Are users to blame?
LocalBitcoins, a decentralized Bitcoin exchange with more than 100,000 users, confirmed reports of a security breach after multiple users complained their digital cash had vanished.
It started when LocalBitcoins user “don4of4” posted on the site’s forums around noon ET on Thursday, writing that she or he lost more than 4 bitcoins despite having a password surpassing 30 random characters and enabling a two-step authentication to log in to his account.
Other users chimed in saying they too had lost bitcoins. On Reddit and Twitter, users warned others to withdraw their funds from LocalBitcoins.
— Patrona Partners (@PatronaPartners) April 17, 2014
At around 2 p.m. ET, the Finland-based company responded to users on the forums saying they were investigating the situation. After about two hours, LocalBitcoins posted an update to its blog, reporting that the breach affected fewer than 30 users and fewer than 30 bitcoins (about $15,000, at current exchange rates).
“Most likely explanation to these attacks have been stolen user credentials through phishing or malware,” LocalBitcoins wrote. “So far nothing indicates that this have been a security flaw on the website itself, but we are going to continue investigating the case.”
The update, posted in broken English, doesn’t fully match up to users’ reports, as it claims that none of the affected users had two-factor authentication enabled.
Bitcoin owners have good reason to be on edge these days. It has been less than two months since Mt. Gox, once the world’s largest Bitcoin exchange, shut down after losing hundreds of millions of dollars of customers’ bitcoins in an apparent hack. Earlier this month, researchers exposed the Heartbleed bug, a catastrophic security flaw that sent shockwaves across the entire Internet.
Unlike most Bitcoin exchanges, which facilitate fully online transactions, LocalBitcoins matches buyers and sellers by geographical location for face-to-face exchanges of cash for Bitcoins. The company’s 110,000 active traders make it the largest decentralized market in the world, according to ArcticStartup.
The LocalBitcoins security incident comes just a day after Mycelium Bitcoin Wallet, a popular Android app, launched a feature that facilitates local transactions, which is almost identically to LocalBitcoins. There is no evidence that the two events are linked.
Update: LocalBitcoins published another more-detailed update on this hack, further supporting the company’s previous statement that the security breach does not reflect a site-wide problem.
Photo by BTC Keychain/Flickr (CC BY 2.0)