2013
Bitcoin
Inputs.io Hack
Two attacks totaling about 4100 BTC have left Inputs.io unable to cover its users' balances.
The website is attempting to repay clients who held more than 1 BTC, using its own account and the coins held in "cold storage", an electronic wallet which was not connected to the net.
Phishing Attack with Server-Side Security Bypass
Loss in 2013: $1.2 million
The attacker compromised the hosting account by first compromising email accounts. The attacker was able to bypass 2FA due to a flaw on the server host side.
Limited recovery efforts were made. Users with large balances received partial compensation.
TradeFortress expressed regret but offered limited explanation or compensation.
Importance of robust email security practices (2FA, strong passwords), vulnerability of hot wallet storage, need for transparency and communication during security incidents.
In November 2013, Inputs.io, a popular Bitcoin wallet service at the time, suffered a major hack. This incident significantly impacted the fledgling cryptocurrency ecosystem, raising concerns about security and highlighting the vulnerability of early adopters.
Inputs.io offered online storage for Bitcoin holdings, promising a user-friendly interface and secure transactions. However, security measures proved inadequate. Hackers exploited two key vulnerabilities:
Compromised Email Accounts: Attackers gained access to user email accounts, likely through techniques like phishing. These emails, some of them old and lacking strong authentication (2FA), were used to reset passwords and gain access to the Inputs.io hosting account.
Server-Side 2FA Bypass: Even though Inputs.io offered two-factor authentication, a flaw on the server side allowed hackers to bypass this security measure.
The hack resulted in the theft of approximately 4,100 Bitcoins, valued at over $1 million at the time. This represented a significant loss for Inputs.io, forcing it to shut down permanently.
The immediate impact included:
Loss of User Trust: The incident shattered user trust in Inputs.io, highlighting the risks associated with online cryptocurrency storage.
Market Uncertainty: The hack contributed to a period of uncertainty in the young cryptocurrency market, raising concerns about the overall security of Bitcoin.
Inputs.io had limited options due to the severity of the hack.
Shutdown and Communication: The service shut down and informed users about the incident.
Limited Reimbursement: Attempts were made to partially reimburse users with significant holdings from remaining company funds.
Law Enforcement: Due to the nascent nature of cryptocurrency regulation, limited law enforcement action was likely taken.
The hack exposed critical security shortcomings at Inputs.io:
Weak Email Account Security: The lack of strong authentication on user email accounts proved to be a major vulnerability.
Insufficient Server-Side Security: The server-side 2FA bypass exposed a critical security flaw that should have been addressed.
The Inputs.io hack served as a wake-up call for the cryptocurrency community, prompting changes in industry practices:
Enhanced Security Measures: Exchanges and wallet services prioritized robust security measures, including stricter password protocols and improved server-side security.
Focus on Cold Storage: The importance of cold storage, keeping Bitcoin offline, gained traction to minimize online theft risks.
The Inputs.io hack highlighted the vulnerabilities of early cryptocurrency platforms. Lessons learned include:
The importance of robust security measures across the entire infrastructure, including user accounts and server-side operations.
The need for user education on strong password hygiene and account security.
The potential role of regulation in setting security standards for cryptocurrency businesses.
Security experts emphasize the importance of ongoing vigilance in the evolving threat landscape. By adopting best practices and fostering user awareness, the cryptocurrency community can build a more secure and trusted future.
https://cointelegraph.com/news/bitcoin_website_inputs_io_lost_1m_when_hackers_attacked_two_times, https://99bitcoins.com/bitcoin-wallet-service-inputs-io-hacked-by-thief-who-stole-4100-btc/