Bitcoin Forum
Author Topic: CryptoThrift escrow service compromised  (Read 1421 times)
mmsen (OP), Full Member (Activity: 208, Merit: 100)
October 07, 2014, 01:00:01 AM  #1

In the early hours of Sunday 5th October, CryptoThrift was subject to a well-planned and clinically executed security breach.  Our hot wallet was compromised and our attackers managed to steal a little over 15 BTC of funds that were held in escrow.  The nature of the attack was such that it was not immediately clear that anything had happened, which is why it has taken us until today to take action.

Fortunately the majority of users' funds being held in escrow were safe in offline storage, so the impact of this attack was lessened.  Please be assured that any users who have payments or refunds due will be contacted over the next few days and your money will be paid.  The owners of CryptoThrift are absorbing the cost of this.

Whilst we have not yet completed our investigation, we have identified the attack vector as a vulnerability in a third party plugin.  This was used to inject SQL queries into our database and manipulate the amounts on transactions being released from escrow.  What we have not made public until now is that we have seen sustained and almost-daily attack attempts on the site for many months.  We have been in contact with the Australian Federal Police regarding this, and will be sharing with them all data that we have on this attack as well as all previous attempts.

This attack has prompted us to reflect on our security measures, and we have concluded that we need to make some significant changes to our escrow process and our storage of customers' funds, and have a third party conduct a full security audit.  Until this is complete, we feel we have no choice but to temporarily suspend our escrow service for our users, as we simply cannot risk holding users' funds.  Effective immediately, buyers will no longer be able to choose to use escrow when purchasing items.  All existing transactions that are in escrow will be honored until they are released or refunded.

CryptoThrift is owned and operated by two guys, both with families and full-time jobs, who run this site in their evenings and weekends to try and create something new for the crypto community.  We have made every effort to provide good customer service and have put 100% of all profits back into development, advertising, and marketing.  As such, the cost of this theft is being covered by us personally.  If our attackers wish to do the right thing and return our funds to us, they can do so by sending it back to 19bBwiFrAaCLxZZoS4grTDoFFVszxzvPMo.  If any of our users wish to help, we would gratefully receive donations of support to the same address.

We must sincerely apologize to our loyal users for this breach and our decision to temporarily remove our escrow service.  It is heartbreaking for us to see our hard work destroyed by cold-hearted, thoughtless hackers.

Thanks for all your support, and we hope that you continue to use our site.  If you have any comments, please feel free to share them on our blog post.

Paul & Ahmad
Team CryptoThrift
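The post above describes the attack class but not the mechanics: a third-party plugin built a query from user input, and the injected SQL altered the amount on escrow records as they were released. The following is an added example, not CryptoThrift's code (the site ran on WordPress/PHP; this is a language-neutral model in Python with an in-memory SQLite database and constructed sample data). It shows a release routine that concatenates a buyer's free-text note into an UPDATE, the note that turns a 0.5 BTC release into a 5 BTC one, the same routine with bound parameters, and a payout gate that takes the amount from an append-only deposit ledger and refuses to pay when the escrow row disagrees with it. The schema, table names and function names are all hypothetical.

```python
import sqlite3

# Hypothetical schema, not CryptoThrift's. Amounts are in satoshis.
# deposit_ledger is written once when the deposit confirms and never touched
# by the release path, so it is the reference for any hot-wallet payout.
SCHEMA = """
CREATE TABLE escrow (
    id INTEGER PRIMARY KEY, buyer TEXT, seller TEXT,
    amount_sat INTEGER NOT NULL, status TEXT NOT NULL, note TEXT
);
CREATE TABLE deposit_ledger (escrow_id INTEGER PRIMARY KEY, amount_sat INTEGER NOT NULL);
INSERT INTO escrow VALUES (1, 'alice', 'bob', 50000000, 'held', NULL);
INSERT INTO escrow VALUES (2, 'carol', 'dave', 20000000, 'held', NULL);
INSERT INTO deposit_ledger VALUES (1, 50000000);
INSERT INTO deposit_ledger VALUES (2, 20000000);
"""


def make_db():
    """Constructed sample data: two held escrows (0.5 BTC and 0.2 BTC)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def release_vulnerable(conn, escrow_id, note):
    """Plugin-style release: the buyer's note is concatenated into the
    statement, so a crafted note can extend the SET clause."""
    sql = ("UPDATE escrow SET status = 'released', note = '" + note + "' "
           "WHERE id = " + str(int(escrow_id)) + " AND status = 'held'")
    conn.execute(sql)
    conn.commit()


def release_hardened(conn, escrow_id, note):
    """Same operation with bound parameters: the note is only ever data.
    Returns True iff exactly one held escrow was released."""
    cur = conn.execute(
        "UPDATE escrow SET status = 'released', note = ? "
        "WHERE id = ? AND status = 'held'",
        (note, int(escrow_id)))
    conn.commit()
    return cur.rowcount == 1


def payout_amount(conn, escrow_id):
    """Hot-wallet payout gate. The amount to send comes from deposit_ledger;
    any disagreement with the escrow row is treated as tampering and refused.
    This bounds the loss even when the release path is injectable."""
    row = conn.execute(
        "SELECT e.amount_sat, d.amount_sat, e.status FROM escrow e "
        "JOIN deposit_ledger d ON d.escrow_id = e.id WHERE e.id = ?",
        (int(escrow_id),)).fetchone()
    if row is None or row[2] != "released":
        raise ValueError("escrow %d is not released" % escrow_id)
    escrow_amt, deposited, _ = row
    if escrow_amt != deposited:
        raise ValueError("escrow %d amount %d != deposit %d; payout blocked"
                         % (escrow_id, escrow_amt, deposited))
    return deposited


def amount_of(conn, escrow_id):
    return conn.execute("SELECT amount_sat FROM escrow WHERE id = ?",
                        (int(escrow_id),)).fetchone()[0]


# Attacker-controlled note: closes the string literal, appends an assignment
# to the SET clause, supplies its own WHERE, and comments out the original.
INJECTED_NOTE = "thanks', amount_sat = 500000000 WHERE id = 1 --"


def demo():
    """Returns (amount after injected release, amount after hardened release,
    whether the payout gate blocked the tampered escrow)."""
    conn = make_db()
    release_vulnerable(conn, 1, INJECTED_NOTE)
    tampered = amount_of(conn, 1)            # 5 BTC, was 0.5 BTC
    try:
        payout_amount(conn, 1)
        blocked = False
    except ValueError:
        blocked = True

    conn2 = make_db()
    release_hardened(conn2, 2, INJECTED_NOTE)
    intact = amount_of(conn2, 2)             # still 0.2 BTC; note stored as text
    return tampered, intact, blocked


if __name__ == "__main__":
    print(demo())
```

The parameterised query removes the injection, but the ledger cross-check is the control that matters for a hot wallet: it means the code path that decides how much to broadcast never trusts a row the web tier can write, which is the property the post says was missing when "amounts on transactions being released from escrow" were changed.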
johncarpe64, Sr. Member (Activity: 420, Merit: 250)
October 07, 2014, 01:15:45 AM  #2

Very noble of you to cover the cost.
r3wt, Hero Member (Activity: 686, Merit: 504)
Signature: always the student, never the master.
October 07, 2014, 01:20:53 AM  #3

Did you learn your lesson about building commerce-related websites on WordPress? We've all been dumb and made mistakes, but the important thing is that you treat this as a learning experience and move away from WordPress immediately, before you get hacked again for the big money.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
PP_Seller, Newbie (Activity: 1, Merit: 0)
October 11, 2014, 09:45:49 AM  #4

It has been a week now and the bitcoins that my customer paid are still held in escrow.
I have contacted support and they claim that they will be released when they are done with the "multisig". It's been one week now that they are holding my $400 worth of bitcoins from me; I hope they plan to give me my money or this will be an issue.