150BTC Coinapult Hack Renews Doubts About Security Fundamentals

150 BTC, worth around 41,300 USD, was stolen from Coinapult’s hot wallet March 17. Coinapult announced the compromise via its Twitter account, and warned customers not to send Bitcoin to existing Coinapult addresses.

Surprisingly, the hacker has yet to move the funds, which can still be seen on the blockchain.

According to the Coinapult team:

“Investigations are ongoing to determine the method of attack. Until we are able to determine and patch the attack vector, we will not re-enable our services. If this takes more than a few days, we will refund customers manually.”

The company has released a document describing the security breach and all the possible vulnerabilities. According to Coinapult there are only few people with access to the hot wallet through SSH keys, and only 2 people have physical access to the affected servers.

Coinapult claims that these servers are kept in a tier 3 data center with layers of physical security. Surprisingly, they also have a second set of production servers with the same access rights which had over 500 BTC stored on it, which the hacker didn’t touch, possibly demonstrating that the hacker did not know about the existence of the second server, and hence proving it likely that it was not an inside job.

Nonetheless, details of the breach remain totally unclear, causing Coinapult to power down and isolate all of the hardware in the data center. The hardware will be disassembled, and a forensic analysis will be conducted on hard drives to see if data from the manipulated logs or anywhere else can be recovered to reveal specific clues.

Coinapult was founded by Ira Miller and investor Erik Voorhees in 2012, and has hitherto survived, remarkably untouched by major attacks.

The Mt. Gox incident, Blockchain.info, Bitstamp, Cavirtex and now Coinapult form a series of high-profile breaches of Bitcoin exchanges and wallet services. Unfortunately, there is not a lot of information available about these incidents, and most of the user’s questions are left unanswered, especially with the Mt. Gox case.

 These incidents, with a more transparent system and a better access control, could have been prevented. Then, with full transparency, instead of the users being left in the dark, users would be able to see and follow what has happened at the very least. The release of this document now by Coinapult clears things up a little bit, but it would be better for these service providers to provide more transparency from the beginning.

Did you enjoy this article? You may also be interested in reading these ones:

Chinese Exchange Gets 'Goxed' for 1,000 bitcoins (UPDATE: Company Responds) Breaking: Bter Hacked, 50M NXT Stolen White Hat Hacker Returns Missing Bitcoins to Blockchain.info