item 7034176

2+ coinbase accounts hacked, 20k+ stolen, coinbase offers no help

5 points | Psyonic | 12 years ago

Cross-post from reddit, but worth posting here.

Reddit link: http://redd.it/1uk37k

tuttle123's hack story: http://www.reddit.com/r/CoinBase/comments/1uk37k/coinbase_account_was_hacked_16000_stolen_3_weeks/cejcq8p

Woke up December 15th, check my email and to my horror see "You just sent X BTC..." and "The X BTC you just purchased..." emails in my account. In the span of 3 minutes, the hacker sent the 10BTC I had in my account out, then made instant purchases and transactions of 5 BTC, 3 BTC, and 2 BTC.

Blockchain transactions:

~10 BTC: https://blockchain.info/address/12VvMbLGRAiBYK8fxqNNKEFA3xdapaFhJR

5, 3, and 2 BTC here: https://blockchain.info/address/1PQRoB6sK5MMDQ1WTd4awxsok24gMVSERA

I report this to coinbase through their ticket system. 24 hours later, they sent me some questions. I'll summarize my responses: 1. I had a complex single-use account password. 2. Was not using API, though did have iphone mobile app. 3. Used 2FA with Authy, which never left my side.

I heard nothing from CoinBase for 3 weeks.

A few days ago I received this response:

"I'm very sorry to hear this. It appears that an attacker was able to access your account by using your API access key. While disabled by default, it's imperative that this information be stored securely once enabled. If someone obtains this number they would be able to send all of the bitcoin out of your account."

To reiterate, I didn't enable API access beyond their own mobile app. Apparently I'm out of luck. I don't believe I was particularly negligent here, and their lack of any help (even info, etc) is very frustrating.

I'm happy to answer any questions, here or elsewhere. Advice or recommendations definitely appreciated.
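The support reply quoted above says an API key on its own was enough to send every coin out, even though the web login was protected by a password and Authy-generated TOTP codes. The snippet below is an added example, not code from the thread, from Coinbase or from any Coinbase client; the wallet classes, the key strings, the TOTP seed and the destination labels are all constructed for illustration. It models the two designs side by side: a naive service whose API path authenticates with a bare key and never consults 2FA, and a hardened one where keys carry scopes and any outbound send over the API must also present a fresh TOTP code (RFC 6238, implemented inline so it runs offline).

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, int(at) // step)


class Account:
    def __init__(self, totp_secret: bytes, balance_btc: float):
        self.totp_secret = totp_secret
        self.balance_btc = balance_btc
        self.api_keys = {}  # api key -> set of granted scopes


class NaiveWallet:
    """Web login is password + TOTP, but an API request needs only the key.
    Whoever holds the key holds the coins: 2FA never enters the API path."""

    def __init__(self, accounts: dict):
        self.accounts = accounts  # username -> Account

    def _lookup(self, api_key: str):
        for user, acct in self.accounts.items():
            if api_key in acct.api_keys:
                return user, acct
        raise PermissionError("unknown API key")

    def _debit(self, acct: Account, amount: float) -> None:
        if amount <= 0 or amount > acct.balance_btc:
            raise ValueError("insufficient funds")
        acct.balance_btc -= amount

    def api_send(self, api_key: str, amount: float, destination: str) -> str:
        user, acct = self._lookup(api_key)
        self._debit(acct, amount)
        return f"sent {amount} BTC from {user} to {destination}"


class HardenedWallet(NaiveWallet):
    """Two changes: keys carry scopes, so a read-only key cannot move funds,
    and every outbound send over the API must also present a fresh TOTP code.
    A stolen key alone is then worth no more than a stolen password alone."""

    def api_send(self, api_key: str, amount: float, destination: str,
                 totp_code: str, now=None) -> str:
        now = time.time() if now is None else now
        user, acct = self._lookup(api_key)
        if "send" not in acct.api_keys[api_key]:
            raise PermissionError("API key lacks the 'send' scope")
        # Accept the current 30 s step plus one step either side for clock skew.
        valid = any(hmac.compare_digest(totp(acct.totp_secret, now + skew), totp_code)
                    for skew in (-30, 0, 30))
        if not valid:
            raise PermissionError("2FA code required to send")
        self._debit(acct, amount)
        return f"sent {amount} BTC from {user} to {destination}"


def replay(now: float = 1387065600.0) -> dict:
    """Replay the thread's scenario on constructed data: the attacker holds the
    leaked API key but not the victim's phone, so cannot produce a TOTP code."""
    secret = b"constructed-victim-seed"  # constructed; real seeds are random bytes
    key = "api-key-leaked"               # constructed, not a real key
    dest = "attacker-address"            # placeholder label, not a real address
    out = {}

    naive = NaiveWallet({"victim": Account(secret, 10.0)})
    naive.accounts["victim"].api_keys[key] = {"read", "send"}
    naive.api_send(key, 10.0, dest)      # succeeds: nothing ever asks for 2FA
    out["naive_balance_after"] = naive.accounts["victim"].balance_btc

    hard = HardenedWallet({"victim": Account(secret, 10.0)})
    hard.accounts["victim"].api_keys[key] = {"read", "send"}
    hard.accounts["victim"].api_keys["api-key-readonly"] = {"read"}
    try:
        hard.api_send(key, 10.0, dest, totp_code="", now=now)  # attacker has no code
        out["hardened_without_2fa"] = "sent"
    except PermissionError as e:
        out["hardened_without_2fa"] = str(e)
    out["hardened_balance_after"] = hard.accounts["victim"].balance_btc
    try:
        hard.api_send("api-key-readonly", 1.0, dest, totp_code=totp(secret, now), now=now)
        out["readonly_key"] = "sent"
    except PermissionError as e:
        out["readonly_key"] = str(e)

    # The legitimate owner, holding the phone, can still send.
    hard.api_send(key, 1.0, "owner-cold-storage", totp_code=totp(secret, now), now=now)
    out["owner_send_balance_after"] = hard.accounts["victim"].balance_btc
    return out
```

Run `replay()` to see the naive account drained to zero by the key alone while the hardened account refuses the same request, refuses a read-only key even with a valid code, and still lets the owner send once a code is supplied. The point is the one the support reply makes by accident: an API key is a bearer credential, so either it must be scoped so that it cannot withdraw, or withdrawals through it must be gated by the same second factor the web login uses.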

20 comments

argonaut | 12 years ago
https://news.ycombinator.com/item?id=5428757

> HN is a news site, not a customer support forum for companies funded by YC, and in fact the site guidelines explicitly ask that it not be used that way:

Psyonic | 12 years ago
I respect that, but unfortunately it seems like the only way to get a response.
Nanzikambe | 12 years ago
They did offer help, they told him the IP used by whoever initiated the transfer, he's crying over the fact they didn't give him back his BTC.

Given the information provided I'd say it's highly likely his mobile device was the attack surface used. I don't use Coinbase, but a glance at their API docs makes it appear that the API key alone isn't sufficient to initiate a transfer since authentication is required.

If that's the case, this is analogous to demanding a refund from your bank when your account was emptied because you lost your wallet, ATM card and a post-it note with the PIN # written on it.


Psyonic | 12 years ago
Actually, they didn't tell me the IP address. That X was in the original email.

Also, my phone has a password on it, and the coinbase app and my Authy app both had passwords on them.

So actually, your scenario isn't analogous at all. But thanks for automatically assuming I'm to blame!

You honestly think it's entirely reasonable that someone was able to get past 2FA, take all my coins (+ purchase more) with no security check, and then to have CB give me nothing but radio silence for 3 weeks? Literally not a single word? And then finally tell me "That sucks."?

zaroth | 12 years ago
Welcome to Bitcoin, where giving up your private keys is synonymous with donating your Bitcoin to the thief who will eventually, inevitably, rob you.

Feel free to sue Coinbase for stealing your money, although it will understandably be hard to prove.

Your best bet is to monitor the Blockchain and hope the coins hit another third party service, you can try to order them to seize the coins.

More than likely they will get mixed beyond recognition before that point, but it's not without precedent (see StrongCoin)

Psyonic | 12 years ago
Ya that's the biggest issue for me. They have all the evidence. They haven't even given me the IP used to make the transactions.
electic | 12 years ago
Banks do this all the time. They notice fraudulent transactions, call you, or block the transaction outright till they can investigate. The fact that this happened, no one called, no one checked, reduces the faith in the service.
Psyonic | 12 years ago
Not to mention that after it happened, they won't even so much as respond to my emails.
Psyonic | 12 years ago
UPDATE: CoinBase eventually concluded that my API key may have been exposed due to a security flaw that they've since patched. They decided to refund me, and my coins have been returned. Thanks CoinBase!
byoung2 | 12 years ago
Does API access need to be enabled in order to use the iPhone app? I have API access disabled on my account, and I use the Android app.
OafTobark | 12 years ago
I have the iPhone app and under my account when I log in via the web, it says API is disabled. I don't recall it requesting to be enabled for access when I set it up originally before the app was pulled.
outragemachine | 12 years ago
If crypto-currencies are ever to be widely adopted the institutions involved must be held accountable for these kind of liabilities.
cabbeer | 12 years ago
There has been a consistent stream of negative coinbase stories, why do people still trust them with their money?