In what appears to be an extension of security issues resulting from a previous breach in May, Bitcoinica—a Bitcoin Forex housing a lot of funds—had their MtGox account compromised and over ฿40,000 BTC were stolen along with a loss of almost $40,000 USD totaling about $350k USD. The initial breach, on May 11 of this year, saw almost ฿18,547 BTC lost when a server compromise gave hackers access to their liquid market trading wallet.
It hasn’t been a pretty year for Bitcoinica: even before the May hack that opened up its wallet, the exchange lost coins in the March Linode compromise that hit many Bitcoin sites (including the Bitcoin Faucet), costing Bitcoinica ฿43,554 BTC.
That brings the tally to date (just this year) up to approximately ฿170,554 BTC lost by this one forex alone.
The explanation of the heist, which was posted to Bitcointalk.org on Friday the 13th, includes some salient details of how the hack progressed:
We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occurred because the password for LastPass was in fact a duplicate password which had been compromised during the hack.
Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.
LastPass contains all your passwords. The username was firstname.lastname@example.org. After the initial compromise, the source code would have been tainted. But the password for LastPass was not changed.
The operators of Bitcoinica probably did not think to change it because they may have assumed that the LastPass password was not the same password as the MtGox API key. Such a flaw is a huge security breach. The original hacker could have compromised the funds on May 11th or any day thereafter.
From the looks of it, poor crisis management in the wake of May’s initial hack is what led to the recent compromise.
Handling a hacking event is more than just patching the hole; it’s also about changing the locks, re-issuing credentials to everyone affected, and then vetting the system again from a bottom-up study of who has access and why. From what we’ve seen of the Bitcoin service ecology, many of the sites that have sprouted up to take advantage of it have done so without much attention to the consequences of trading in extremely valuable digital commodities, and as a result we keep seeing events such as this.
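As an added illustration of that re-issuing step (this is not Bitcoinica’s own tooling; the credential names, secret values and rotation dates other than the May 11 breach date are constructed), here is a small post-breach audit that flags any stored secret equal to a known-compromised value, the same value in use under two different names, and anything not rotated since the breach:

```python
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass
class Credential:
    name: str           # where the secret is used, e.g. "lastpass-master"
    secret: str         # a real audit would ingest digests, not plaintext
    last_rotated: date

def digest(secret: str) -> str:
    # Work on SHA-256 digests so plaintext secrets are not held or logged.
    return hashlib.sha256(secret.encode()).hexdigest()

def audit(creds, compromised_secrets, breach_date):
    """Map credential name -> findings: reuse of a compromised value, the
    same value used under two names, or no rotation since the breach."""
    compromised = [digest(s) for s in compromised_secrets]
    by_digest = defaultdict(list)
    for c in creds:
        by_digest[digest(c.secret)].append(c.name)
    findings = defaultdict(list)
    for c in creds:
        d = digest(c.secret)
        if any(hmac.compare_digest(d, k) for k in compromised):
            findings[c.name].append("reuses a compromised secret")
        others = [n for n in by_digest[d] if n != c.name]
        if others:
            findings[c.name].append("shared with " + ", ".join(others))
        if c.last_rotated <= breach_date:
            findings[c.name].append("not rotated since breach")
    return dict(findings)

# Constructed inventory modelled on the post: the API key leaked on May 11
# was replaced, but the same value was also the LastPass master password
# and that copy was never rotated.
BREACH = date(2012, 5, 11)
OLD_API_KEY = "constructed-old-mtgox-api-key"
INVENTORY = [
    Credential("mtgox-api-key", "constructed-new-api-key", date(2012, 5, 12)),
    Credential("lastpass-master", OLD_API_KEY, date(2012, 1, 10)),
    Credential("server-root", "constructed-root-pw", date(2012, 5, 12)),
    Credential("backup-host", "constructed-root-pw", date(2012, 5, 12)),
]

def run_audit():
    return audit(INVENTORY, [OLD_API_KEY], BREACH)
```

Running `run_audit()` on the constructed inventory reports the LastPass master password both as a reuse of the leaked key and as never rotated, while the two hosts sharing one root password are flagged for each other.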
In spite of volatility in the market and huge digital bank heists apparently happening almost like clockwork, Bitcoin is showing itself to be an extremely valuable commodity. That hackers keep returning to sites in attempts to steal large numbers of coins shows they expect there’s money to be made—but that means the vaults will have to secure themselves.
I’ve mentioned before that it’s time that we see a Bitcoin forex or trading service arise that puts security first. It would become a massive selling point in the current climate.