In a few hours on December 15th, Jeff lost nearly $10,000.
It was 10.6 bitcoins held in the wallet service Coinbase, the most well-funded and widely implemented service on the market. Jeff, who asked that we not use his last name, got the news of the transaction as soon as it happened, and after going back and forth with a customer-service representative, he had his money refunded. Exactly one month later, it happened again.
Coinbase told him he'd been hacked
This time, the news came while he was at the hospital for the birth of his daughter. He hurried to unlink his checking account, only to see a new purchase for $7,000 worth of bitcoins had just cleared. He quickly moved the new money out of Coinbase, dropping it in a secure offline wallet where the hackers couldn't reach it. He'd saved the $7,000 from being stolen, but his original 10.6 bitcoins were now gone for good. Coinbase told him he'd been hacked, and didn't qualify for a second refund.
It's part of a string of Bitcoin thefts that have hit the service in recent weeks. The Verge has confirmed two other Coinbase users with stories similar to Jeff's, one taken for $16,000 and another for $5,000. In the first case, the victim was using two-factor authentication and received a refund; in the second, two-factor hadn’t been enabled and the refund was denied, on grounds that the user hadn’t properly set up the account’s security measures. Several other as-yet-unverified reports have also been posted on the Coinbase subreddit.
The Verge has confirmed two other Coinbase users with similar stories
Researchers from the security firm FireEye say the relatively small scope of the breaches makes it unlikely that Coinbase had a service-wide vulnerability. Instead, the researchers suggested that Jeff and others had been individually compromised, but that Coinbase's unusually powerful API key made them more vulnerable after the attack had taken place. Used to let third-party apps access Coinbase accounts, the right API key will let any program move bitcoins in and out of a given accounts. Once the key is compromised, attackers can even access linked bank accounts to purchase more bitcoins. Users are advised not to authorize the API key if they don't need it, but if an account has been compromised, hackers may decide to authorize it themselves, as Jeff suspects happened to him.
The small scope of the breaches makes a service-wide vulnerability unlikely
Reached for comment, Coinbase CEO Brian Armstrong confirmed that some users had experienced attacks, but emphasized the individual nature of the breaches, saying, "phishing is something that's ongoing. It happens on every major site on the internet." Armstrong also pointed out Coinbase's use of two-factor authentication, a feature that's still missing from many major banking sites. The FireEye researchers agreed: none of these attacks seem to be targeting Coinbase’s own infrastructure. Every indication suggests they are individual exploits targeting individual accounts, and Coinbase’s own user agreement clearly states that users are "responsible for maintaining adequate security and control of any and all IDs, passwords, personal identification numbers, or any other codes that you use to access Coinbase services." For one reason or another, Jeff and the other customers failed to do that. Still, amid real financial losses, it’s easy to see why they feel betrayed.
Any program with the proper API key is able to make its own transactions
In Jeff’s case, the API key was almost certainly at fault. He says he reset the key and disabled it after the first hack, only to find it reenabled by hackers the next time he logged on. A day after Jeff's second hack, Coinbase enabled two-factor authentication via email for anyone attempting to turn on the API key, a change that might have prevented Jeff's losses — but by then it was too late. Even now, any program with the proper key is able to make its own transactions without further authentication.
The attacks come at a critical time for Coinbase, an the Andreessen Horowitz-backed company that has become the Bitcoin market’s largest and most reputable broker in recent months. In January, the company partnered with Overstock.com to handle Bitcoin transactions for the site, the largest retail implementation the currency has ever seen. Smaller sites like BloomNation, Malwarebytes, and payment-tracker Mint signed on with Coinbase shortly after. At the same time, the company has often been the target of phishing schemes, particularly after public user transaction records were discovered this past April. In response to The Verge's report, Coinbase published a blog post this morning that specifically warns against phishing schemes, instructing users to "avoid clicking on suspicious or unknown URLs."
"It was just too easy for someone with the key to take all the funds out of the account."
Much of the blame also lies with the basic structural properties of Bitcoin, which make it impossible to reverse transactions and easy to launder money once it's been stolen. If the same hackers tried to transfer funds from a traditional bank account, the account owner could have a small but crucial window in which to stop the payment, and preemptive antifraud measures could halt the transaction before it took place. Because of the network's open and pseudonymous nature, those protections are extremely difficult to implement in the Bitcoin marketplace.
For his part, Jeff blames the API key and the promises of "bank level security" made on the company's website, a promise Armstrong says he stands by. "It was too easy for someone with the key to take all the funds out of the account," Jeff says of the API key. He wishes the option to enable had been less accessible, more hidden. "I wish it had just never been there." It's particularly galling to him because the key is a developer-level feature that most consumers have no use for. For Jeff, that extra bit of third-party access came with a hefty price tag. As he put it, "I'm just a dude that wants to buy some shit from Overstock."