Although Blockchain.info claims to never give your password to anyone including them it seems that a bit of backpedaling is happening about that policy.
Recently Blockchain.info reported a security issue that involved a “small part” of the user base seeing private keys being revealed and bitcoins being insecure. Another user on bitcointalk named johoe has reported that he has been sweeping the addresses that are no longer secure and sending the funds back to Blockchain.info.
Blockchain.info has made several statements that the issue was dealt with but as many are finding with browser caches that might not be the case and several people are still reporting issues and seeing private keys be compromised by the service. As the ongoing saga has continued the number of addresses that are compromised and the accounts that are compromised continue to climb.
Blockchain.info said that it would be reimbursing users who have compromised keys and seems to be making good on that promise but has run in to a slight snag now requiring users who are affected by this security flaw to send wallet information to the service including the password to the Blockchain.info account.
According to a reddit post made by the company’s official reddit account:
Blockchain never has access to your addresses or private keys.
It also means our support team has no optics into wallet balances or addresses.
As part of our process to reimburse users we have to ask for their input and review each wallet individually.
Here is how we’re doing it. First, we ask wallet owners to set up a completely new wallet then move any remaining funds into completely new addresses. Next, once the wallet with issues has an empty balance, we’re asking users for their original passwords so we can decrypt the wallets and confirm they were in custody of the weakly generated address at the time the funds were swept. Finally, upon confirmation they owned the address we’re reimbursing them to a new address provided by the end user.
We warn them very clearly to move the funds first and never use that wallet again.
We realize this is a stressful time for many and we’re working around the clock to wrap up the reimbursements. So far we’re processed hundreds and if you have questions or concerns drop us a case at blockchain.zendesk.com
Many have found the practice of asking for Blockchain.info information via plain-text over email to be unacceptable with reddit users commenting:
As the situation continues to develop it is serving as a reminder to many why using a web-based wallet is such a bad idea, especially one that does not implement RFC6979.
Those who do not wish to be affected by such a serious issue as this one are suggested to run a more secure solution that implements RFC6979 or consider running a wallet themselves. For those already affected by the security issue the company is asking users to send a ticket via: https://blockchain.zendesk.com/home
bitonbit just left a Bitcoin tip worth 0.25 USD (780 bits/$0.25).