Several users of Purse.io, a P2P service that lets customers shop on Amazon with bitcoins, reported receiving unauthorized password reset emails, which were quickly followed by unauthorized withdrawals of money from their accounts.

Reddit user akreider first reported the incident on Sunday, 11 October.

“My purse.io account appears to be compromised. I got an email to change the password, a withdrawal request, and then a withdrawal confirmation. Fortunately only 0.36 btc,” he wrote.

Other redditors soon confirmed their accounts had been stripped too. In the meantime, the service went offline under the pretext of maintenance.

Later, Purse.io resumed its operations. The company admitted that a security breach did happen while denying any client funds were affected.

“Our investigation is still ongoing, but current information leads us to believe that one of our third-party email service providers was compromised causing unauthorized password resets for some users. We discovered this quickly, secured funds, and reset tokens for affected users. All funds are secure, and service has been resumed,” the blog post reads.

Purse.io stated that neither hot nor cold wallets were compromised, and that users with two-factor authentication (2FA) were not affected. The company advised its users to activate 2FA and revealed it was considering making it mandatory. However, Reddit user aaronsta1 claimed he had enabled 2FA and still lost his money.

Recently, the company published an update finally admitting that 11 user accounts were hijacked and that hackers managed to withdraw 10.235 BTC.

“All affected accounts have been reimbursed. Reports of accounts with 2FA being compromised are not accurate. Some users enabled 2FA after they received reset password emails. Accounts that were affected will soon regain access.”

At the beginning of the year, two large bitcoin marketplaces, BitStamp and LocalBitcoins, were hacked with a loss of customers’ funds. Later on, BTER, a Chinese bitcoin exchange, also suffered a hacker attack and lost 7,170 BTC (approximately $1.75 million) from its cold wallets in mid-February. In June, an undisclosed “significant” sum of bitcoins was lost in an attack against the cloud mining service Scrypt.CC.

 

Nadya Krasnushkina

Comments  

# X 2015-10-13 07:08
Article Incorrect
Amount was 10. not 10,
10 Bitcoins were stolen