Monday, February 8, 2016

Bitcoin stolen from lending startup Loanbase in alleged hack

Bitcoin lending startup Loanbase, Inc. is claiming to have been hacked, although fortunately for customers and the company alike the amount stolen was not huge.

Loanbase advised customers of the hack via email and its Facebook page on Sunday and explained that they had first detected unauthorized access early in the morning of Saturday, February 6.

The company says that hack came via a hole in a WordPress blog, and gave the hackers access to their SQL database, meaning that sensitive user information may have been accessed including e-mail addresses, phone numbers, names, and other sensitive information.

It's not clear at this point what occurred next as Loanbase doesn't describe what happened, but presumably, somehow the hackers used the data from the database to access Bitcoin wallets held by customers.

Loanbase says it believes the loss is "roughly" around 8 Bitcoins ($2,976) but could be as high as 20 Bitcoins ($7440), and all affected customers will be fully reimbursed the amount stolen.

Ticks and crosses

It must be said first and foremost that Loanbase should be praised for its full transparency in disclosing the hack, how it occurred, and more importantly what they are doing about it, which at the time includes taking their website down, resetting passwords, rejecting any withdrawals that have been approved but not processed, and implementing additional security procedures; many other companies can learn a lesson here.

The hack though does raise serious questions about how Loanbase has its Bitcoin wallets set up to begin with.

Let's just presume that the hackers gained access to the wallets via access to a WordPress database: what information was in a WordPress database to begin with and is WordPress the right platform to be using to run a financial services business?

Secondly, and most important, two-factor authentication (2fa) would have immediately limited access to stored Bitcoin, so it can only be presumed that it wasn't in place for these customers; there is some suggestion that customers are given a choice of using 2fa or not with Loanbase but best practice in 2016 is to not give customers a choice as to whether they want to use 2fa or not, and to make it compulsory to avoid exactly what has happened here.

RELATED:  Voxel crowdsale establishes and launches first virtual reality currency

If you're a customer affected by the Loanbase hack you can follow the latest updates on what the company is doing on its Facebook page here.

Image credit: chodhound/Flickr/CC by 2.0
  • About
  • Latest Posts
    • Duncan Riley Duncan Riley Duncan Riley is a senior writer at SiliconANGLE covering Startups, Bitcoin, and the Internet of Things.

    Duncan is a co-founder of VC funded media company B5Media and founder of news site The Inquisitr, and was a senior writer at TechCrunch in its earlier days.

    Tips? Press releases? Intersting startup? email: duncan@nichenet.com.au or contact Duncan on Twitter @duncanriley

    Duncan Riley Latest posts by Duncan Riley (see all)
  • Memories: Internet Archive's new Malware Museum lets you relive viruses of old - February 9, 2016
  • Bitcoin stolen from lending startup Loanbase in alleged hack - February 8, 2016
  • AngelList raised $163m for early stage startups in 2015 as investors diversify their portfolios - February 8, 2016
    • SIGN UP FOR THE SiliconANGLE NEWSLETTER! Join our mailing list to receive the latest news and updates from our team. SIGN UP FOR THE SiliconANGLE NEWSLETTER! Join our mailing list to receive the latest news and updates from our team.
    Source: Bitcoin stolen from lending startup Loanbase in alleged hack

    Posted by at

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)