

2+ coinbase accounts hacked, 20k+ stolen, coinbase offers no help - Psyonic

Cross-post from reddit, but worth posting here.

Reddit link: http://redd.it/1uk37k

tuttle123's hack story: http://www.reddit.com/r/CoinBase/comments/1uk37k/coinbase_account_was_hacked_16000_stolen_3_weeks/cejcq8p

Woke up December 15th, check my email and to my horror see "You just sent X BTC..." and "The X BTC you just purchased..." emails in my account. In the span of 3 minutes, the hacker sent the 10 BTC I had in my account out, then made instant purchases and transactions of 5 BTC, 3 BTC, and 2 BTC.

Blockchain transactions:

~10 BTC: https://blockchain.info/address/12VvMbLGRAiBYK8fxqNNKEFA3xdapaFhJR

5, 3, and 2 BTC here: https://blockchain.info/address/1PQRoB6sK5MMDQ1WTd4awxsok24gMVSERA

I report this to coinbase through their ticket system. 24 hours later, they sent me some questions. I'll summarize my responses:

1. I had a complex single-use account password.
2. Was not using API, though did have iphone mobile app.
3. Used 2FA with Authy, which never left my side.

I heard nothing from CoinBase for 3 weeks.

A few days ago I received this response:

"I'm very sorry to hear this. It appears that an attacker was able to access your account by using your API access key. While disabled by default, it's imperative that this information be stored securely once enabled. If someone obtains this number they would be able to send all of the bitcoin out of your account."

To reiterate, I didn't enable API access beyond their own mobile app.

Apparently I'm out of luck. I don't believe I was particularly negligent here, and their lack of any help (even info, etc) is very frustrating.

I'm happy to answer any questions, here or elsewhere.
Advice or recommendations definitely appreciated.
======
argonaut
[https://news.ycombinator.com/item?id=5428757](https://news.ycombinator.com/item?id=5428757)

> HN is a news site, not a customer support forum for companies funded by YC,
> and in fact the site guidelines explicitly ask that it not be used that way:

~~~
Psyonic
I respect that, but unfortunately it seems like the only way to get a
response.

~~~
argonaut
Well, it's pretty obvious you don't respect that.

~~~
Psyonic
Is it? I tried to work with them for nearly a month directly, but they don't
respond to any of my emails. I've seen people post here and get responses. You
wouldn't even consider posting if you thought it would help?

~~~
argonaut
You're changing the subject. I have no comment on Coinbase or on what I would
do in your shoes.

I am commenting on the rules of HN.

------
Nanzikambe
They did offer help, they told him the IP used by whomever initiated the
transfer, he's crying over the fact they didn't give him back his BTC.

Given the information provided I'd say it's highly likely his mobile device
was the attack surface used. I don't use Coinbase, but a glance at their API
docs makes it appear that the API key alone isn't sufficient to initiate a
transfer since authentication is required.

If that's the case, this is analogous to demanding a refund from your bank when
your account was emptied because you lost your wallet, ATM card and a post-it
note with the PIN # written on it.

~~~
Psyonic
Actually, they didn't tell me the IP address. That X was in the original
email.

Also, my phone has a password on it, and the coinbase app and my Authy app
both had passwords on them.

So actually, your scenario isn't analogous at all. But thanks for
automatically assuming I'm to blame!

You honestly think it's entirely reasonable that someone was able to get past
2FA, take all my coins (+ purchase more) with no security check, and then to
have CB give me nothing but radio silence for 3 weeks? Literally not a single
word? And then finally tell me "That sucks."?

~~~
Nanzikambe
> Also, my phone has a password on it, and the coinbase app and my Authy app
> both had passwords on them.

What difference does that make to malware/trojans? Presumably they already
have those.

To elaborate:

Trojan on phone catches passwords, phones home & hands them over to the
malicious user. Malicious user initiates BTC transfer, uses trojan's remote
command and control to bypass 2FA. Job done.

From that perspective, whilst CB could see that a person from a given IP
accessed and transferred from your account, what do you expect them to do?
Come round to your house and forensically dissect your phone and PC to see
what went wrong? Even if they did, to what end? It's not their problem, it's
yours.

If you want reaction, go report the crime. If you think Coinbase should refund
your BTC, take them to court. Heck, do both. The chances of getting your BTC
back are slim to none in any case.

~~~
Psyonic
Dude, what are you talking about?

This is an iPhone (non-jailbroken.) Are you saying the official CoinBase app
had a trojan? Or Authy, the most widely used 2FA app?

If you're actually curious what I think they should do, we could talk about
it, but I don't think you care beyond blaming the victim.

What I don't understand is why you assume I MUST have done something wrong. Do
you really think it's impossible that this was a weakness on their end?

If 110 million credit cards can be stolen from Target, maybe it's possible API
keys can be stolen from CoinBase?

------
zaroth
Welcome to Bitcoin, where giving up your private keys is synonymous with
donating your Bitcoin to the thief who will eventually, inevitably, rob you.

Feel free to sue Coinbase for stealing your money, although it will
understandably be hard to prove.

Your best bet is to monitor the Blockchain and hope the coins hit another
third party service, you can try to order them to seize the coins.

More than likely they will get mixed beyond recognition before that point, but
it's not without precedent (see StrongCoin)

~~~
Psyonic
Ya that's the biggest issue for me. They have all the evidence. They haven't
even given me the IP used to make the transactions.

------
electic
Banks do this all the time. They notice fraudulent transactions, call you, or
block the transaction outright till they can investigate. The fact that this
happened, no one called, no one checked, reduces the faith in the service.
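electic's point that a bank would notice a burst of transfers and hold them pending review can be stated as a concrete control. The block below is an added illustration for this thread, not Coinbase's code and not anything posted by the participants: a velocity check over a list of withdrawal records that flags a transfer from an IP address never before seen on the account, and any run of transfers whose total or count within a short window exceeds a limit. The records, IP addresses and timestamps are constructed (the amounts mirror the 10/5/3/2 BTC pattern in the original post); the thresholds are arbitrary assumptions a real service would tune.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Withdrawal:
    """One outbound transfer as a service would log it (constructed schema)."""
    ts: datetime
    amount_btc: float
    source_ip: str


# Constructed history, sorted by time: one routine withdrawal weeks earlier
# from the account's usual IP, then four transfers in three minutes from an
# IP the account has never used. IPs are from documentation ranges.
KNOWN_IPS = {"198.51.100.7"}
SAMPLE_HISTORY = [
    Withdrawal(datetime(2013, 12, 1, 9, 0), 0.5, "198.51.100.7"),
    Withdrawal(datetime(2013, 12, 15, 6, 0), 10.0, "203.0.113.44"),
    Withdrawal(datetime(2013, 12, 15, 6, 1), 5.0, "203.0.113.44"),
    Withdrawal(datetime(2013, 12, 15, 6, 2), 3.0, "203.0.113.44"),
    Withdrawal(datetime(2013, 12, 15, 6, 3), 2.0, "203.0.113.44"),
]


def velocity_alerts(history, known_ips, window=timedelta(minutes=10),
                    max_btc=2.0, max_count=2):
    """Return [(index, [reason, ...])] for every withdrawal that should be
    held for manual review. `history` must be sorted by timestamp; each
    record is judged only against records at or before it, so the check can
    run inline at the moment each transfer is requested.

    Reasons (assumed thresholds, not any real service's policy):
      new_ip  - source IP has no prior use on this account
      sum_*   - amount sent within `window` (this transfer included) > max_btc
      count   - number of transfers within `window` > max_count
    """
    alerts = []
    for i, w in enumerate(history):
        reasons = []
        if w.source_ip not in known_ips:
            reasons.append("new_ip")
        recent = [x for x in history[:i + 1] if w.ts - x.ts <= window]
        total = sum(x.amount_btc for x in recent)
        if total > max_btc:
            reasons.append(f"sum_{total:g}_btc_in_window")
        if len(recent) > max_count:
            reasons.append("count")
        if reasons:
            alerts.append((i, reasons))
    return alerts


def first_hold_index(history, known_ips, **kw):
    """Index of the first transfer the check would have held, or None.
    For the constructed history this is the very first 10 BTC transfer."""
    alerts = velocity_alerts(history, known_ips, **kw)
    return alerts[0][0] if alerts else None


if __name__ == "__main__":
    for idx, why in velocity_alerts(SAMPLE_HISTORY, KNOWN_IPS):
        w = SAMPLE_HISTORY[idx]
        print(f"HOLD {w.ts:%Y-%m-%d %H:%M} {w.amount_btc:g} BTC "
              f"from {w.source_ip}: {', '.join(why)}")
```

Run as a script it lists the four December 15th transfers as holds and stays silent on the routine December 1st one; the first 10 BTC transfer is already flagged on two grounds (unknown IP and amount over the window limit) before the later ones add the count reason. A key observation for the thread's "no one called, no one checked" complaint is that this rule needs nothing beyond what the service already logs: it does not depend on how the attacker obtained the credential.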

~~~
Psyonic
Not to mention that after it happened, they won't even so much as respond to
my emails.

------
Psyonic
UPDATE: CoinBase eventually concluded that my API key may have been exposed
due to a security flaw that they've since patched. They decided to refund me,
and my coins have been returned. Thanks CoinBase!

------
byoung2
Does API access need to be enabled in order to use the iPhone app? I have API
access disabled on my account, and I use the Android app.

~~~
OafTobark
I have the iPhone app and under my account when I log in via the web, it says
API is disabled. I don't recall it requesting to be enabled for access when I
set it up originally before the app was pulled.

~~~
byoung2
It could be that the app uses the api key (despite it being disabled), and
somehow someone was able to steal it. I hope it isn't sent in plain text.

~~~
Psyonic
I can't speak to their architecture, but the mobile app must be using some
kind of API.

------
outragemachine
If crypto-currencies are ever to be widely adopted the institutions involved
must be held accountable for these kind of liabilities.

------
cabbeer
There has been a consistent stream of negative coinbase stories, why do people
still trust them with their money?

