Coinbase account hacked - sucks :( What should I do differently?

[az14876]

Beginning of December I jumped into the BTC fray, started with 3 BTC.  I figured I was long on these and *should have* converted these to paper, but let them sit there for the time being.

I turned on 2-factor authentication with Authy, and I did turn on my API to run a Windows app (Bitcoin Tradr) so I could have a running ticker on my metro panel.  I completed all the verification steps with Coinbase so I could start instant purchases down the road. Also, I downloaded the COinbase app to my Android phone.

Fast forward a month... I'm out working in the yard this afternoon and my email alert goes off and my heart jumps into my throat: 3 BTC transfered to a unknown wallet and Coinbase shows a pending transaction for 1 BTC and that was already transferred out as well.  Rush to the laptop, no BTC in my account, one pending purchase, and a total of 4 BTC moved out.

Immediately remove my bank account and credit card info from Coinbase.  No transactions showing on their websites, but I'm sure something will hit in the next day or two - both the bank and the backup credit card said they cannot preemptively stop a EFT transaction, so... dispute as fraud when it hits?

About 2 hours ago, looks like a bunch of new wallets were created on my account, not sure why...

Disabled API key, changed password, email Coinbase - no response as of yet.

The receiving wallet is 18XmFQ6YCsJDbtBxvQcNgyUNwh8MkpoMv4 - what's weird is when I look at account activity my IP address is the only one listed.

So, where'd I go stupid (besides failing to convert to paper) - was it the Bitcoin Tradr app? Is there a weakness in Coinbase's API hosting?

I figure I'm SOL on at least the three coins, the fourth one is kindof up-in-the-air, Coinbase may have to eat that one. If anyone has any sage advice I'm all ears...

[AKAnotOutkast]

this is what happend to me-

Just want to inform other users of cryptsys lack of security. I had 7.8 primecoins stolen and sold on cryptsy last night, and there system let it happen. heres how it worked-
#1 I didn't use 2 step auth as I thought the email withdraw verification would stop unautherized withdrawals. my mistake for trusting crypsty withdraw process.
hacker was able to gain access to my gmail account. with this he/she was simply able to use 'forgot password' to reset my password, with access to my email user was able to simply log on with new temporary password.
upon logging on user changed my email confirmation address (so i guess cause i never got a confirmation email) they changed confirmation email address, went directly to my XPM balance, sold coins, went directly to BTC balance and withdrew btc to their btc address, then they must have changed my confirmation email back to the origainal.
Now, i am wondering how all this can happen and not set off a red flag, If i noticed a draining of an account IMMEDIATELY after a password reset AND immediately after changing a withdraw verification email address, wouldn't this be a RED FLAG?
Cryptsy response is #1 they say after coins left crypsty there is nothing they can do about it. - guess they are not FDIC insured LOL
2 after submitting another ticket trying to get them to give me IP address of the logged on hacker, they replied "Stop submiting so many tickets, your case is being investigated"
?? great customer relations i guess is not in there portfolio
What I have learned - NEVER EVER EVER trust cryptsy. AND never leave coins in your crypsty account. which i don't know how to trade coins profitable since it can take DAYS to process a withdraws or deposit. this is why i left coins i my crypsty account so i could sell once they hit a good price.
AND i figure the hacker musta been a kid, causes if i had keys to the bank i would have waited it the balance was several hundred instead of robbing a bank of $30.
BUT most of you will say, why am i so upset if it is $30. Well this is the 4th time in 2 weeks I have lost coins to a hacker, total lost in 2 weeks $105.. but that is another story.
ALSO i have learned to mine LTC ONLY as this prevents the need for crypsty.

[odolvlobo]

Never leave coins in someone else's wallet. You are going to lose them.

[motatoys]

always store your coins in a offline wallet

[jonanon]

Never leave coins in someone else's wallet. You are going to lose them.

All well and good but for trading there is not much choice, only leave coins that are in open orders, use a different email address for everything! different password for everything and a different user name for everything. Always use 2FA if it's available - even this you're not 100% safe but you should be more protected than you are now.

[az14876]

Well, no response from Coinbase six hours later, but the app developer for Bitcoin Tradr did promptly reply.  They indicated that they've never had a user's account hacked and the API is never stored on their side unless a user opts-in (did I? I don't know... what would a user opt-in for anyways).

A whole host of questions were asked, and there was also the suggestion of a Windows 8.1 vulnerability (but did not expand upon that). The laptop I'm using with their app is literally a week old, brand new shipped from Costco, is hard-drive secured (for work purposes), in my home office, and my wife has no idea what a BTC is, so the transaction certainly wasn't initiated on my local machine or phone. 

Coinbase's website doesn't show any direct activity on their website or mobile site that I don't recognize, so the transaction appears to have occurred external to Coinbase, and the ONLY app to whom I've release my API key was mentioned above.  Barring any super-secret malware or keylogger that has yet to be detected, all signs point to my API key compromising my account, and likely through the app somehow.

I did manage to close the attached bank account and backup credit card that was verified for instant purchases, so Coinbase is going to eat the $900 transaction.   

Anyways, such is the beauty and curse of BTC.  Things I'll do differently next time: NEVER release my API key, and convert to paper if long on BTC.

Guess I'll wait for another bubble dip and buy back in.  I'd like to know who basically stole 4 BTC from me so I can swing by their place, shake their hand for being so slick then break their knees... 

[ninjitsu]

I would recommend immediately formatting your hard drive and reinstalling your OS after backing up your critical files.  connect to the internet initially after reboot only for patch updates and maybe even call your ISP to ask to provide you with a new IP.

[digitalminer407]

WOW!!  Sorry to hear that!!   

I would remove the app on your phone because I also have heard of an error with Android and a back door hack that allowed access to peoples phones which in turn caused others to lose bitcoins.

I am surprised about Coinbase.......use them as well and chose them because they are U.S. based. 

I hope karma works in your favor.........bad luck to all the bitcoin theives out there!!  It is a shame people have to steal. 

[gigacoiner]

I thought coinbase made it now so that you need to enter 2 factor authentication code before sending coins out.

I turned on 2-factor authentication with Authy, and I did turn on my API to run a Windows app (Bitcoin Tradr) so I could have a running ticker on my metro panel.  I completed all the verification steps with Coinbase so I could start instant purchases down the road. Also, I downloaded the COinbase app to my Android phone.

[az14876]

WOW!!  Sorry to hear that!!   

I would remove the app on your phone because I also have heard of an error with Android and a back door hack that allowed access to peoples phones which in turn caused others to lose bitcoins.

I am surprised about Coinbase.......use them as well and chose them because they are U.S. based. 

I hope karma works in your favor.........bad luck to all the bitcoin theives out there!!  It is a shame people have to steal. 

Yeah - over dinner I tried to explain BTC to the wife and why it's not like the bank or PayPal that I can simply call and dispute the transaction.  After a few moments she asked why I wasn't totally pissed about losing $3k... I couldn't do anything but chuckle about it.  That's not to say I'm not pissed, but no use staying mad about it. This does mark the first time I've been jacked on a financial transaction via the internet - talk about crap timing.  I'm trying not to be discouraged about BTC, but I'm just sitting here scratching my head as to how I could've better protected myself.

I thought coinbase made it now so that you need to enter 2 factor authentication code before sending coins out.

I turned on 2-factor authentication with Authy, and I did turn on my API to run a Windows app (Bitcoin Tradr) so I could have a running ticker on my metro panel.  I completed all the verification steps with Coinbase so I could start instant purchases down the road. Also, I downloaded the COinbase app to my Android phone.

You'd think - but assuming that access was obtained via API, then apparently there's a loophole there.  Again, I make that assumption because the network activity per their website shows nothing but just my IPs logging on since the account was created. I don't keep my Authy codes laying around (write them down, screenshots, etc.) so the only other access weakness could be the Android phone?  I wouldn't even know where to start.  That's another lesson learned I guess is never engage in BTC transactions via smartphone. Until Coinbase responds with more information, I don't have much to go on and it doesn't sound like the web app developer has any method to audit or recall transactions (or if they do, they haven't expressed any interest in doing so).

Bah...

[cryptic4000]

Sorry to hear about your loss.

Suspect#1 API to run a Windows app (Bitcoin Tradr)
Suspect#2 Mobile App

I have 2 factor authentication with Coinbase, but no API stuff. I never use the coinbase mobile app as well.

[coolz]

always store your coins in a offline wallet

That!

Dont trust anyone with money like that Even though its virtual, treat it like its paper.

[az14876]

Coinbase finally replied; they cancelled the transaction for the 1 BTC purchase, but since it was already sent out, looks like they're eating that purchase.  SOL on the other 3 BTC as figured.

They indicated the activity was through my API from IP 66.18.12.197 in Dallas, TX.  That's about all the information they had.

The Bitcoin Tradr app developer also replied, went through a whole series of explanations to defer blame from them, including:

• My two-week old laptop was compromised during shipping from Costco and malware inadvertently installed and that my attempts to identify malicious software would be met with an 80% failure rate and I'd likely not know if I was ever compromised; and/or
• Suggesting that it was a close friend/family member/someone I personally know that jacked me; and/or
• Coinbase has weak API security

I guess that pretty much closes the chapter on this ordeal (unless someone can trace an IP to a specific physical address/person in Dallas; flights are cheap  ). Life goes on: convert to paper if long, don't release the API key to anything for any reason, and Bitcoin Tradr and Coinbase are blacklisted forever.

[hopper21]

WOW!!  Sorry to hear that!!   

I would remove the app on your phone because I also have heard of an error with Android and a back door hack that allowed access to peoples phones which in turn caused others to lose bitcoins.

I am surprised about Coinbase.......use them as well and chose them because they are U.S. based. 

I hope karma works in your favor.........bad luck to all the bitcoin theives out there!!  It is a shame people have to steal. 

I have not yet got my first android phone, but have recently been  considering it. The big worry for me is the fact they seem to be easier to hack than bog standard phones. Could you tell me which app came with a back door hack because I never want to install it.

[m1hlm]

u can use wallet in your mobile now i think is more secure