Bitcoin Forum

Economy => Speculation => Topic started by: pinger on March 06, 2013, 12:10:59 PM



Title: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: pinger on March 06, 2013, 12:10:59 PM
Well, it's not like that, but it looks like Bitinstant was hacked.

http://www.finextra.com/News/FullStory.aspx?newsitemid=24607

So sell your BTC now, so I can buy more.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: piramida on March 06, 2013, 12:12:35 PM
12 000 dollars, really? my grandma gets regularly hacked for more money.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Digikeys on March 06, 2013, 12:46:37 PM
12 000 dollars, really? my grandma gets regularly hacked for more money.

+2 for piramida.. I lol'd at this and the 'religion permits you from using google'

Well played sir.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Herodes on March 06, 2013, 12:52:10 PM
12K USD was an unfortunate loss, but I do think that this also showed that BitInstant had security measures in place, it could've been worse. This sounds like basically one of the worst things that can happen.

But now that this vector of attack has been revealed, it's time to learn and secure it even more.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: proudhon on March 06, 2013, 12:55:40 PM
Hosting companies and the like have become fruitful attack vectors.  A lot of them clearly don't take security seriously enough if you can call up or write in with a close enough looking email address and get elevated rights.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Herodes on March 06, 2013, 01:02:09 PM
Hosting companies and the like have become fruitful attack vectors.  A lot of them clearly don't take security seriously enough if you can call up or write in with a close enough looking email address and get elevated rights.

Well - for the average customer - security is good enough - bitcoin businesses on the other hand have a lot higher demands for security.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: bullioner on March 06, 2013, 01:07:01 PM
The article doesn't explain the vector from getting access to domain registration administration via the domain registrar, to how the Bitcoins were stolen.  It isn't obvious what this vector would be, and must depend on the specifics of Bitinstant's setup.  Does anyone have more details on this?  Was it actually that they got access to a virtual server?  In which case, why are Bitinstant using virtual servers hosted by someone else?


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Herodes on March 06, 2013, 02:47:11 PM
In which case, why are Bitinstant using virtual servers hosted by someone else?

A good question - perhaps Bitinstant can answer it ?


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Blazr on March 06, 2013, 02:55:55 PM
It wasn't the hosting company it was the domain registrar, they used Site5 to register the domain and the hacker convinced them to hand over control of the domain name to him/her. IMO it isn't such a good idea to use Site5 to register domains seeing as it isn't actually an accredited registrar but a reseller for eNom.

I've seen similar happen before, I don't know the exact details of this attack, but the problem of using a reseller like Site5 is that eNom, the actual registrar, don't have the customers' details on file, and a hacker can contact eNom directly claiming to own the domain and they would have no idea if it's true or not.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Morblias on March 06, 2013, 03:04:39 PM
Quote
However, says the post, various security measures, such as multi-factor authentication and auto lockdowns prevented any more theft and no personal or transactional information from users has been leaked.

+1 for BitInstant


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: twolifeinexile on March 06, 2013, 03:54:55 PM
Quote
However, says the post, various security measures, such as multi-factor authentication and auto lockdowns prevented any more theft and no personal or transactional information from users has been leaked.

+1 for BitInstant

Unfortunately for BitInstant, but it seems their security practice prevented a much bigger disaster.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Gareth Nelson on March 08, 2013, 06:15:06 AM
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: creativex on March 08, 2013, 06:38:03 AM
I've tried to use bitinstant several times in the last couple days, but there's always an error. ???


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: pinger on March 08, 2013, 07:48:28 AM
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Thanks for the link Gareth


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: apetersson on March 08, 2013, 08:51:41 AM
The description of the hack sounded like an awful lot of work and risk for only 333 BTC. Where I live, you earn that easily in three months of honest work as a developer.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: pinger on March 08, 2013, 08:56:45 AM
The description of the hack sounded like an awful lot of work and risk for only 333 BTC. Where I live, you earn that easily in three months of honest work as a developer.

Maybe it was just an attention touch.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: piramida on March 08, 2013, 09:34:57 AM
The description of the hack sounded like an awful lot of work and risk for only 333 BTC. Where I live, you earn that easily in three months of honest work as a developer.

Well if it originated in Russia it could be an annual salary; but nevertheless, obviously thieves were aiming for more, but that's the most they managed to get out in that 12 hours or how long they owned the domain. The hack itself cost hundreds of dollars, so it definitely paid off anyway.

There is a good lesson in all of this. Don't register your domains with cheap shops. Keep your security questions unguessable. No, you don't have to use your actual mother's maiden name.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: bullioner on March 08, 2013, 09:57:57 AM
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Roll on the day when we can securely register names via some kind of global proof-of-work-based transaction log, providing a secure basis for every aspect of name registration.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Morblias on March 08, 2013, 02:51:43 PM
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Gareth Nelson on March 08, 2013, 03:10:26 PM
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?

In an ideal world they would, there's a possibility we could hold them liable but I'd not want to comment on that either way without taking legal advice first.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: malevolent on March 08, 2013, 03:35:09 PM
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?

In an ideal world they would, there's a possibility we could hold them liable but I'd not want to comment on that either way without taking legal advice first.

What was the ToS and what is the law in the country the company is based in? Don't repeat Bitcoinica's, Slush's and others' mistakes IIRC they didn't try to recover the money (almost a quarter of a million $) via legal routes.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Richy_T on March 08, 2013, 03:46:33 PM
I haven't heard the full details but once you have control of a domain name, there's a lot you can do. If you can reset or recover your password with an email, if someone gets the domain, they can redirect all email to that domain to their own mail server. Et voila, they're in. If your site doesn't use HTTPS (and possibly even if it does), there are man-in-the-middle attacks.

It's even not terribly hard to take control of a domain name even without social engineering. Typically, most registrars just require a copy of your DL on company headed notepaper and some trivial other stuff. I've had to do it for domains that were legitimately our company's several times.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Gareth Nelson on March 08, 2013, 03:47:00 PM
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?

In an ideal world they would, there's a possibility we could hold them liable but I'd not want to comment on that either way without taking legal advice first.

What was the ToS and what is the law in the country the company is based in? Don't repeat Bitcoinica's, Slush's and others' mistakes IIRC they didn't try to recover the money (almost a quarter of a million $) via legal routes.

Again, not commenting either way until seeking legal advice, customers aren't affected by this so it's not as high priority as it would be if we'd lost customer funds. Basically, it's BitInstant that takes the hit, not our clients.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Richy_T on March 08, 2013, 03:52:33 PM
I haven't heard the full details but once you have control of a domain name, there's a lot you can do. If you can reset or recover your password with an email, if someone gets the domain, they can redirect all email to that domain to their own mail server. Et voila, they're in. If your site doesn't use HTTPS (and possibly even if it does), there are man-in-the-middle attacks.

It's even not terribly hard to take control of a domain name even without social engineering. Typically, most registrars just require a copy of your DL on company headed notepaper and some trivial other stuff. I've had to do it for domains that were legitimately our company's several times.

Though with that said, security really shouldn't depend on DNS if it's being done properly. I'd be interested to hear what the actual method of attack was just to see if it's one I've heard of.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: DeathAndTaxes on March 08, 2013, 04:11:27 PM
Though with that said, security really shouldn't depend on DNS if it's being done properly. I'd be interested to hear what the actual method of attack was just to see if it's one I've heard of.

Agreed though it wasn't BitInstant's security which was compromised it was VirWox.

VirWox WTF are you thinking?   It is 2013.   Implement 2FA on your exchange or shut down.  Period.   


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: malevolent on March 08, 2013, 04:12:01 PM
Again, not commenting either way until seeking legal advice, customers aren't affected by this so it's not as high priority as it would be if we'd lost customer funds. Basically, it's BitInstant that takes the hit, not our clients.

Well, if you DO manage to regain the lost money let us know on the forums and how you did it, it might be useful to some.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Morblias on March 08, 2013, 04:40:43 PM
Comment from Site5

Quote
Hi everyone,

We conducted a full investigation internally and this in no way was due to any slip in our security. The only reason the attacker was able to add an email and take over this account was because they knew the two answers to the security questions on this account. They did not receive that information from us in any way. We take security very seriously and have stringent safeguards in place to prevent social engineering.

Here is our public post as well with details:
http://www.site5.com/blog/s5/security-and-social-engineering/20130307/

Please let me know if you have any questions,
Thanks, Ben
CEO at Site5

I guess it only takes 2 security questions to gain access. Is this typical for site registrars? I would think something as important as a business website would be protected by more than 2 questions.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Richy_T on March 08, 2013, 04:53:22 PM
Comment from Site5

Quote
Hi everyone,

We conducted a full investigation internally and this in no way was due to any slip in our security. The only reason the attacker was able to add an email and take over this account was because they knew the two answers to the security questions on this account. They did not receive that information from us in any way. We take security very seriously and have stringent safeguards in place to prevent social engineering.

Here is our public post as well with details:
http://www.site5.com/blog/s5/security-and-social-engineering/20130307/

Please let me know if you have any questions,
Thanks, Ben
CEO at Site5

I guess it only takes 2 security questions to gain access. Is this typical for site registrars? I would think something as important as a business website would be protected by more than 2 questions.

Security questions are about the dumbest kind of "security enhancement" out there. Especially when they are used as a way to get around a password (I can keep a password secret, I can't keep my mother's maiden name secret and any question which isn't public record is probably easily findable (favorite authors, bands etc) or has been used on a dozen other sites). It's like the people implementing security out there (or at least the people in charge of them) are sheep, only able to consider and adopt the latest fad non-security measure and not able to sit down, read some papers and comprehend and work things from the ground up.

DAMMIT THESE ARE SOLVED PROBLEMS, PEOPLE!!!

Sorry for the rant.


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Fiyasko on March 08, 2013, 05:04:27 PM
Goes to show how competent Site5 is.
This is seriously not BitInstant's fault


Title: Re: Sell, sell, sell The hack of Bitcoin 2013 again
Post by: Gareth Nelson on March 08, 2013, 05:13:51 PM
I haven't heard the full details but once you have control of a domain name, there's a lot you can do. If you can reset or recover your password with an email, if someone gets the domain, they can redirect all email to that domain to their own mail server. Et voila, they're in. If your site doesn't use HTTPS (and possibly even if it does), there are man-in-the-middle attacks.

It's even not terribly hard to take control of a domain name even without social engineering. Typically, most registrars just require a copy of your DL on company headed notepaper and some trivial other stuff. I've had to do it for domains that were legitimately our company's several times.

Though with that said, security really shouldn't depend on DNS if it's being done properly. I'd be interested to hear what the actual method of attack was just to see if it's one I've heard of.

This was explained in the blog post but essentially they redirected emails to a server under their control and got sent a password reset link.
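

The takeover path discussed in this thread (control of the domain, mail redirected to another server, then a password reset link) shows up in DNS as changed NS and MX records. As an added example that is not part of any post here, this Python sketch compares an observed DNS answer against a pinned baseline; example.test, every hostname and both record sets are constructed placeholders.

```python
# Added example: all records below are constructed; example.test is a placeholder.
from collections import defaultdict

WATCHED = ("NS", "MX")  # record types that decide who answers for the domain and who receives its mail

# Pinned baseline, in dig-style answer lines (name, TTL, class, type, data).
BASELINE = """\
example.test. 86400 IN NS ns1.dns-provider.test.
example.test. 86400 IN NS ns2.dns-provider.test.
example.test. 3600 IN MX 10 mail.example.test.
"""

# Constructed answer after a registrar-level takeover: NS and MX repointed.
OBSERVED = """\
example.test. 300 IN NS ns1.unknown-host.test.
example.test. 300 IN NS ns2.unknown-host.test.
example.test. 300 IN MX 5 mx.unknown-host.test.
"""

def parse(text):
    """Parse dig-style lines into {record_type: set(target_hosts)}."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        # Skip comments, blank lines and record types we do not watch.
        if len(parts) < 5 or parts[2] != "IN" or parts[3] not in WATCHED:
            continue
        # Last field is the NS host or the MX exchange (after the preference).
        records[parts[3]].add(parts[-1].rstrip(".").lower())
    return records

def drift(baseline_text, observed_text):
    """Return (severity, message) findings for every departure from the baseline."""
    base, seen = parse(baseline_text), parse(observed_text)
    findings = []
    for rtype in WATCHED:
        for host in sorted(seen[rtype] - base[rtype]):
            findings.append(("critical", f"{rtype} now includes unpinned host {host}"))
        for host in sorted(base[rtype] - seen[rtype]):
            findings.append(("warning", f"{rtype} no longer lists pinned host {host}"))
    return findings

def mail_at_risk(findings):
    """True when an unpinned NS or MX host could receive password-reset mail."""
    return any(severity == "critical" for severity, _ in findings)

if __name__ == "__main__":
    for severity, message in drift(BASELINE, OBSERVED):
        print(f"[{severity}] {message}")
```

Run on a schedule against a resolver outside your own infrastructure, a critical finding is the cue to freeze email-based password resets until the records are verified.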