Bitcoin to Amazon P2P service provider Purse.io (PurseIO, Inc.) has denied that a compromise over the weekend resulted in the theft of Bitcoin despite multiple users claiming to have had Bitcoin stolen from their accounts.

Details of the theft first emerged on Reddit where users reported having unauthorized withdrawals from their Purse.io wallets, although fortunately most users only reported having small amounts of Bitcoin stolen with one exception where a user claims to have had 36 BTC ($8,967) stolen.

All affected users reported that the same thing occurred: a password reset request was received followed quickly by the unauthorized withdrawal of funds from their accounts.

Disturbingly at least one user who claims to have had Bitcoin stolen was using two-factor authentication (2FA) which is theory should have prevented the coins being stolen without a second step to verify the withdrawal of the BTC from the Purse.io wallet.

Shortly after reports emerged Purse.io went offline for some 5 hours Sunday with a message saying that the site was undergoing maintenance.

Despite claims of theft by users the company subsequently denied funds had been stolen, while still admitting that there had been a breach of security.

“Current information leads us to believe that one of our third-party email service providers was compromised causing unauthorized password resets for some users,” the company wrote in a blog post. “We discovered this quickly, secured funds, and reset tokens for affected users. All funds are secure, and service has been resumed.”

Despite claims to the contrary, Purse.io went on to claim that users with two-factor authentication (2FA) were not affected, and that they suggested that “all users activate 2FA, and we’re looking into making it mandatory.”

Mixed messages

Purse.io’s response has delivered mixed messages at best; the company has admitted that they were compromised but have failed to accept that members have had Bitcoin stolen during the time the compromise occurred.

User Justin_Guy dug further and found that over 30 Bitcoins may have been stolen during the period:

On a reddit comment[4] I got this address from the withdrawal email: 1GsFvMK9PKNYzHFPzT5D4B3SfZ6HN5uamY. The withdrawal did go through to that address. Purse.io uses P2SH addresses (assuming multisig) that sends the change to a new P2SH address after each withdrawal. If you click through that chain you can track over 30 bitcoins that were withdrawn today. With some deeper digging and more unauthorized withdrawal addresses you could account for more.

If Purse.io is claiming that all funds are safe I call that bluff. I wonder how many bitcoins were stolen and if they will be able to cover the loss.

It’s difficult to say the best way a company should respond to a breach and theft of funds that has clearly occurred here, but fence sitting and not addressing the stolen funds does nothing to help Purse.io and instead creates distrust among its user base and the broader community.

We’ll update the post if we hear more.

Image credit: pirhan/Flickr/CC by 2.0