2+ coinbase accounts hacked, 20k+ stolen, coinbase offers no help
Reddit link: http://redd.it/1uk37k
tuttle123's hack story: http://www.reddit.com/r/CoinBase/comments/1uk37k/coinbase_account_was_hacked_16000_stolen_3_weeks/cejcq8p
Woke up December 15th, check my email and to my horror see "You just sent X BTC..." and "The X BTC you just purchased..." emails in my account. In the span of 3 minutes, the hacker sent the 10BTC I had in my account out, then made instant purchases and transactions of 5 BTC, 3 BTC, and 2 BTC.
Blockchain transactions:
~10 BTC: https://blockchain.info/address/12VvMbLGRAiBYK8fxqNNKEFA3xdapaFhJR
5, 3, and 2 BTC here: https://blockchain.info/address/1PQRoB6sK5MMDQ1WTd4awxsok24gMVSERA
I report this to coinbase through their ticket system. 24 hours later, they sent me some questions. I'll summarize my responses: 1. I had a complex single-use account password. 2. Was not using API, though did have iphone mobile app. 3. Used 2FA with Authy, which never left my side.
I heard nothing from CoinBase for 3 weeks.
A few days ago I received this response:
"I'm very sorry to hear this. It appears that an attacker was able to access your account by using your API access key. While disabled by default, it's imperative that this information be stored securely once enabled. If someone obtains this number they would be able to send all of the bitcoin out of your account."
To reiterate, I didn't enable API access beyond their own mobile app. Apparently I'm out of luck. I don't believe I was particularly negligent here, and their lack of any help (even info, etc) is very frustrating.
I'm happy to answer any questions, here or elsewhere. Advice or recommendations definitely appreciated.
20 comments
[ 3.2 ms ] story [ 31.5 ms ] thread> HN is a news site, not a customer support forum for companies funded by YC, and in fact the site guidelines explicitly ask that it not be used that way:
I am commenting on the rules of HN.
Feel free to sue Coinbase for stealing your money, although it will understandably be hard to prove.
Your best bet is to monitor the Blockchain and hope the coins hit another third party service, you can try to order them to seize the coins.
More than likely they will get mixed beyond recognition before that point, but it's not without precedent (see StrongCoin)
Given the information provided I'd say it's highly likely his mobile device was the attack surface used. I don't use Coinbase, but a glance at their API docs makes it appear that the API key alone isn't sufficient to initiate a transfer since authentication is required.
If that's the case, this is analagous demanding a refund from your bank when your account was emptied because you lost your wallet, ATM card and a postit note with the PIN # written on it.
nbs
Also, my phone has a password on it, and the coinbase app and my Authy app both had passwords on them.
So actually, your scenario isn't analagous at all. But thanks for automatically assuming I'm to blame!
You honestly think it's entirely reasonable that someone was able to get past 2FA, take all my coins (+ purchase more) with no security check, and then to have CB give me nothing but radio silence for 3 weeks? Literally not a single word? And then finally tell me "That sucks."?
What difference does that make to malware/trojans? Presumably they already have those.
To elaborate:
Trojan on phone catches passwords, phones home & hands them over to the malicious user. Malicious user initiates BTC transfer, uses trojan's remote command and control to bypass 2FA. Job done.
From that perspective, whilst CB could see that a person from a given IP accessed and transferred from your account, what do you expect them to do? Come round to your house and forensically dissect your phone and PC to see what went wrong? Even if they did, to what end? It's not their problem, it's yours.
If you want reaction, go report the crime. If you think Coinbase should refund your BTC, take them to court. Heck, do both. The chances of getting your BTC back are slim to none in any case.
This is an iPhone (non-jailbroken.) Are you saying the official CoinBase app had a trojan? Or Authy, the most widely used 2FA app?
If you're actually curious what I think they should do, we could talk about it, but I don't think you care beyond blaming the victim.
What I don't understand is why you assume I MUST have done something wrong. Do you really think it's impossible that this was a weakness on their end?
If 110 million credit cards can be stolen from Target, maybe it's possible API keys can be stolen from CoinBase?