This morning Coin Fire learned of a major security breach affecting GAW Miners' Paybase product.
The breach is another stumble in a long list of issues for GAW Miners this past week, after Amazon spokespeople told Coin Fire they were not working with the company to implement Paycoin shopping.
Late last night, Paybase was rolled out with much fanfare from Josh Garza and supporters of the new altcoin Paycoin. A few short hours after the site went live, users of Bitcoin Talk found a massive security breach that allowed users who were not logged in to visit a URL and essentially be logged in as another valid, registered user of the site.
Users accessing the site via this URL were able to obtain account information about Paybase users, including the current balance, email address and other profile information. While the breach does not seem to have given those visiting the URL the ability to withdraw funds, it did give attackers the ability to collect large troves of data about Paybase users.
Coin Fire was provided with information detailing the breach and was able to confirm independently that the user information being provided was in fact real. After speaking with several account holders from the list about the accounts they own on Paybase, Coin Fire was able to confirm that information was being leaked.
Several users took to the Hashtalk forums to report the security breach, but all posts about it were immediately deleted, and the problem persisted for over eight hours before the site was taken offline. The company claimed publicly that the downtime was due to issues with CloudFlare, but when the site came back online the security flaw seemed to have been closed.
The more than eight hours it took to respond to the security issue could create a massive security problem for those who have trusted Paybase. While account balances seem to be secure, hackers have been able to get exact account balances, email addresses and other relevant information that could theoretically be used for blackmail or extortion.
The Paybase homepage now boasts:
"The funds you deposit into your wallet are protected by the same protection used by the CIA and all major banks."
It would seem that the security hole has now been closed, but many doubts about the service's security remain after the long period it stayed open.