Andreessen Horowitz-backed bitcoin wallet provider Coinbase confirmed via a company blog post on 7th February that âa small handfulâ of its customers have fallen victim to phishing attacks.
The reports of bitcoin wallet security vulnerabilities, however small, have nonetheless reverberated widely in an industry that is being increasingly cast in a shroud of uncertainty by the mainstream media.
A separate account of the incidents by online news source The Verge paints a very different picture of the situation, suggesting that the thefts, while in some cases the fault of Coinbaseâs users, were sizable and perhaps more frequent than has been reported.
The Verge confirmed what it called âa string of Bitcoin thefts that have hit the service in recent weeksâ.
In its piece, it profiled the story of a Coinbase user named Jeff, who lost 10.6 BTC in bitcoins due to theft this December. Whatâs most unique about Jeffâs story, however, is that one month later, his refunded money was stolen from the service yet again.
The media outlet revealed that it has confirmed two separate thefts occurred to users on the service in addition to Jeffâs multiple thefts, for amounts of $16,000 and $5,000, respectively.
The sum total of the thefts, as noted by the piece, is roughly $40,000.
The security firm FireEye told the Verge that it believes it is unlikely that Coinbase suffered a system-wide vulnerability, and that instead, each individual victim was compromised in isolation.
However, it suggested that Coinbaseâs âunusually powerfulâ API may have been a factor:
âThe right API key will let any program move bitcoins in and out of a given accounts. Once the key is compromised, attackers can even access linked bank accounts to purchase more bitcoins. Users are advised not to authorize the API key if they donât need it, but if an account has been compromised, hackers may decide to authorize it themselves.â
FireEye did suggest that the company itself does not seem responsible for the attacks, which were not aimed at its infrastructure. Further, it suggested that Coinbaseâs user agreement clearly states that individuals are responsible for the safety of their private keys.
By using the wallet providerâs two-factor authentication, the report suggested, Jeff could have prevented the loss of his API key, which once his account was compromised may have been reactivated by the hackers.
The San Francisco-based company downplayed the thefts, stating that âphishing is unfortunately common across the Internetâ, and noting that it affects banking institutions, payment processors and retailers in the traditional financial system as well.
Further, the company indicated that, because of the concern over phishing attacks, it has implemented enhanced security measures, that when used with best practices for web surfing, can help limit these occurrences:
âWeâve implemented a number of increased security measures, including expanded two-factor authentication measures designed to help lessen the likelihood of successful phishing incidents in the future. Weâve also added an email verification step for key actions, such as when an API key is enabled.â
Coinbase representatives declined further requests for comment, stating that the blog post represented their official position on the attacks.
Image credit:Â Digital key via Shutterstock
