Bitcoin lending startup Loanbase, Inc. is claiming to have been hacked, although fortunately for customers and the company alike the amount stolen was not huge.
Loanbase advised customers of the hack via email and its Facebook page on Sunday, explaining they had first detected unauthorized access early in the morning of Saturday, February 6.
The company says the attackers got in through a vulnerability in a WordPress blog, which gave them access to its SQL database, meaning that sensitive user information may have been exposed, including e-mail addresses, phone numbers, names, and other personal details.
It’s not clear at this point what happened next, as Loanbase doesn’t say, but presumably the hackers somehow used data from the database to access Bitcoin wallets held by customers.
Loanbase says it believes the loss is “roughly” around 8 Bitcoins ($2,976) but could be as high as 20 Bitcoins ($7,440), and all affected customers will be fully reimbursed the amount stolen.
Ticks and crosses
It must be said first and foremost that Loanbase deserves praise for its full transparency in disclosing the hack, how it occurred and, more importantly, what it is doing about it. At the time of writing that includes taking its website down, resetting passwords, rejecting any withdrawals that have been approved but not yet processed, and implementing additional security procedures; many other companies could learn a lesson here.
The hack does, though, raise serious questions about how Loanbase had its Bitcoin wallets set up to begin with.
Let’s presume that the hackers gained access to the wallets via the WordPress database: what was that information doing in a WordPress database to begin with, and is WordPress the right platform on which to run a financial services business?
Secondly, and most importantly, two-factor authentication (2FA) would have immediately limited access to stored Bitcoin, so it can only be presumed that it wasn’t in place for these customers. There is some suggestion that Loanbase gives customers a choice of whether to use 2FA, but best practice in 2016 is not to give customers that choice: make it compulsory, to avoid exactly what has happened here.
If you’re a customer affected by the Loanbase hack, you can follow the latest updates on what the company is doing on its Facebook page.