2+ coinbase accounts hacked, 20k+ stolen, coinbase offers no help

5 points by Psyonic ↗ HN
Cross-post from reddit, but worth posting here.

Reddit link: http://redd.it/1uk37k

tuttle123's hack story: http://www.reddit.com/r/CoinBase/comments/1uk37k/coinbase_account_was_hacked_16000_stolen_3_weeks/cejcq8p

Woke up December 15th, check my email and to my horror see "You just sent X BTC..." and "The X BTC you just purchased..." emails in my account. In the span of 3 minutes, the hacker sent the 10BTC I had in my account out, then made instant purchases and transactions of 5 BTC, 3 BTC, and 2 BTC.

Blockchain transactions:

~10 BTC: https://blockchain.info/address/12VvMbLGRAiBYK8fxqNNKEFA3xdapaFhJR

5, 3, and 2 BTC here: https://blockchain.info/address/1PQRoB6sK5MMDQ1WTd4awxsok24gMVSERA

I report this to coinbase through their ticket system. 24 hours later, they sent me some questions. I'll summarize my responses: 1. I had a complex single-use account password. 2. Was not using API, though did have iphone mobile app. 3. Used 2FA with Authy, which never left my side.

I heard nothing from CoinBase for 3 weeks.

A few days ago I received this response:

"I'm very sorry to hear this. It appears that an attacker was able to access your account by using your API access key. While disabled by default, it's imperative that this information be stored securely once enabled. If someone obtains this number they would be able to send all of the bitcoin out of your account."

To reiterate, I didn't enable API access beyond their own mobile app. Apparently I'm out of luck. I don't believe I was particularly negligent here, and their lack of any help (even info, etc) is very frustrating.

I'm happy to answer any questions, here or elsewhere. Advice or recommendations definitely appreciated.

20 comments

[ 3.2 ms ] story [ 31.5 ms ] thread
If crypto-currencies are ever to be widely adopted the institutions involved must be held accountable for these kind of liabilities.
Does API access need to be enabled in order to use the iPhone app? I have API access disabled on my account, and I use the Android app.
I have the iPhone app and under my account when I log in via the web, it says API is disabled. I don't recall it requesting to be enabled for access when I set it up originally before the app was pulled.
It could be that the app uses the api key (despite it being disabled), and somehow someone was able to steal it. I hope it isn't sent in plain text.
I can't speak to their architecture, but the mobile app must be using some kind of API.
https://news.ycombinator.com/item?id=5428757

> HN is a news site, not a customer support forum for companies funded by YC, and in fact the site guidelines explicitly ask that it not be used that way:

I respect that, but unfortunately it seems like the only way to get a response.
Well, it's pretty obvious you don't respect that.
Is it? I tried to work with them for nearly a month directly, but they don't respond to any of my emails. I've seen people post here and get responses. You wouldn't even consider posting if you thought it would help?
You're changing the subject. I have no comment on Coinbase or on what I would do in your shoes.

I am commenting on the rules of HN.

Banks do this all the time. They notice fraudulent transactions, call you, or block the transaction outright till they can investigate. The fact that this happened, no one called, no one checked, reduces the faith in the service.
Not to mention that after it happened, they won't even so much as respond to my emails.
Welcome to Bitcoin, where giving up your private keys is synonymous with donating your Bitcoin to the thief who will eventually, inevitably, rob you.

Feel free to sue Coinbase for stealing your money, although it will understandably be hard to prove.

Your best bet is to monitor the Blockchain and hope the coins hit another third party service, you can try to order them to seize the coins.

More than likely they will get mixed beyond recognition before that point, but it's not without precedent (see StrongCoin)

Ya that's the biggest issue for me. They have all the evidence. They haven't even given me the IP used to make the transactions.
There has been a consistent stream of negative coinbase stories, why do people still trust them with their money?
They did offer help, they told him the IP used by whomever initiated the transfer, he's crying over the fact they didn't give him back his BTC.

Given the information provided I'd say it's highly likely his mobile device was the attack surface used. I don't use Coinbase, but a glance at their API docs makes it appear that the API key alone isn't sufficient to initiate a transfer since authentication is required.

If that's the case, this is analagous demanding a refund from your bank when your account was emptied because you lost your wallet, ATM card and a postit note with the PIN # written on it.

nbs

Actually, they didn't tell me the IP address. That X was in the original email.

Also, my phone has a password on it, and the coinbase app and my Authy app both had passwords on them.

So actually, your scenario isn't analagous at all. But thanks for automatically assuming I'm to blame!

You honestly think it's entirely reasonable that someone was able to get past 2FA, take all my coins (+ purchase more) with no security check, and then to have CB give me nothing but radio silence for 3 weeks? Literally not a single word? And then finally tell me "That sucks."?

> Also, my phone has a password on it, and the coinbase app and my Authy app both had passwords on them.

What difference does that make to malware/trojans? Presumably they already have those.

To elaborate:

Trojan on phone catches passwords, phones home & hands them over to the malicious user. Malicious user initiates BTC transfer, uses trojan's remote command and control to bypass 2FA. Job done.

From that perspective, whilst CB could see that a person from a given IP accessed and transferred from your account, what do you expect them to do? Come round to your house and forensically dissect your phone and PC to see what went wrong? Even if they did, to what end? It's not their problem, it's yours.

If you want reaction, go report the crime. If you think Coinbase should refund your BTC, take them to court. Heck, do both. The chances of getting your BTC back are slim to none in any case.

Dude, what are you talking about?

This is an iPhone (non-jailbroken.) Are you saying the official CoinBase app had a trojan? Or Authy, the most widely used 2FA app?

If you're actually curious what I think they should do, we could talk about it, but I don't think you care beyond blaming the victim.

What I don't understand is why you assume I MUST have done something wrong. Do you really think it's impossible that this was a weakness on their end?

If 110 million credit cards can be stolen from Target, maybe it's possible API keys can be stolen from CoinBase?

UPDATE: CoinBase eventually concluded that my API key may have been exposed due to a security flaw that they've since patched. They decided to refund me, and my coins have been returned. Thanks CoinBase!