BTC-E Bitcoin Exchange and the popular forum BitcoinTalk has become victims of security breaches.
The news was made public by the famous data breach notification site LeakedSource in which it was also revealed that the breaches occurred in 2014 and 2015.
The news bit has come as a shock to many because it is a general perception that crypto-currency sites are the most secure ones given their sensitive nature. After all, the digital currency is being touted as the ultimate way to safely transfer money but if these sites can be hacked so easily then we may never know what’s in store for us users in the future.
You must be wondering how the hackers managed to breach the security of such well-protected forums. LeakedSource has explained that the hackers attacked BTC-E (BTC-E.com) and attempted to access and steal around 568,355 records of its users, which accounted for the entire database at that time. This breach occurred in October 2014.
The attack on BTC-E forum resulted in stealing of critically important user data including emails, user IDs, passwords, Bitcoin’s wallet balance, language settings, registration related information and most importantly their IP addresses.
The next attack happened in May 2015 and this time, the hackers targeted BitcoinTalk (Bitcointalk.org), another popular crypto-currency website. The unidentified hacker(s) got hold of the credentials of numerous servers of the company using social engineering techniques on an employee of BitcoinTalk’s ISP called NFOrce.
Here is a tweet from 2015 in which BitcoinTalk acknowledged that their server was compromised.
Server compromised due to social engineering against ISP NFOrce. There will be extended downtime for forensic analysis and reinstall.
— BitcoinTalk (@bitcointalk) May 22, 2015
The data stolen during the BitcoinTalk hacking feat was also quite sensitive as it also included hashed passwords, birth dates, secret questions and their hashed answers and of course, email IDs. In total, the hackers obtained private details of about 499,593 users.
LeakedSource also clarified that 9% of the stolen passwords were reversed into their cleartext format since these were hashed through MD5. On the other hand, the others were hashed through the SHA256-Crypt algorithm, which the company maintains that would take them approximately one year to crack them. Even then, the will be able to crack only 60 to 70 % of them.
“We are pleased to announce that only 44,869 (9%) of users on Bitcointalk.org used MD5 hashing with a unique salt for passwords. Of those, we have cracked 30,389 or 68%. The remaining 91% of user passwords were hashed with “sha256crypt” and it would take us about a year to crack an estimated 60-70% of them. This method of password storage is far superior to nearly every website we’ve seen thus far, said LeakedSource.”
LeakedSource further explained that the user accounts and passwords that secured them from being exploited were appropriately secure already since both the websites had implemented strong security measures.
It must be noted that breaching the security of crypto-currency sites is no ordinary feat as it requires tremendous skills and social engineering proficiency to conduct a task of this sort. As leakedSource itself noted that the hacked passwords were hashed through a powerful algorithm, which made them fully uncrackable.