website when available.
Skip ahead to this morning and Zhou Tong posted another comment in bitcointalk.org detailing how he suspects the hack-heist happened.
Update: How the hacker hacked Bitcoinica
I don't think this should be a secret, so I would just share my version of the story.
- I received several emails regarding password reset and finding out the username for our Rackspace account.
- I initially thought it was Patrick, because he did a password reset a few days ago, but I became suspicious when I realized that someone forgets the username of the account! (So it must not be Bitcoinica team member.)
- I immediately set the password back, and log in to the account. I SSH'd into the Bitcoin wallet server and found that everything is gone.
- This thread was posted and I tried to contact Rackspace the lock down the account.
- They suspended all servers, so that the hacker couldn't log in. However, despite two password changes and server suspension, the hacker is still in the session. I asked Rackspace to terminate his session but it seems that they don't know how to do it.
- The hacker recreated the server using our database backup, and possibly got the database successfully.
- Later we found out that Patrick's email server was compromised, and since he is in our mailing list, all emails sent to email@example.com were delivered to his compromised email account.
- We are now working on a settlement plan. Patrick is in charge of the claim page.
If anything of the following happened this would be prevented:
- Patrick's email was not added to the mailing list, and he used Bitcoinica email instead.
- Rackspace should just terminate the sessions then at least the database would be safe.
- We should not use the official Bitcoin client because it's very hard to secure it without large investments and affecting instant withdrawals in large amounts.
For those keeping score at home, the 18,547 BTC roughly equates $91,993.12 US dollars (Note: Ars Technica reported on Friday that the exchange value of the stolen Bitcoins was $87,000; my calculation of $91,993 is based on the low end exchange rate for today obtained from Mt. Gox. Since that's what's current today, that's what I'm sticking with) so as you can imagine, some people are peeved about the security breach as a few see this as a breach born of negligence. However, as Gaven Andresen stressed when I spoke with him about the Bitcoinica theft, you shouldn't really invest in Bitcoins unless you can afford to lose some money as the online currency is still in experimental stages. "I'll repeat something I've been saying for quite a while now: treat Bitcoin like you would a high-tech startup company. Only invest time or money that you can afford to lose, and expect there to be lots more ups and downs as Bitcoin infrastructure is created and matures."
While some people appear to have ignored that caveat, Zhou Tong has said that Bitcoinica intends to return all balances and unrealized profit and loss. However, things get a little complicated because Bitcoinica was sold to another Bitcoin exchange service, Intersango, about three weeks ago.
Communication between Bitcoin users and Intersango seems to be a little obtuse. Zhou Tong makes clear in one of his updates that he is merely an employee of Bitcoinica but when I asked Intersango for comment, the team replied, "We are currently restricted in things we can say and are helping Zhou to release statements," suggesting that Zhou's comments are supported by Intersango as official statements.
While a Bitcoin theft like this should be expected at this stage of the online currency's lifespan, it looks particularly bad for Bitcoinica because this is the second time in less than three months that the company has been hacked.
It's unfortunate that Bitcoinica fell prey to hackers not only twice but twice within a relatively short amount of time. Such security breaches aren't really doing the Bitcoin network in favors insofar fostering consumer confidence in the currency. I spoke with Rob Rachwald, director of security strategy at Imperva, who speculated on how such the heist could've been prevented. One, he said, it isn't typical protocol for a company to be using an employee's personal server. "You'd never find something like this at a place like Wells Fargo," he said.
Rachwald also concurred that security breaches like this - especially within close proximity of each other - undermine the public's confidence in online currency such as Bitcoin. However, he added, the public's hesitation to warm up to Bitcoins right away isn't too far off from the way people were originally skeptical about online banking.
In the meantime, Bitcoin users, be patient with your online money and be frugal with your investments.