Bitcoinica Warning: Please do not re-use any old Bitcoin deposit addresses

[zhoutong]

Source: https://www.bitcoinica.com/posts/warning-please-do-not-re-use-and-old-bitcoin-deposit-addresses

Dear Bitcoinica Users,

PLEASE DO NOT RE-USE ANY OLD BITOIN DEPOSIT ADDRESSES

Many of you have heard that several bitcoin services were victims of a recent Linode security breach today. Unfortunately, Bitcoinica is also among the services affected.

On 2013-03-01 at 6:30 UTC, our "hot wallet" hosted at Linode and containing over 10,000 BTC was emptied.  The unauthorized access is consistent with that experienced by other bitcoin services, described by Linode as unauthorized access from Linode's "customer support interface".

PLEASE DO NOT RE-USE ANY OLD BITOIN DEPOSIT ADDRESSES

Customers should not use any bitcoin addresses previously used to fund their Bitcoinica accounts.

We must assume that the thief has retained private keys associated with old bitcoin deposit addresses. This would allow them to access any new bitcoins sent to old deposit addresses. As of now, our website will only display new deposit addresses which are not affected by this. However any old bitcoin addresses which you may have recorded for convenience should never be used ever again. This is the most important thing:

PLEASE DO NOT RE-USE ANY OLD BITOIN DEPOSIT ADDRESSES

Other important things:

- Customer funds will not be affected.

Bitcoinica is committed to absorbing any loss. The thief stole from us, not you.

- Customer data is safe.

The compromised server was entirely dedicated to holding our bitcoin "hot wallet" only. Thankfully, this function is the –only- one ever hosted at Linode. No customer data has ever been hosted at Linode. Also, there is no privileged access from the affected server. This means that no passwords, account activity, or any other customer data has been exposed by this incident.

Less important things:

This is a very unfortunate event. To support instant withdrawals for customers, our “hot wallet” balance was necessarily higher than other services. As such the impact to us is larger. However, Bitcoinica is financially sound and our customers will not be affected.

Linode has been a well-respected hosting provider. We have reached out to them to be as cooperative as possible in helping them identify the security breach that led to this incident, but have not yet received a response.

We hope we can soon report their full cooperation in recovering this loss.

Thank you to our customers for your support.

[1715573500]

1715573500

[cypherdoc]

Wow.  Bitcoins sure are popular today.

[Eveofwar]

Wow.  Bitcoins Linode sure are is popular today.

FTFY

[notme]

more and more worthless with every theft.

Nope.

[Electricbees]

I've been wondering what happened... This is very unfortunate.
As is everything I'm seeing on this forum as of recent, God dammit...

I hate thieves. That is all.

[notme]

yep.

Then why has the price not dropped at all on this news... It has instead been fairly bullish today.

[koin]

Many of you have heard that several bitcoin services were victims of a recent Linode security breach today. Unfortunately, Bitcoinica is also among the services affected.

et tu, zhou-te?

there's more coming too i bet.

[proudhon]

yep.

Then why has the price not dropped at all on this news... It has instead been fairly bullish today.

You better hope the thieves actually want bitcoin and not USD.

[notme]

yep.

Then why has the price not dropped at all on this news... It has instead been fairly bullish today.

You better hope the thieves actually want bitcoin and not USD.

Or they could want thousands of other things you can get for BTC.

[Eveofwar]

yep.

Then why has the price not dropped at all on this news... It has instead been fairly bullish today.

You better hope the thieves actually want bitcoin and not USD.

Or they could want thousands of other things you can get for BTC.

proudhon is just praying for the short

[cypherdoc]

the point is the thieves consider Bitcoin valuable.

[Hunterbunter]

People have been stealing USD since they were first created. Has that stopped people using it?

[finway]

That's why

we should support BIP16 as soon as possible...

[proudhon]

People have been stealing USD since they were first created. Has that stopped people using it?

No, but if somebody steals a bunch of USD I can still go to the store the next day and buy the same amount of stuff I could the day before with the USD I have.

[Littleshop]

People have been stealing MONEY since they were first created. Has that stopped people using it?

FTFY

[ineededausername]

hmm

Too late

[proudhon]

Z i dint get any email from you about this



Z will Linode will give you 50 000 USD ?

The Linode's user agreement says, "no".

[bitcoinBull]

damn.  hot wallet is hot.

[da2ce7]

@ zhoutong

What is the tx id of the lost coins?

[acoindr]

Z i dint get any email from you about this



Z will Linode will give you 50 000 USD ?

The Linode's user agreement says, "no".

I'm sorry but this looks like an inside job at Linode to me. There is also the theft from slush and the bitcoin faucet (and who knows who else), so a total of over 13,000 BTC or about 65K USD market value. Supposedly some outside hacker knew different high value sites would have Bitcoin wallets on Linode?

[Nefario]

This doesn't make sense, why would you have a hot wallet with 10K BTC? Why would it ONLY be stored on a Linode VPS?

Hadn't bitcoinica gone all quiet for some time before this happened?

I think this is just a handy way to release some old bad news.

[proudhon]

damn.  hot wallet is hot.

Zs hot wallet was hot.
And now his hot wallet is not.

[pirateat40]

This doesn't make sense, why would you have a hot wallet with 10K BTC? Why would it ONLY be stored on a Linode VPS?

Hadn't bitcoinica gone all quiet for some time before this happened?

I think this is just a handy way to release some old bad news.

I disagree, whatever happened, happened today.  I move coins all the time in and out of bitcoinica without an issue.

[Eveofwar]

@ zhoutong

What is the tx id of the lost coins?

+1

EDIT:  http://blockchain.info/tx-index/2873808/0268b7285b95444808753969099f7ae43fb4193d442e3e0deebb10e2bb1764d0 ?

[malevolent]

The Linode's user agreement says, "no".

That doesn't mean they Linode can't be sued and forced to reimburse the losses.

[kiba]

The Linode's user agreement says, "no".

That doesn't mean they Linode can't be sued and forced to reimburse the losses.

It would need to be worth the lawyer fee to sue.

[bitcoinBull]

This doesn't make sense, why would you have a hot wallet with 10K BTC? Why would it ONLY be stored on a Linode VPS?

Hadn't bitcoinica gone all quiet for some time before this happened?

I think this is just a handy way to release some old bad news.

I figure he wanted to host the site, with user information and all, separately from the wallet.  That way if the site gets penetrated (which one would think is more likely since it has more attack vectors), the wallet would still be secure.

damn.  hot wallet is hot.

Zs hot wallet was hot.
And now his hot wallet is not.

Au contraire, now its even hotter.

[kurtosis]

That's why

we should support BIP16 as soon as possible...

Actually no.  This too will pass.  Bitcoin is a multi-decade project, and once technical decisions are written into the blockchain they are very hard or impossible to reverse.

Hence, it's much more important for the dev team to resist artificial time pressures and focus on making the right decision for the long-term, even if they need to take longer in the short-term to fully understand the ramifications and consequences of crucial technical decisions.

[evoorhees]

Zhou, thank you sincerely for being honorable, reporting quickly and fully, and absorbing the loss.

Very impressed with you and Slush today. I give you my sincere gratitude.

[DeathAndTaxes]

more and more worthless with every theft.

Generally speaking criminals don't steal worthless things.

Like for example I haven't ever heard of a thief stealing poop out of someone's toilet, rotten garbage, or used tissues.

I have heard of thieves stealing artwork, cars, gold, currency and yes Bitcoins.

[finway]

That's sad.

[kurtosis]

- Customer data is safe.

The compromised server was entirely dedicated to holding our bitcoin "hot wallet" only. Thankfully, this function is the –only- one ever hosted at Linode. No customer data has ever been hosted at Linode. Also, there is no privileged access from the affected server. This means that no passwords, account activity, or any other customer data has been exposed by this incident.

I just noticed that the Bitcoinica login page appears to have no lost/forgot password functionality, that the only way to change your password is to successfully login and change it from the admin account.  Might I suggest adding this feature?  

The reason is that if Bitcoinica is ever cracked and the pwd database stolen, the thieves could run a script that changes all the passwords, as the Mt. Gox hackers did last summer.  I, having stupidly used the same login credentials as my Facebook and Twitter accounts, lost both those social media accounts in addition to my Mt.Gox one.  

It was only because they had password reset functionality publicly exposed on the login page that I was able to quickly send myself a pwd reset email and get them back before they also changed my account email address or any other harm was done.  

But as it is, if such an attack ever succeeds on Bitcoinica, the account is gone, no way for the user to quickly recover it.

[marked]

Supposedly some outside hacker knew different high value sites would have Bitcoin wallets on Linode?

trivial to determine - nslookup/dig a records and then traceroute to all the large sites. Find common denominators. See linode is one, hack linode, have many BTC.

marked

[btc_artist]

Zhou, thank you sincerely for being honorable, reporting quickly and fully, and absorbing the loss.

Very impressed with you and Slush today. I give you my sincere gratitude.

+1;

[acoindr]

Supposedly some outside hacker knew different high value sites would have Bitcoin wallets on Linode?

trivial to determine - nslookup/dig a records and then traceroute to all the large sites. Find common denominators. See linode is one, hack linode, have many BTC.

marked

True, but that still implies beforehand knowledge or a guess that large BTC sites would have a host in common. Then upon gaining the target is it really that inconsequential to gain such high level access to Linode, such a respected Linux host, as evidenced by them being a common denominator among sites? (although I suppose that could be the basis for such a guess... but still, then to easily gain access? Either Linode is guilty or they shouldn't be hosting anyway.)

[Raoul Duke]

more and more worthless with every theft.

Generally speaking criminals don't steal worthless things.

Like for example I haven't ever heard of a thief stealing poop out of someone's toilet, rotten garbage, or used tissues.

I have heard of thieves stealing artwork, cars, gold, currency and yes Bitcoins.

Couldn't agree more with you even if I wanted to

[zhoutong]

- Customer data is safe.

The compromised server was entirely dedicated to holding our bitcoin "hot wallet" only. Thankfully, this function is the –only- one ever hosted at Linode. No customer data has ever been hosted at Linode. Also, there is no privileged access from the affected server. This means that no passwords, account activity, or any other customer data has been exposed by this incident.

I just noticed that the Bitcoinica login page appears to have no lost/forgot password functionality, that the only way to change your password is to successfully login and change it from the admin account.  Might I suggest adding this feature?  

The reason is that if Bitcoinica is ever cracked and the pwd database stolen, the thieves could run a script that changes all the passwords, as the Mt. Gox hackers did last summer.  I, having stupidly used the same login credentials as my Facebook and Twitter accounts, lost both those social media accounts in addition to my Mt.Gox one.  

It was only because they had password reset functionality publicly exposed on the login page that I was able to quickly send myself a pwd reset email and get them back before they also changed my account email address or any other harm was done.  

But as it is, if such an attack ever succeeds on Bitcoinica, the account is gone, no way for the user to quickly recover it.

All customer passwords were encrypted with BCrypt. It's almost impossible to brute force even when the database is compromised.

Currently we require manual password reset because we want to evaluate the risk levels of password reset before we take actions on any accounts. E-mail shouldn't be the master key to everything.

[btc_artist]

All customer passwords were encrypted with BCrypt.

The correct term is "hashed", not "encrypted". Huge difference.

[cypherdoc]

All customer passwords were encrypted with BCrypt.

The correct term is "hashed", not "encrypted". Huge difference.

i sure hope Zhou knows the difference 

[btc_artist]

All customer passwords were encrypted with BCrypt.

The correct term is "hashed", not "encrypted". Huge difference.

i sure hope Zhou knows the difference 

Well, he mentioned BCrypt, which is a hashing function, not an encryption function.  I think he just inadvertently used the wrong term here.

[zhoutong]

All customer passwords were encrypted with BCrypt.

The correct term is "hashed", not "encrypted". Huge difference.

You're right. I made a mistake here. It should be "hashed".

[graingert]

Have you had your cert re-keyed? http://help.godaddy.com/article/4976?locale=en

[roomservice]

When does deposits into new addresses show up in my account? I'am waiting for about half a day now :>

[occulta]

zhoutong you were asking for this, vulnerabilities in your site i even pointed out from the start, it was only a matter of time before you make another mistake. (hosting coins on a cloud/vps based service)

[farfiman]

damn.  hot wallet is hot.

Zs hot wallet was hot.
And now his hot wallet is not.

Proudhon= Dr.Seuss