‘TradeFortress’, the young Australian developer who manages the Bitcoin web wallet Inputs.io, released a concerning statement on his website this Thursday (7): a major hack forced the shutdown of the service after 4,100 BTC were stolen.
Although Inputs.io was supposed to be a high-security digital wallet for its users’ Bitcoins, the administrator claims the platform was hacked at the end of October and that cryptocurrency equivalent to $1.345 million at the current exchange rate was stolen. After two weeks, ‘TradeFortress’ has finally started to warn the clients with this message:
Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.
Database access was also obtained, however passwords are securely stored and are hashed on the client.
If you stored more than 1 BTC, send an email to [email protected] with a bitcoin address (preferably, an offline, open source light/SPV wallet like Multibit or Electrum). Use the same email you’re using on Inputs. Please don’t store bitcoins on an internet connected device, regardless if it is your own or a service’s.
I know this doesn’t mean much, but I’m sorry, and saying that I’m very sad that this happened is an understatement.
Apparently, not even the clients who made deposits after October 23rd, the alleged date of the hack, are safe, according to Coindesk. ‘TradeFortress’ told the website that “the attacker was able to compromise older email accounts which were easily reset as they didn’t have phone numbers attached. Compromising one older email account led to the compromise of another, eventually allowing them to reset the password for the hosting account and obtaining shell access after bypassing two-factor authentication on the host’s side”.
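The reset chain described in that statement can be checked for ahead of time. The sketch below is an added example, not code from Inputs.io or from this article: the account names and inventory format are constructed, and it assumes that whoever controls a recovery mailbox can reset any account that recovers to it.

```python
from collections import deque

# Constructed inventory (hypothetical names). "recovers_to" lists the
# mailboxes that receive this account's password-reset mail; "phone"
# says whether a phone number is attached for recovery.
ACCOUNTS = {
    "old-webmail":   {"recovers_to": [],                "phone": False},
    "personal-mail": {"recovers_to": ["old-webmail"],   "phone": False},
    "admin-mail":    {"recovers_to": ["personal-mail"], "phone": True},
    "hosting":       {"recovers_to": ["admin-mail"],    "phone": True},
    "billing-mail":  {"recovers_to": [],                "phone": True},
    "registrar":     {"recovers_to": ["billing-mail"],  "phone": True},
}

def exposed_paths(accounts, target):
    """Return every reset chain that starts at an account with no phone
    attached and ends at `target`, shortest chains first."""
    # Reverse the edges: mailbox -> accounts that can be reset through it.
    resets = {}
    for name, info in accounts.items():
        for mailbox in info["recovers_to"]:
            resets.setdefault(mailbox, []).append(name)

    paths = []
    # Assumption: an account without a phone number is a possible entry point.
    queue = deque([name] for name, info in accounts.items() if not info["phone"])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        for nxt in resets.get(path[-1], []):
            if nxt not in path:  # skip recovery loops
                queue.append(path + [nxt])
    return paths

def entry_points(paths):
    """Accounts to harden first: the start of each exposed chain."""
    return sorted({path[0] for path in paths})

if __name__ == "__main__":
    for chain in exposed_paths(ACCOUNTS, "hosting"):
        print(" -> ".join(chain))
    print("harden first:", entry_points(exposed_paths(ACCOUNTS, "hosting")))
```

In this constructed inventory the hosting account has a phone number attached, yet it is still reachable because the model treats an email-based reset as sufficient on its own.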
One of the curious facts about the attack is that, as stated by the site Hacker News, the Bitcoins were ripped from the website’s ‘hot wallet’, the online storage system which processes the live withdrawals. However, this makes it look like Inputs.io was keeping most of “its” cryptocurrency online, while other services often keep up to 80 percent offline.
In a recent interview with an Aussie radio show, ‘TradeFortress’, who also manages coinchat.com and coinlenders.com, said he wouldn’t be reporting the theft to the police because it would be impossible to track the thief.
In the meantime, the administrator behind Inputs.io assured that the stolen money is going to be refunded, according to RT. ‘TradeFortress’ said he would use 1,000 of his own Bitcoins, as well as the money the hackers didn’t steal: “users are being repaid up to 100 percent depending on the amount (sliding scale), generally 40-75 percent”.