Hacker News new | comments | show | ask | jobs | submit login
So, my Coinbase account was hacked, bitcoin stolen, now what?
41 points by whileonebegin on Dec 21, 2013 | hide | past | web | favorite | 56 comments
I check my email to find a message from Coinbase saying "You just sent 0.136 BTC to 12aW81234567890abcdefg..". I never initiated such a transaction. Obviously, I started freaking out a little bit. I log into my Coinbase account (which I felt had a strong password btw), to find my balance near zero. Just great. Thank goodness I hadn't linked a bank account in Coinbase yet, and that the stolen balance was less than $100, who knows what else may have been stolen. I filed a support ticket with Coinbase just hours after this occurred last night, but no response yet.

I'm distraught over this. A hacker can simply break into your account, steal your bitcoin by sending it off to his own account, and no one has to hold any type of accountability? Is there no way to trace, cancel, or reverse a transaction? Is there anything at all I can do?

Hilarious. The reason for bitcoin is lack of regulation. You know that right? You're using bitcoins and not dollars because it's not regulated and subject to the same oversights and related fees.

So basically you want the government to have no ability to lock down funds or regulate transfers, yet you also want the ability for the government to step in and stop people who have stolen your bitcoins.

Can people really be this oblivious? If you have bitcoins, do not just put them on random websites with zero auditing and expect them to be in any way secure. If you don't know how to secure a computer, you need to stay far away from bitcoins, they are not for you.

I think he's more interested if the police can do something, since the trail can be somewhat followed, and, you can often see an ip of the transaction requester. They more than likely can't do anything in these cases though, since that's something one can easily tamper with and it's quite unreliable (the IP thing).

Also, if there is anything Coinbase does, or, if one there is any laws regarding such things that might help him.

Agreed on the part about he should take more care with security though, two-way auth etc etc.

And here's what would happen:

1. As far as the police are concerned, someone stealing your bitcoin is like someone on an internet forum stealing your avatar / profile picture.

2. Bitcoin have no intrinsic value -- Welcome to the land of non-fiat "currency".

3. Someone taking your BTC simply doesn't register as a crime for them.

What do you mean "random websites"? It's Coinbase, the most reputable bitcoin wallet that exists. (Though they have had a few troubles as of late.)

Until you can verify Coinbase's internal security and practices, trust every employee with access to your account info, and verify their honest intentions, it's still pretty much a "random website". Until then, you're effectively driving your Ferrari across the border into Tijuana and tossing the keys to a random barkeep.

So... any bank website is also 'random'?

No, bank websites are bank websites.

And bank websites are operated by banks.

And banks are regulated by governments.

I would downvote this comment for trolling if I had the permission.

When comparing to established financial institutions and systems, I think it's fair to refer to even the most reputable BitCoin service provider as a 'random website'. That's the point that's being made.

Yes, please get back to us when you have verifiable proof of their security. This is Bitcoin we're talking about. It doesn't matter how "reputable" they appear to be.

You can still have an open and secure currency that's protected by the law. It would follow a minarchist philosophy that protects two parties from breach of contract.

Downthread, the poster states that he used the same email and password as for his Twitter account, which was recently hacked...

How does this happen with two factor SMS verification? Did you enable your API key?

What is the whole address and transaction id just to trace and see where it went? There is no way to cancel the transaction.


Here is the info[1] about the transaction. It seems the transaction way relayed by IP address, somewhere in Florida (Comcast customer). It also seems the address[2] only holds your balance for now. You can call Comcast and let them know.



I didn't have two-factor enabled (it's enabled now though). API was disabled. No malware installed.

Transferred to: 12aW8jPeEc9iQa5ocXCDReJ6Nij4c9xHtX

Transaction: d3f6547f901b45b3c79315e78a1bbcc988e27e6b98feab321f5628e2312b5377

I think this might be related to a recent Twitter account hack that happened a month or so ago, where a fake tweet was posted on the account. I had used the same email and pw on that account. Maybe they were scanning the stolen Twitter accounts against Coinbase.

> I had used the same email and pw on that account.

You used the same credentials for a social networking site as for your Bitcoin account with Coinbase? And you didn't change them once your Twitter account was hacked?

You should probably call it a relatively cheap lesson in not reusing passwords.

> A hacker can simply break into your account, steal your bitcoin by sending it off to his own account, and no one has to hold any type of accountability?

I thought lack of regulation was one of the features of Bitcoin.

Why are you comparing Coinbase features with Bitcoin features?

Why wouldn't he? I don't know of any online anything that refunds you from their own pocket, so, that he can't get the transaction back (like some bank account transactions can be, or, they can be traced to a person) is a feature inherent to Bitcoin and not so much Coinbase.

EDIT: spelling correction.

> Why wouldn't he?

Because it's colluding topics. "break into your account" refers to a Coinbase account. "lack of regulation" refers to the Bitcoin methods. Using both of those in a sentence or quoting that sentence in another comment creates implied blame.

The original comment could be assumed to say two different things: 1. If Coinbase security was compromised, then Coinbase is accountable for the transfer of Bitcoin from op's account. 2. If the op 'allowed' access to his account through malware or unsecure API keys, then the op is accountable.

I believe the second assumption is what chasing was referring to. I should have been clearer in my questioning.

Edit: Actually, I shouldn't have even asked the question. I should have said what I said above instead of asking a leading question. My fault.

Well, for example: My understanding is that if you bank with dollars (in the US), the FDIC insures your deposit up to a certain amount. A feature of the currency is also a feature of the bank holding that currency. It's hard to pull the two completely apart.

The purpose of FDIC insurance is to protect against bank runs due to the nature of the fractional reserve banking system (not a problem with Bitcoin, at least not yet), not to protect against hackers.

Now, whether Bitcoin services need stricter regulation in terms of security is another question. I don't think Coinbase goes far enough with their security yet (2FA on withdrawals seems like a no-brainer)

> and no one has to hold any type of accountability? Is there no way to trace, cancel, or reverse a transaction? Is there anything at all I can do?

You can file a police report. If somebody stole your physical cash, what would you do?

Bitcoin advocates claim this is a feature, not a bug. They say bitcoin should be the digital equivalent of cash.

I don't know much about how Bitcoin works. But isn't one of the features of Bitcoin that you can make transfers super cheap? Wouldn't it be best to keep your Bitcoin "wallet" off any internet connected devices and then just make a transfer to Coinbase only when you need to sell Bitcoin to transfer back to your bank? I would think that it would be a bad idea to keep your Bitcoin stored anywhere except in a space you fully control and could keep safe. Though if you have malware on your computer which targets Bitcoin activity then I'm not sure there is much you could do.

Personally, I would probably get something like a Raspberry Pi (if it's beefy enough) with a Linux distro which runs straight from RAM just for Bitcoin transactions. So, every time you boot up, it's a totally new installation. You could make sure that your media that you are loading it from is ready only. Then enter your Bitcoin info, do your transaction and shut off the computer. Next time you boot it up, new installation again. With these distro's, you don't actually have to install Linux every time, they just run from a read only image typically. I use Puppy Linux.

This should do a lot to keep you safe from malware. Just using Linux makes you a little less of a target. Using a fresh install every time you boot up reduces your vulnerability window. I'm sure that if you are connected to the internet, anything could happen. If you use this method, you would probably need to be specifically targeted by someone who really knows what they are doing. There are easier targets out there. ;)

>Personally, I would probably get something like a Raspberry Pi (if it's beefy enough) with a Linux distro which runs straight from RAM just for Bitcoin transactions.

This is basically exactly what you're talking about: http://piperwallet.com

Authy founder here (we do Two-Factor Auth for Coinbase).

Looks like you didn't have Two-Factor enabled https://news.ycombinator.com/item?id=6947037). Enable it now. We've stopped lots of Coinbase account password compromises. Most of the time we see that the e-mail was hacked.

Do the following:

1. Enable Two-Factor Authentication on your e-mail.

2. If you use GMail, go to Settings -> Forwarding POP/Imap. Check that no "weird" addresses are added to your account.

3. Change your E-mail password.

4. Change your Coinbase password.

If you have Two-Factor enabled we can also temporarily block your account if you suspect a hacker is trying to get into it. Contact us at support@authy.com and we'll block it.

I highly recommend the above advice. 2-factor auth is a simple step that hugely increases security. You must have it on your email at minimum - since having access to your email typically gives you access to many accounts connected to your email - and probably most of your financial accounts.

I might also encourage Coinbase to limit the maximum dollar value of transfer from an account to, say, $100 per day until someone enables two-factor auth. Typically people have very poor security habits, and strongly encouraging them to improve them will help both users and Coinbase's reputation.

A hacker can simply break into your account, steal your bitcoin by sending it off to his own account, and no one has to hold any type of accountability? Is there no way to trace, cancel, or reverse a transaction?

It would seem that you understand Bitcoin very well.

A review of all of the hacks/breakins/inside jobs since 2011 would have told you this already. You DID research its history, rather than jumping in blind, right?

All the theory about currencies and macro- and microeconomy and libertarianism are available in books. But people really like to learn the hard way.

There are a few rules about trustworthiness in economy. Our whole economic system is held together because one rogue actor would be rejected by all its partners if it failed a transaction, and the person wouldn't be able to create a new company if they acted unfairly. This peer-to-peer network is also backed by trade unions, then banks, then governments who vouch for each other.

By trusting Coinbase, a single actor in a very small economy, you have very little leverage, except talking about your mistake on HN and trying to get the consumer's snowball effect. It is not backed by its trade union, nor by its banks, insurances or government.

Don't forget that Bitcoin is a token game which is parallel to your national currency, and allows bypassing taxes. Bitcoins should get what they deserve: As a subversive currency allowing to bypass taxes, it should be fought by governments. Receiving money for a Blizzard account is just as illegal. Because it's a parallel economy which prevents taxes from being duly collected.

I'm not to say that I'm on the governments side, nor on the Bitcoin side. I'm saying they are competing and proponents of one side should be rejected by the other side.

Givn this background, you losing 0.12 BTC is a very mild outcome.

They have two factor SMS verification available for every login attempt. But you may just have malware on your computer if you had a really strong password.

Sounds like there's some pretty nifty malware out there recently http://www.reddit.com/r/Bitcoin/comments/1sxcyr/coinbase_acc... https://bitcointalk.org/index.php?topic=355045.0

Perhaps something to do with the API (which is disabled by default but some victims have noticed was enabled) https://coinbase.com/docs/api/authentication "If someone obtains your api_key or an access_token with the send or all permission, they will be able to send all the bitcoin out of your account."

(edit: followed the transaction trail on one of those links, ended up with week old address that had received 49,497BTC https://blockchain.info/address/1Facb8QnikfPUoo8WVFnyai3e1Hc...)

This is a reason why I never leave my BTC in Coinbase. As soon as my purchase goes through, I transfer the BTC to a paper wallet[1] or digital wallet that I control.

[1] https://en.bitcoin.it/wiki/Paper_wallet

Well, in my view CoinBase with two factor auth is as or more secure than leaving it on my physical computer. If this person had enabled two factor auth this wouldn't have happened.

I was under the impression that 2 factor auth on CoinBase wasn't optional, but I guess not.

CoinBase should also be failbanning any computer trying to brute force the same account with more than one password.

Because you can withdraw your coins from Coinbase, that means Coinbase has a copy of the private key associated with the BTC address that your BTC resides in. Two factor auth is not going to prevent a rogue attacker or employee from taking these keys.

By immediately transferring the BTC to a paper wallet address generated on a secure, offline computer, it is simply impossible to withdraw the BTC without possession of the information on that physical piece of paper. This is far more secure than any digital or two factor auth.

Edit: I notice that Coinbase does store the vast majority of their BTC in paper wallets[1]. The problem is, Coinbase still has a copy of the private keys associated with your BTC address. While this may hinder the efforts of outside attackers, there still exists a vulnerability with those employees who have access to the systems that move BTC from cold to warm storage. That's why your BTC should always reside in an address you generated yourself and solely possess the private key to.

[1] http://blog.coinbase.com/post/33197656699/coinbase-now-stori...

I mean, I've given them the ability to withdraw money from my bank account so merely trading on CoinBase requires me to believe they won't do that or anything like that. The fact of the matter is that I don't trust CoinBase, but I know that our interests are somewhat aligned. If they damage their reputation by stealing my BitCoins or my cash they lose money because people don't trust them any more. They are backed by people I consider to be reputable and if CoinBase does something shady all of their reputations will suffer.

While this is a legitimate concern, it is not relevant to what happened here - the OP didn't enable 2FA and used the same password on his Twitter account (which was also compromised).

If you turned on your API key Coinbase and someone obtains that key, they can transfer coin on your behalf. From a productive paranoia perspective, I think this is a REALLY BAD IDEA for exactly the reasons posted here. People will use that key to 'try out' coinbase, and then end up forgetting to check their code and upload it to Github or Pastebin and then WHAM, you've got two problems: your Bitcoin is gone and Coinbase now has a marketing problem of potentially epic proportions.

The guys at Coinbase need to turn OFF the API key feature as soon as possible. It has the potential of hurting the entire ecosystem.

Edit: One suggestion to Coinbase would be to change the API key feature to only allow the API methods which don't result in sending payments. This allows quick use of their APIs in doing architectural design and ensures protection against key leakage. A second suggestion is to queue up outgoing transactions initiated by the API key into batches and use alerts (like through Pagerduty or similar) to notify the account owner transactions are pending and need approval.

I disagree. They shouldn't turn off the API access for payments because some people might use it incorrectly. Let's be honest, it takes a special kind of stupid to upload secret keys of any kind to their repos. And if they do, well, they deserve whatever happens to them.

I thought the point of Btc is that there is no "now what".

I use the Google Authenticator style of 2-factor auth with Coinbase using the Authy app.

Seriously - if you're not using 2FA then you're just looking for trouble.

@pg: can you please ban off all those Coinbase support threads? It's getting ridiculous, we're not Coinbase customer support here.

Did you have the two factor verification activated?

There is limited ability to trace transfers by examining the blockchain, but there is no way to cancel or reverse a Bitcoin transaction. Most online wallet services, including Coinbase, offer no explicit insurance against unauthorized transfers.

Welcome to the brave new world!

Same happened to me on MtGox (to make it clear, not their fault, was my own carelessness). Was more than likely related to reuse of password and a hack on another site that used the same acc/pass combination.

There is nothing one can do. MtGox can't protect users from getting their account hacked when it's nothing they've done. I filed a police report, but there's not much the police can do in the case of btc...

One learns from ones mistakes, so, now; stopped reusing passwords, and added two-way auth for important/sensitive things, alas, a bit too late (got 9 btc stolen ;_; although at the time, they were only worth ~100$/btc).

For less than $100, there is nothing you can do except learn from this. There would probably not be anything you could do if it was a few orders of magnitude larger either, so you are lucky.

Hacking is pervasive, but anonymous currencies are providing a more interesting target than sending spam or renting botnets. Generally, security is very poor everywhere but most people don't really notice. This is going to have to change at some point as more of our lives go online.

I've been on the sidelines for BitCoin for the past few years, but it appears to me that it is gaining adoption at least at the early adopter stage and has an insanely long way to go but is becoming increasingly interesting.

I'm researching BitCoin to try to have a really in depth understanding of it. What is the best, even if complex, paper/blog/website on how to properly secure bitcoins?

You can take a look at https://en.bitcoin.it/wiki/Securing_your_wallet and maybe less directly relevant, but still good information is https://en.bitcoin.it/wiki/Weaknesses .

Personally, I keep my btc wallet.dat file in a AES encrypted diskimage (sparsebundle on OS X) in my Dropbox, and then symlink that file to the place where it needs to be on the computer. My wallet is always backed up, and secure enough (you need either physical access to my computer and get the password right, or, access to my dropbox account and, again, the password for the wallet diskimage).

Quite content with my setup, I just mount the diskimage before I open my Wallet application...


"I buried my gold in the forest because I didn't want the government to get their grubby mitts on it. I came back later, after only telling a few folks where it was, and I'm upset to see it gone. Can the government help me?"

There are many ways of tracing transactions. There are no ways of canceling or reversing them.

You trusted your valuables to a third party and were careless with your own access credentials to communicate with that third party. Your fault, your consequences.

I see this sort of story being the downfall of bitcoin. Once a few of these things happen, trust will be lost in it and the bubble will deflate.

(Out of interest, did you "make money" from bitcoin, when it was going up)

I agree, and that's why bitcoin needs accountability. If not bitcoin, then Coinbase. PayPal is a good example of this. For all of the flak they receive, you can trust them to honor reports of unauthorized transactions and feel (mostly) confident making purchases.

I'm very cautious now about considering bitcoin any further. I'm certainly glad I never linked a bank account to Coinbase.

Call the police.

Did you have a mac / windows computer?

Do you have any antivirus software installed?

It most likely had nothing to do with his computer. I could buy a new computer, use it only to consummate a transaction on Coinbase, and destroy it, and I've done little to minimize my risk.

use 2 factor authentication next time, lesson learned. how about you give us the full bitcoin address where the bitcoin being transfered to.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact