Hackers steal $1.2m of bitcoins from Inputs.io, a supposedly secure wallet service

By Richard Boase

Tradefortress, the developer behind bitcoin web wallet Inputs.io, released a statement on his website today, after being forced to close it down in the aftermath of a major hacking incident, saying:

“I know this doesn’t mean much, but I’m sorry, and saying that I’m very sad that this happened is an understatement.”

Inputs.io, which was intended to be a high-security bitcoin web wallet, was apparently hacked on the 23rd of October, when thieves stole bitcoins worth over $1.2m at current BPI prices.

The statement, published this morning, continues:

“Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.

“Database access was also obtained, however passwords are securely stored and are hashed on the client.

“If you stored more than 1 BTC, send an email to [email protected] with a bitcoin address (preferably, an offline, open source light/SPV wallet like Multibit or Electrum). Use the same email you’re using on Inputs. Please don’t store bitcoins on an internet connected device, regardless if it is your own or a service’s.

“I know this doesn’t mean much, but I’m sorry, and saying that I’m very sad that this happened is an understatement.”

According to Hacker News, just as in the Bitfloor theft, in which 24,000 BTC were stolen, the bitcoins were stolen from the website’s ‘hot wallet’ – an online wallet which has to operate to process live withdrawals. However, it seems as if Inputs.io was keeping most if not all of their coins online, whereas other services often keep as much as 80% offline.

Inputs.io says that although the hack took place on October 23rd, even depositors who made deposits after that date are not safe, as other users were able to make withdrawals from the shared wallet.

In contrast to a service like Blockchain.info (which, although generally thought of as safe, still suffered a security issue back in August), Inputs.io is a shared wallet that manages its users' balances and holds their private keys, giving the service full access to all the bitcoins stored with it.

Blockchain.info account access is secured by an identifier/alias, password combination and two-factor authentication and is generally thought of as secure. However, as with any technology, nothing is foolproof. According to Bitcoin Talk forum user ‘masteroflove’:

“If the blockchain.info domain is compromised, the hacker can serve malicious JavaScript that will record your passwords and can get access to all your bitcoins. That’s why it is recommended to use the Chrome or Firefox blockchain app. But even this isn’t 100% foolproof as an attacker that gains access to blockchain’s credentials can push a malicious update that will automatically update on your browser apps.”

Questions are now being asked publicly about Inputs.io’s main developer Tradefortress, who, whilst still …read more

Source: CoinDesk