Online institutions of all types are vulnerable to hacking, and Bitcoin is no exception: last week, hackers stole over $12,000 worth of Bitcoin from Bitinstant, one of the larger Bitcoin transaction sites. As with many recent hacks, the theft was carried out with a bit of social engineering. According to the Bitinstant blog, the attacker contacted the company's domain registrar posing as a Bitinstant employee, using a similar-looking email address together with knowledge of the employee's date of birth and mother's maiden name. From there, the attacker convinced the registrar to make the fake address the primary email on the account and to reset the account's password.
Once the attacker controlled the Bitinstant domain, he redirected its DNS to servers in Germany and then in Ukraine, locking Bitinstant's employees out and gaining access to their email accounts (whoever controls a domain's DNS can point its mail records at servers they control and receive the domain's email, including password-reset messages). With control over the email accounts, the attacker reset the password for Bitinstant's account at a Bitcoin exchange and stole the $12,800 in three separate transactions. Getting into the exchange account proved simple because it had no two-factor authentication enabled: all the thief needed was a username and password.
Fortunately for Bitinstant and its customers, the hacker obtained no personal information; the company says it keeps all personal and transactional data offline to protect user privacy. Sadly, it wasn't as vigilant with other forms of security. Wired reports that Virwox, the Bitcoin exchange the hackers raided, has supported multi-factor authentication since September 2012. "Bitinstant was not using it (they learned and do now)," a Virwox representative told Wired.
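To make concrete what "a lack of two-factor authentication" means for an account whose password can be reset through a hijacked mailbox, here is an added example (my own code, not Bitinstant's or Virwox's) of an exchange-style login check with and without a second factor. The second factor is a TOTP code as defined in RFC 6238 (HOTP from RFC 4226 driven by a 30-second time counter), the form of one-time code most authenticator apps produce. The account record, its salt, its password and the account name `bitinstant-demo` are constructed for the demonstration; the TOTP secret is the public RFC test-vector key, so none of this is real credential material.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample account. The secret is the RFC 4226/6238 test-vector key and
# the password hash is derived here at import time, so nothing below is real.
_SALT = b"constructed-salt-value"
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 100_000)
_TOTP_SECRET = b"12345678901234567890"

ACCOUNTS = {
    "bitinstant-demo": {
        "salt": _SALT,
        "password_hash": _PASSWORD_HASH,
        "totp_secret": _TOTP_SECRET,
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation
    of the digest, then the low `digits` decimal digits, zero-padded."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second
    intervals elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current time step or up to `window` steps on either
    side, to tolerate clock drift between client and server. The comparison is
    constant-time so a wrong code cannot be distinguished by timing."""
    if len(code) != digits or not code.isdigit():
        return False
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def check_password(account: dict, password: str) -> bool:
    """Salted PBKDF2 comparison, constant-time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 100_000)
    return hmac.compare_digest(derived, account["password_hash"])


def login(username: str, password: str, otp: Optional[str], unix_time: int,
          require_2fa: bool = True) -> bool:
    """Model of an exchange login. With require_2fa=False a username and password
    alone are enough, which is the configuration the article describes: anyone who
    can reset the password through the account's mailbox gets in. With
    require_2fa=True a valid TOTP code from the user's device is also needed."""
    account = ACCOUNTS.get(username)
    if account is None or not check_password(account, password):
        return False
    if not require_2fa:
        return True
    return otp is not None and verify_totp(account["totp_secret"], otp, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    pw = "correct horse battery staple"          # known to the attacker after a reset
    print("password only, 2FA off:", login("bitinstant-demo", pw, None, now, require_2fa=False))
    print("password only, 2FA on: ", login("bitinstant-demo", pw, None, now))
    code = totp(_TOTP_SECRET, now)               # what the legitimate device shows
    print("password + code, 2FA on:", login("bitinstant-demo", pw, code, now))
```

The point of the model is the second branch: once the registrar account, the DNS and therefore the mailbox are in the attacker's hands, a password reset is trivial, and `require_2fa=False` makes that reset sufficient. With the second factor enforced, the attacker also needs a code that only the secret on the legitimate user's device can produce, and the email channel alone no longer yields it. A real deployment should additionally record the last accepted counter per account so that a captured code cannot be replayed within the drift window.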