Andreessen Horowitz-backed bitcoin wallet provider Coinbase confirmed via a company blog post on 7th February that “a small handful” of its customers have fallen victim to phishing attacks.
The reports of bitcoin wallet security vulnerabilities, however small, have nonetheless reverberated widely in an industry that is being increasingly cast in a shroud of uncertainty by the mainstream media.
A separate account of the incidents by online news source The Verge paints a very different picture of the situation, suggesting that the thefts, while in some cases the fault of Coinbase‘s users, were sizable and perhaps more frequent than has been reported.
The Verge confirmed what it called “a string of Bitcoin thefts that have hit the service in recent weeks”.
In its piece, it profiled the story of a Coinbase user named Jeff, who lost 10.6 BTC in bitcoins due to theft this December. What’s most unique about Jeff’s story, however, is that one month later, his refunded money was stolen from the service yet again.
The media outlet revealed that it has confirmed two separate thefts occurred to users on the service in addition to Jeff’s multiple thefts, for amounts of $16,000 and $5,000, respectively.
The sum total of the thefts, as noted by the piece, is roughly $40,000.
The extent of the attacks
The security firm FireEye told the Verge that it believes it is unlikely that Coinbase suffered a system-wide vulnerability, and that instead, each individual victim was compromised in isolation.
However, it suggested that Coinbase’s “unusually powerful” API may have been a factor:
“The right API key will let any program move bitcoins in and out of a given accounts. Once the key is compromised, attackers can even access linked bank accounts to purchase more bitcoins. Users are advised not to authorize the API key if they don’t need it, but if an account has been compromised, hackers may decide to authorize it themselves.”
FireEye did suggest that the company itself does not seem responsible for the attacks, which were not aimed at its infrastructure. Further, it suggested that Coinbase’s user agreement clearly states that individuals are responsible for the safety of their private keys.
By using the wallet provider’s two-factor authentication, the report suggested, Jeff could have prevented the loss of his API key, which once his account was compromised may have been reactivated by the hackers.
The San Francisco-based company downplayed the thefts, stating that “phishing is unfortunately common across the Internet”, and noting that it affects banking institutions, payment processors and retailers in the traditional financial system as well.
Further, the company indicated that, because of the concern over phishing attacks, it has implemented enhanced security measures, that when used with best practices for web surfing, can help limit these occurrences:
“We’ve implemented a number of increased security measures, including expanded two-factor authentication measures designed to help lessen the likelihood of successful phishing incidents in the future. We’ve also added an email verification step for key actions, such as when an API key is enabled.”
Coinbase representatives declined further requests for comment, stating that the blog post represented their official position on the attacks.
Image credit: Digital key via Shutterstock