
So, my Coinbase account was hacked, bitcoin stolen, now what? - whileonebegin
I check my email to find a message from Coinbase saying "You just sent 0.136 BTC to 12aW81234567890abcdefg..". I never initiated such a transaction. Obviously, I started freaking out a little bit. I log into my Coinbase account (which I felt had a strong password btw), to find my balance near zero. Just great. Thank goodness I hadn't linked a bank account in Coinbase yet, and that the stolen balance was less than $100; who knows what else may have been stolen. I filed a support ticket with Coinbase just hours after this occurred last night, but no response yet.

I'm distraught over this. A hacker can simply break into your account, steal your bitcoin by sending it off to his own account, and no one has to hold any type of accountability? Is there no way to trace, cancel, or reverse a transaction? Is there anything at all I can do?
======
RyanZAG
Hilarious. The reason for bitcoin is lack of regulation. You know that right?
You're using bitcoins and not dollars because it's not regulated and subject
to the same oversights and related fees.

So basically you want the government to have no ability to lock down funds or
regulate transfers, yet you also want the ability for the government to step
in and stop people who have stolen your bitcoins.

Can people really be this oblivious? If you have bitcoins, do not just put
them on random websites with zero auditing and expect them to be in any way
secure. If you don't know how to secure a computer, you need to stay far away
from bitcoins, they are not for you.

~~~
elwell
What do you mean "random websites"? It's Coinbase, the most reputable bitcoin
wallet that exists. (Though they have had a few troubles as of late.)

~~~
yid
Until you can verify Coinbase's internal security and practices, trust every
employee with access to your account info, and verify their honest intentions,
it's still pretty much a "random website". Until then, you're effectively
driving your Ferrari across the border into Tijuana and tossing the keys to a
random barkeep.

~~~
elwell
So... any bank website is also 'random'?

~~~
Sae5waip
No, bank websites are bank websites.

And bank websites are operated by banks.

And banks are regulated by governments.

------
tzz
How does this happen with two factor SMS verification? Did you enable your API
key?

What is the whole address and transaction id just to trace and see where it
went? There is no way to cancel the transaction.

[edit]

Here is the info[1] about the transaction. It _seems_ the transaction was
relayed by IP address 71.206.70.250, somewhere in Florida (Comcast customer).
It also seems the address[2] only holds your balance for now. You can call
Comcast and let them know.

[1][https://blockchain.info/tx/d3f6547f901b45b3c79315e78a1bbcc98...](https://blockchain.info/tx/d3f6547f901b45b3c79315e78a1bbcc988e27e6b98feab321f5628e2312b5377)

[2][https://blockchain.info/address/12aW8jPeEc9iQa5ocXCDReJ6Nij4...](https://blockchain.info/address/12aW8jPeEc9iQa5ocXCDReJ6Nij4c9xHtX)

~~~
whileonebegin
I didn't have two-factor enabled (it's enabled now though). API was disabled.
No malware installed.

Transferred to: 12aW8jPeEc9iQa5ocXCDReJ6Nij4c9xHtX

Transaction: d3f6547f901b45b3c79315e78a1bbcc988e27e6b98feab321f5628e2312b5377

I think this might be related to a recent Twitter account hack that happened a
month or so ago, where a fake tweet was posted on the account. I had used the
same email and pw on that account. Maybe they were scanning the stolen Twitter
accounts against Coinbase.

~~~
anu_gupta
> I had used the same email and pw on that account.

You used the same credentials for a social networking site as for your Bitcoin
account with Coinbase? And you didn't change them once your Twitter account
was hacked?

You should probably call it a relatively cheap lesson in not reusing
passwords.

------
chasing
> A hacker can simply break into your account, steal your bitcoin by sending
> it off to his own account, and no one has to hold any type of
> accountability?

I thought lack of regulation was one of the features of Bitcoin.

~~~
kordless
Why are you comparing Coinbase features with Bitcoin features?

~~~
Tehnix
Why wouldn't he? I don't know of any online _anything_ that refunds you from
their own pocket, so, that he can't get the transaction back (like some bank
account transactions can be, or, they can be traced to a person) is a feature
inherent to Bitcoin and not so much Coinbase.

EDIT: spelling correction.

~~~
kordless
> Why wouldn't he?

Because it's colluding topics. "break into your account" refers to a Coinbase
account. "lack of regulation" refers to the Bitcoin methods. Using both of
those in a sentence or quoting that sentence in another comment creates
implied blame.

The original comment could be assumed to say two different things: 1. If
Coinbase security was compromised, then Coinbase is accountable for the
transfer of Bitcoin from op's account. 2. If the op 'allowed' access to his
account through malware or insecure API keys, then the op is accountable.

I believe the second assumption is what chasing was referring to. I should
have been clearer in my questioning.

Edit: Actually, I shouldn't have even asked the question. I should have said
what I said above instead of asking a leading question. My fault.

------
ForHackernews
> and no one has to hold any type of accountability? Is there no way to trace,
> cancel, or reverse a transaction? Is there anything at all I can do?

You can file a police report. If somebody stole your physical cash, what would
you do?

Bitcoin advocates claim this is a feature, not a bug. They say bitcoin should
be the digital equivalent of cash.

------
gexla
I don't know much about how Bitcoin works. But isn't one of the features of
Bitcoin that you can make transfers super cheap? Wouldn't it be best to keep
your Bitcoin "wallet" off any internet connected devices and then just make a
transfer to Coinbase only when you need to sell Bitcoin to transfer back to
your bank? I would think that it would be a bad idea to keep your Bitcoin
stored anywhere except in a space you fully control and could keep safe.
Though if you have malware on your computer which targets Bitcoin activity
then I'm not sure there is much you could do.

Personally, I would probably get something like a Raspberry Pi (if it's beefy
enough) with a Linux distro which runs straight from RAM just for Bitcoin
transactions. So, every time you boot up, it's a totally new installation. You
could make sure that the media you are loading it from is read-only.
Then enter your Bitcoin info, do your transaction and shut off the computer.
Next time you boot it up, new installation again. With these distros, you
don't actually have to install Linux every time, they just run from a
read-only image typically. I use Puppy Linux.

This should do a lot to keep you safe from malware. Just using Linux makes you
a little less of a target. Using a fresh install every time you boot up
reduces your vulnerability window. I'm sure that if you are connected to the
internet, anything could happen. If you use this method, you would probably
need to be specifically targeted by someone who really knows what they are
doing. There are easier targets out there. ;)

~~~
glitch003
> Personally, I would probably get something like a Raspberry Pi (if it's beefy
> enough) with a Linux distro which runs straight from RAM just for Bitcoin
> transactions.

This is basically exactly what you're talking about:
[http://piperwallet.com](http://piperwallet.com)

------
danielpal
Authy founder here (we do Two-Factor Auth for Coinbase).

Looks like you didn't have Two-Factor enabled
([https://news.ycombinator.com/item?id=6947037](https://news.ycombinator.com/item?id=6947037)).
Enable it now. We've stopped lots of Coinbase account password compromises.
Most of the time we see that the e-mail was hacked.

Do the following:

1. Enable Two-Factor Authentication on your e-mail.

2. If you use GMail, go to Settings -> Forwarding POP/IMAP. Check that no
"weird" addresses are added to your account.

3. Change your E-mail password.

4. Change your Coinbase password.

If you have Two-Factor enabled we can also temporarily block your account if
you suspect a hacker is trying to get into it. Contact us at support@authy.com
and we'll block it.

~~~
vijayboyapati
I highly recommend the above advice. 2-factor auth is a simple step that
hugely increases security. You must have it on your email at minimum - since
having access to your email typically gives you access to many accounts
connected to your email - and probably most of your financial accounts.

I might also encourage Coinbase to limit the maximum dollar value of transfer
from an account to, say, $100 per day until someone enables two-factor auth.
Typically people have very poor security habits, and strongly encouraging them
to improve them will help both users and Coinbase's reputation.

------
bdcravens
_A hacker can simply break into your account, steal your bitcoin by sending it
off to his own account, and no one has to hold any type of accountability? Is
there no way to trace, cancel, or reverse a transaction?_

It would seem that you understand Bitcoin very well.

A review of all of the hacks/breakins/inside jobs since 2011 would have told
you this already. You DID research its history, rather than jumping in blind,
right?

~~~
aragot
All the theory about currencies and macro- and microeconomy and libertarianism
is available in books. But people really like to learn the hard way.

There are a few rules about trustworthiness in economy. Our whole economic
system is held together because one rogue actor would be rejected by all its
partners if it failed a transaction, and the person wouldn't be able to create
a new company if they acted unfairly. This peer-to-peer network is also backed
by trade unions, then banks, then governments who vouch for each other.

By trusting Coinbase, a single actor in a very small economy, you have very
little leverage, except talking about your mistake on HN and trying to get the
consumer's snowball effect. It is not backed by its trade union, nor by its
banks, insurances or government.

Don't forget that Bitcoin is a token game which is parallel to your national
currency, and allows bypassing taxes. Bitcoins should get what they deserve:
as a subversive currency allowing taxes to be bypassed, it should be fought by
governments. Receiving money for a Blizzard account is just as illegal,
because it's a parallel economy which prevents taxes from being duly
collected.

I'm not saying that I'm on the government's side, nor on the Bitcoin side. I'm
saying they are competing and proponents of one side should be rejected by the
other side.

Given this background, you losing 0.12 BTC is a very mild outcome.

------
t0
They have two factor SMS verification available for every login attempt. But
you may just have malware on your computer if you had a really strong
password.

~~~
Maxious
Sounds like there's some pretty nifty malware out there recently
[http://www.reddit.com/r/Bitcoin/comments/1sxcyr/coinbase_acc...](http://www.reddit.com/r/Bitcoin/comments/1sxcyr/coinbase_account_was_hacked/)
[https://bitcointalk.org/index.php?topic=355045.0](https://bitcointalk.org/index.php?topic=355045.0)

Perhaps something to do with the API (which is disabled by default but some
victims have noticed was enabled)
[https://coinbase.com/docs/api/authentication](https://coinbase.com/docs/api/authentication)
"If someone obtains your api_key or an access_token with the send or all
permission, they will be able to send all the bitcoin out of your account."

(edit: followed the transaction trail on one of those links, ended up with a
week-old address that had received 49,497 BTC
[https://blockchain.info/address/1Facb8QnikfPUoo8WVFnyai3e1Hc...](https://blockchain.info/address/1Facb8QnikfPUoo8WVFnyai3e1Hcov9y8T))

------
v64
This is a reason why I never leave my BTC in Coinbase. As soon as my purchase
goes through, I transfer the BTC to a paper wallet[1] or digital wallet that I
control.

[1]
[https://en.bitcoin.it/wiki/Paper_wallet](https://en.bitcoin.it/wiki/Paper_wallet)

~~~
Aqueous
Well, in my view CoinBase with two factor auth is as or more secure than
leaving it on my physical computer. If this person had enabled two factor auth
this wouldn't have happened.

I was under the impression that 2 factor auth on CoinBase wasn't optional, but
I guess not.

CoinBase should also be failbanning any computer trying to brute force the
same account with more than one password.
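The failban idea above as detection logic, written here as an added example and not Coinbase's code: it reads constructed login-result lines, flags a source trying many passwords against one account (brute force) and a source trying one password across many accounts (the stuffing pattern whileonebegin suspects from the Twitter breach), and lists the accounts that then logged in successfully from a flagged source. The log format, field order and thresholds are assumptions.

```python
"""Login-log triage for brute force (one account, many attempts) and
credential stuffing (leaked email/password pairs tried across many accounts).
Added example; log format and thresholds are assumptions, not Coinbase's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <FAIL|OK> <account> <source ip>"
SAMPLE_LOG = """\
2013-12-20T01:00:01Z FAIL alice@example.com 203.0.113.10
2013-12-20T01:00:03Z FAIL alice@example.com 203.0.113.10
2013-12-20T01:00:05Z FAIL alice@example.com 203.0.113.10
2013-12-20T01:00:07Z FAIL alice@example.com 203.0.113.10
2013-12-20T01:00:09Z FAIL alice@example.com 203.0.113.10
2013-12-20T01:00:11Z OK alice@example.com 203.0.113.10
2013-12-20T01:05:00Z FAIL bob@example.com 198.51.100.7
2013-12-20T01:05:01Z FAIL carol@example.com 198.51.100.7
2013-12-20T01:05:02Z FAIL dave@example.com 198.51.100.7
2013-12-20T01:05:03Z FAIL erin@example.com 198.51.100.7
2013-12-20T01:05:04Z OK frank@example.com 198.51.100.7
2013-12-20T01:05:05Z FAIL grace@example.com 198.51.100.7
2013-12-20T02:00:00Z FAIL heidi@example.com 192.0.2.5
2013-12-20T02:00:30Z OK heidi@example.com 192.0.2.5
"""

def parse(log_text):
    """Return (time, result, account, ip) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, result, account, ip = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           result, account, ip))
    return sorted(events)

def analyze(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {ip: set of labels} for sources a failban rule should fire on.

    brute_force: >= threshold failures against one account inside window
    stuffing:    failures against >= threshold distinct accounts inside window
    """
    fails_by_ip = defaultdict(list)  # ip -> [(time, account)], FAIL only
    for ts, result, account, ip in parse(log_text):
        if result == "FAIL":
            fails_by_ip[ip].append((ts, account))
    verdicts = defaultdict(set)
    for ip, fails in fails_by_ip.items():
        for i, (start, _) in enumerate(fails):  # window starts at each failure
            per_account = defaultdict(int)
            for ts, account in fails[i:]:
                if ts - start <= window:
                    per_account[account] += 1
            if max(per_account.values()) >= threshold:
                verdicts[ip].add("brute_force")
            if len(per_account) >= threshold:
                verdicts[ip].add("stuffing")
    return dict(verdicts)

def accounts_to_reset(log_text):
    """Accounts that logged in OK from a flagged source: likely takeovers."""
    flagged = analyze(log_text)
    return sorted({acct for _, result, acct, ip in parse(log_text)
                   if result == "OK" and ip in flagged})
```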

~~~
v64
Because you can withdraw your coins from Coinbase, that means Coinbase has a
copy of the private key associated with the BTC address that your BTC resides
in. Two factor auth is not going to prevent a rogue attacker or employee from
taking these keys.

By immediately transferring the BTC to a paper wallet address generated on a
secure, offline computer, it is simply impossible to withdraw the BTC without
possession of the information on that physical piece of paper. This is far
more secure than any digital or two factor auth.

Edit: I notice that Coinbase does store the vast majority of their BTC in
paper wallets[1]. The problem is, Coinbase still has a copy of the private
keys associated with your BTC address. While this may hinder the efforts of
outside attackers, there still exists a vulnerability with those employees who
have access to the systems that move BTC from cold to warm storage. That's why
your BTC should always reside in an address you generated yourself and solely
possess the private key to.

[1] [http://blog.coinbase.com/post/33197656699/coinbase-now-storing-87-of-customer-funds-offline](http://blog.coinbase.com/post/33197656699/coinbase-now-storing-87-of-customer-funds-offline)

~~~
Aqueous
I mean, I've given them the ability to withdraw money from my bank account so
merely trading on CoinBase requires me to believe they won't do that or
anything like that. The fact of the matter is that I don't trust CoinBase, but
I know that our interests are somewhat aligned. If they damage their
reputation by stealing my BitCoins or my cash they lose money because people
don't trust them any more. They are backed by people I consider to be
reputable and if CoinBase does something shady all of their reputations will
suffer.

------
kordless
If you turned on your API key on Coinbase and someone obtains that key, they can
transfer coin on your behalf. From a productive paranoia perspective, I think
this is a REALLY BAD IDEA for exactly the reasons posted here. People will use
that key to 'try out' coinbase, and then end up forgetting to check their code
and upload it to Github or Pastebin and then WHAM, you've got two problems:
your Bitcoin is gone and Coinbase now has a marketing problem of potentially
epic proportions.

The guys at Coinbase need to turn OFF the API key feature as soon as possible.
It has the potential of hurting the entire ecosystem.

Edit: One suggestion to Coinbase would be to change the API key feature to
only allow the API methods which don't result in sending payments. This allows
quick use of their APIs in doing architectural design and ensures protection
against key leakage. A second suggestion is to queue up outgoing transactions
initiated by the API key into batches and use alerts (like through Pagerduty
or similar) to notify the account owner transactions are pending and need
approval.
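The two suggestions above (API keys scoped so they cannot send, and API-initiated sends held in a pending batch that alerts the owner and waits for approval) as a small Python model, added here as an example; this is not Coinbase's API, the class and method names are invented, and the destination address used in the test is a placeholder.

```python
"""Model of API keys that default to read-only scope and of API-initiated
sends that are queued as pending until the account owner approves them.
Added example, not Coinbase's API; all names here are invented."""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class ApiKey:
    token: str
    scopes: frozenset  # subset of {"read", "send"}


@dataclass
class Account:
    owner: str
    balance_btc: float
    keys: dict = field(default_factory=dict)     # token -> ApiKey
    pending: dict = field(default_factory=dict)  # txid -> (to_address, amount)
    alerts: list = field(default_factory=list)   # what a pager/alert hook would send

    def issue_key(self, scopes=("read",)):
        """Default scope is read-only; 'send' must be requested explicitly."""
        key = ApiKey(secrets.token_hex(16), frozenset(scopes))
        self.keys[key.token] = key
        return key.token

    def api_balance(self, token):
        self._require(token, "read")
        return self.balance_btc

    def api_send(self, token, to_address, amount):
        """A leaked key with 'send' scope can only queue a send, not move coins."""
        self._require(token, "send")
        if amount <= 0 or amount > self.balance_btc:
            raise ValueError("invalid amount")
        txid = secrets.token_hex(8)
        self.pending[txid] = (to_address, amount)
        self.alerts.append(f"{self.owner}: {amount} BTC to {to_address} pending ({txid})")
        return txid

    def approve(self, txid):
        """Owner action from an authenticated session; not reachable with an API key."""
        to_address, amount = self.pending.pop(txid)
        self.balance_btc -= amount
        return to_address, amount

    def reject(self, txid):
        """Owner discards a send they did not initiate; the balance never changed."""
        return self.pending.pop(txid)

    def _require(self, token, scope):
        key = self.keys.get(token)
        if key is None or scope not in key.scopes:
            raise PermissionError(f"API key lacks {scope!r} scope")
```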

~~~
trbs
I disagree. They shouldn't turn off the API access for payments because some
people might use it incorrectly. Let's be honest, it takes a special kind of
stupid to upload secret keys of any kind to their repos. And if they do, well,
they deserve whatever happens to them.

------
badman_ting
I thought the point of Btc is that there is no "now what".

------
bound008
I use the Google Authenticator style of 2-factor auth with Coinbase using the
Authy app.

~~~
malenm
Seriously - if you're not using 2FA then you're just looking for trouble.

------
mschuster91
@pg: can you please ban off all those Coinbase support threads? It's getting
ridiculous, we're not Coinbase customer support here.

------
josu
Did you have the two factor verification activated?

------
nkohari
There is limited ability to trace transfers by examining the blockchain, but
there is no way to cancel or reverse a Bitcoin transaction. Most online wallet
services, including Coinbase, offer no explicit insurance against unauthorized
transfers.

Welcome to the brave new world!

------
Tehnix
Same happened to me on MtGox (to make it clear, not their fault, was my own
carelessness). Was more than likely related to reuse of password and a hack on
another site that used the same acc/pass combination.

There is nothing one can do. MtGox can't protect users from getting their
account hacked when it's nothing they've done. I filed a police report, but
there's not much the police can do in the case of btc...

One learns from one's mistakes, so, now; stopped reusing passwords, and added
two-way auth for important/sensitive things, alas, a bit too late (got 9 btc
stolen ;_; although at the time, they were only worth ~100$/btc).

------
justincormack
For less than $100, there is nothing you can do except learn from this. There
would probably not be anything you could do if it was a few orders of
magnitude larger either, so you are lucky.

Hacking is pervasive, but anonymous currencies are providing a more
interesting target than sending spam or renting botnets. Generally, security
is very poor everywhere but most people don't really notice. This is going to
have to change at some point as more of our lives go online.

------
wtvanhest
I've been on the sidelines for BitCoin for the past few years, but it appears
to me that it is gaining adoption at least at the early adopter stage and has
an insanely long way to go but is becoming increasingly interesting.

I'm researching BitCoin to try to have a really in depth understanding of it.
What is the best, even if complex, paper/blog/website on how to properly
secure bitcoins?

~~~
Tehnix
You can take a look at
[https://en.bitcoin.it/wiki/Securing_your_wallet](https://en.bitcoin.it/wiki/Securing_your_wallet)
and maybe less directly relevant, but still good information is
[https://en.bitcoin.it/wiki/Weaknesses](https://en.bitcoin.it/wiki/Weaknesses).

Personally, I keep my btc wallet.dat file in an AES-encrypted disk image
(sparsebundle on OS X) in my Dropbox, and then symlink that file to the place
where it needs to be on the computer. My wallet is always backed up, and
secure enough (you need either physical access to my computer and get the
password right, or, access to my Dropbox account and, again, the password for
the wallet disk image).

Quite content with my setup, I just mount the diskimage before I open my
Wallet application...

~~~
wtvanhest
Thanks!

------
calciphus
"I buried my gold in the forest because I didn't want the government to get
their grubby mitts on it. I came back later, after only telling a few folks
where it was, and I'm upset to see it gone. Can the government help me?"

------
sneak
There are many ways of tracing transactions. There are no ways of canceling or
reversing them.

You trusted your valuables to a third party and were careless with your own
access credentials to communicate with that third party. Your fault, your
consequences.

------
collyw
I see this sort of story being the downfall of bitcoin. Once a few of these
things happen, trust will be lost in it and the bubble will deflate.

(Out of interest, did you "make money" from bitcoin when it was going up?)

~~~
whileonebegin
I agree, and that's why bitcoin needs accountability. If not bitcoin, then
Coinbase. PayPal is a good example of this. For all of the flak they receive,
you can trust them to honor reports of unauthorized transactions and feel
(mostly) confident making purchases.

I'm very cautious now about considering bitcoin any further. I'm certainly
glad I never linked a bank account to Coinbase.

------
bhousel
Call the police.

------
bkmrkr
Did you have a Mac / Windows computer?

Do you have any antivirus software installed?

~~~
bdcravens
It most likely had nothing to do with his computer. I could buy a new
computer, use it only to consummate a transaction on Coinbase, and destroy it,
and I've done little to minimize my risk.

------
hillybilly
Use 2-factor authentication next time, lesson learned. How about you give us
the full bitcoin address where the bitcoin is being transferred to?

