Bitcoin Forum

Other => Beginners & Help => Topic started by: albertdemorcerf on July 25, 2012, 07:13:07 PM



Title: Bitconica
Post by: albertdemorcerf on July 25, 2012, 07:13:07 PM
Bitconica has been referenced in about 1 out of every 10 or so posts I've read. Can anyone give me a quick (or long) summary as to what happened? Can anyone explain this whole hack?

thanks
-albertdemorcerf


Title: Re: Bitconica
Post by: Phinnaeus Gage on July 25, 2012, 07:42:44 PM
Quote
Bitconica has been referenced in about 1 out of every 10 or so posts I've read. Can anyone give me a quick (or long) summary as to what happened? Can anyone explain this whole hack?

thanks
-albertdemorcerf

May I suggest reading a couple of the threads to get your hours in. Not being an ass, but...

~Bruno~


Title: Re: Bitconica
Post by: asw0210 on July 25, 2012, 08:59:20 PM
The website itself doesn't do a bad job explaining what happened.

From https://bitcoinica.com/:
Quote
As promised we are providing further details surrounding the recent security attack on Bitcoinica.

The hacker was successfully able to access an email server. This gave the attacker access to info@bitcoinica.com which in turn allowed them to reset passwords with our hosting provider, Rackspace. From there, they were able to change root passwords, steal the private keys of our hosted bitcoin wallet, and compromise our online database.

In the past, Bitcoinica has been victim to the poor security practices of an irresponsible hosting provider. In this case, the fault was entirely ours. Specifically, here's how things went wrong:

1) We had too many bitcoins in our online wallet.

In light of past experiences you might say this is inexcusable. You would be right. Our practice was to keep online balances to a minimal amount by periodic transfer to offline storage. However, this was a manual process and the online balance could grow quickly and unpredictably from user deposits. We should have had an automatic process or an alert system to prevent the online wallet from growing too large. Indeed, that was planned, but it didn't happen soon enough.

2) Access control and server security did not get the proper attention

Since administrative email accounts can receive password reset links from Rackspace, the administrative contact should have been a secure email address; it was not. Access to this email account should have been limited to administrative personnel.

3) We did not retain needed expertise fast enough

As many of you know, Bitcoinica began as a small project by a solo founder. The advanced trading experience that Bitcoinica brought to the world would not have been possible without Zhou Tong's brave innovation. In light of rapid growth, it was prudent to bring in a larger team with diverse technical specialties, including security. This occurred officially last month when the Bitcoinica Consultancy team stepped in as managers and operators of the business. A transition period ensued. A new platform was conceived which would strengthen Bitcoinica in the long term but took focus away from the present system in the short term. The recent security breach was not beyond our team's skills to prevent. We know better. But we did not address relevant issues as quickly as was needed.

So, what are we going to do about it?

We are choosing to leave Bitcoinica offline until such time as a new platform can be built and tested with security best-practices built-in from scratch. We do not yet have a firm estimate for availability but it will most probably be measured in months.

We will set up a process in the short term for users to withdraw their funds. Further details will be provided once we determine the best approach.

We thank you in advance for your patience. And we humbly apologize for this incident.
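
Point 1 of the quoted statement says an automatic process or alert would have kept the online wallet small. As an added illustration (not part of the thread and not Bitcoinica's code), this Python example replays a constructed deposit ledger under a periodic manual transfer and under a ceiling-triggered sweep with a warning threshold. The ceiling, floor, warning ratio and all ledger values are hypothetical.

```python
from decimal import Decimal

# Constructed sample ledger: (hour, deposit in BTC). Not real Bitcoinica data.
DEPOSITS = [(1, "40"), (2, "15"), (3, "900"), (5, "2500"), (6, "330"),
            (9, "1200"), (11, "30"), (12, "700")]

def manual_sweep(deposits, every_hours, floor):
    """Periodic manual transfer: move funds offline only at fixed hours.

    Returns the largest balance that sat in the online wallet."""
    balance, peak = Decimal(0), Decimal(0)
    for hour, amount in deposits:
        balance += Decimal(amount)
        peak = max(peak, balance)
        if hour % every_hours == 0 and balance > floor:
            balance = floor            # operator sweeps down to the working float
    return peak

def ceiling_sweep(deposits, ceiling, floor, warn_ratio=Decimal("0.8")):
    """Automatic control: warn near the ceiling, sweep once it is crossed.

    Returns (resting_peak, events). resting_peak is the largest balance left
    online after each deposit is handled; a single large deposit still sits
    online until its sweep transaction is sent."""
    balance, resting_peak, events = Decimal(0), Decimal(0), []
    for hour, amount in deposits:
        balance += Decimal(amount)
        if balance > ceiling:
            # Queue a transfer of everything above the float to offline storage.
            events.append((hour, "SWEEP", balance - floor))
            balance = floor
        elif balance >= ceiling * warn_ratio:
            events.append((hour, "WARN", balance))
        resting_peak = max(resting_peak, balance)
    return resting_peak, events

if __name__ == "__main__":
    floor, ceiling = Decimal(100), Decimal(500)   # assumed policy values
    print("manual, every 12h: peak online =", manual_sweep(DEPOSITS, 12, floor))
    peak, events = ceiling_sweep(DEPOSITS, ceiling, floor)
    print("ceiling-triggered: resting peak =", peak)
    for hour, kind, amount in events:
        print(f"  hour {hour:>2}: {kind} {amount} BTC")
```
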


Title: Re: Bitconica
Post by: aimbot on July 25, 2012, 10:30:57 PM
Wow! Thanks for the info on Bitcoinica. If a thief wants something bad enough, then they will eventually find a way to get it.


Title: Re: Bitconica
Post by: Taz on July 25, 2012, 10:57:21 PM
Sure everyone involved is still real pissed,
but will they hold it against bitcoinica forever?


Title: Re: Bitconica
Post by: Bastone on July 26, 2012, 12:42:41 AM
Is bitcoinica currently operating?


Title: Re: Bitconica
Post by: BitcoinNational on July 26, 2012, 12:13:02 PM
Quote
The website itself doesn't do a bad job explaining what happened.

 :o


Title: Re: Bitconica
Post by: BadBear on July 26, 2012, 12:16:27 PM
Quote
Is bitcoinica currently operating?

No it's been shut down.


Title: Re: Bitconica
Post by: Taz on July 26, 2012, 06:48:58 PM
Quote
Claims
We apologize for this incident and the inconveniences it has caused. The incident happened during a transition period, which was initiated to bring Bitcoinica up to a professional level of security. Bitcoinica will not continue operations until the transitional process has been completed.

I think they plan on starting up again if they can pay it all back first.
Would you trust them?


Title: Re: Bitconica
Post by: c0in$ on July 26, 2012, 07:20:12 PM
No


Title: Re: Bitconica
Post by: asw0210 on July 27, 2012, 07:39:35 PM

Quote
I think they plan on starting up again if they can pay it all back first.
Would you trust them?

I would trust them. I think an incident like that would be akin to breaking a bone. When the bone is healed it's stronger than it was before.

Unless it were an inside job like an autoimmune disease :D


Title: Re: Bitconica
Post by: Phinnaeus Gage on July 28, 2012, 06:47:46 AM
Quote
...blah, blah, blah...We thank you in advance for your patience. And we humbly apologize for this incident.

Update: Bitcoinica is currently considering selling Chinese relics to help compensate those... Nevermind! It seems some hacker just stole our relics.


Title: Re: Bitconica
Post by: Taz on July 28, 2012, 02:03:15 PM
Quote
...blah, blah, blah...We thank you in advance for your patience. And we humbly apologize for this incident.

Update: Bitcoinica is currently considering selling Chinese relics to help compensate those... Nevermind! It seems some hacker just stole our relics.

Yes Yes, learned my lesson:
"Do not talk about things of which you have no understanding."


Title: Re: Bitconica
Post by: Bitcoin Oz on July 28, 2012, 02:06:05 PM
http://zhoutong.me is also down. Maybe it was all the visits from relic hunters :D


Title: Re: Bitconica
Post by: BitBuster on July 28, 2012, 03:44:55 PM
Bitcoinica tl;dr = 17 year old kid built an exchange, took everyone's money, and continues to invent spurious lies to the contrary.


BB.