Hackers discover $18 million leak at two Bitcoin exchanges
White hat hackers have 'discovered' $18 million in cryptocurrency such as Bitcoin (BTC) at two separate exchanges. That is the finding of research by technology site CyberNews, which reports on it in detail.
'Leak' of $18 million
The haul of the well-intentioned attackers is impressive. At one of the exchanges, one million private keys were found. Whoever holds the private keys holds the Bitcoin.
On top of that, thousands of customer accounts holding sensitive information were exposed by the 'hack'. A notable name: the European exchange Lykke is one of the exchanges investigated, and the results are unambiguous.
Lykke kept 80,000 private keys in a publicly reachable database that was not encrypted. The keys give access to cryptocurrency with a current market value of $16.5 million.
The API keys, which gave unauthorized parties full access to the exchange, were stored in that same database. That is the opposite of "cold storage", an offline location such as a safe.
The mainnet keys were also compromised; among other things, they give access to $25,000 in cryptocurrency held by the exchange itself.
In short, the white hat hackers could have walked off with the multi-million haul without any obstacle.
But Lykke was not the only exchange that handled private keys, personal data and critical business data carelessly.
Hubdex, a decentralized exchange from China, also used a publicly reachable database. Once its password had been cracked, which took little effort, both the API keys and all user and identity data were there for the taking.
To make matters worse, the researchers discovered another one million private keys.
Lykke has confirmed to the white hat hackers that the public database is theirs and that they are taking precautions quickly.
The saying "not your keys, not your Bitcoin" applies once again.
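The findings above (a key store reachable without authentication, private keys in plaintext next to API keys) are the kind of thing an exchange can audit for itself before a researcher does. The following is an added example, not code from CyberNews, Lykke or Hubdex: it walks a JSON export of a document store, flags any Base58 token that decodes as a valid WIF private key (version byte plus double-SHA256 checksum, so false positives are practically excluded), and lists 64-hex strings only as lower-confidence candidates because txids and hashes share that shape. The sample records, the field names and the key material in them are constructed for the example.

```python
"""Audit a document-store export for plaintext Bitcoin private keys.

Added example; not code from CyberNews, Lykke or Hubdex. All sample data
below is constructed for the example.
"""
import hashlib
import re

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(ALPHABET[r])
    pad = len(data) - len(data.lstrip(b"\x00"))  # each leading 0x00 byte is a leading '1'
    return (b"1" * pad + bytes(out[::-1])).decode()


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s.encode():
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not a base58 string")
        n = n * 58 + idx
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def wif_encode(priv: bytes, compressed: bool = True, version: int = 0x80) -> str:
    """Wallet Import Format: version || key32 || [0x01 if compressed] || 4-byte checksum."""
    payload = bytes([version]) + priv + (b"\x01" if compressed else b"")
    return b58encode(payload + checksum(payload))


def wif_decode(s: str):
    """Return (key32, compressed) for a valid mainnet (0x80) or testnet (0xEF) WIF, else None."""
    try:
        raw = b58decode(s)
    except ValueError:
        return None
    if len(raw) not in (37, 38):  # version + 32 + [0x01] + checksum
        return None
    payload, chk = raw[:-4], raw[-4:]
    if checksum(payload) != chk or payload[0] not in (0x80, 0xEF):
        return None
    if len(payload) == 34 and payload[-1] != 0x01:
        return None
    return payload[1:33], len(payload) == 34


B58 = "1-9A-HJ-NP-Za-km-z"
WIF_RE = re.compile(rf"(?<![{B58}])[{B58}]{{51,52}}(?![{B58}])")
HEX32_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")


def _string_leaves(obj, path=""):
    """Yield (json_path, value) for every string inside a nested dict/list."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _string_leaves(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _string_leaves(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_records(records):
    """Return (path, kind, confidence) findings over a list of exported documents."""
    findings = []
    for i, rec in enumerate(records):
        for path, text in _string_leaves(rec, f"record[{i}]"):
            for m in WIF_RE.finditer(text):
                if wif_decode(m.group()) is not None:
                    findings.append((path, "wif_private_key", "high"))
            for m in HEX32_RE.finditer(text):
                findings.append((path, "hex32_candidate", "review"))
    return findings


# Constructed export resembling a "transition wallet" collection; the key is
# generated here and has never held funds.
SAMPLE_PRIV = bytes(range(1, 33))
SAMPLE_EXPORT = [
    {"_id": "tw-0001", "asset": "BTC", "privkey": wif_encode(SAMPLE_PRIV, True),
     "apiKey": "constructed-example-api-key"},
    {"_id": "tw-0002", "asset": "BTC", "txid": "7f" * 32, "note": "sweep pending"},
    {"_id": "tw-0003", "asset": "ETH", "address": "0x" + "ab" * 20},
]

if __name__ == "__main__":
    for path, kind, confidence in scan_records(SAMPLE_EXPORT):
        print(f"{confidence:6} {kind:18} {path}")
```

API keys carry no checksum, so they cannot be validated the same way; scanning for them needs provider-specific patterns or an entropy heuristic and produces more noise. The scan is a detective control only: the durable fix is to keep signing keys out of the application database altogether (HSM, KMS or an offline signer) so that a database exposed to the internet has nothing worth stealing in it.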
"KYC risk for users"
There are also concerns that strict KYC requirements have an unintended adverse effect: exchanges obliged to collect identity documents end up holding exactly the kind of data exposed in incidents like these.
Max Keidun, CEO of the peer-to-peer exchange Hodl Hodl, pointed out this risk earlier in an episode of Hup Bitcoin.
Following the hack at BlockFi, veteran Erik Voorhees responded as follows:
Forcing companies to KYC their users endangers those users. It is *not okay* to put 10,000 innocent people at risk in order to make surveillance slightly easier. $15 billion per year is lost due to identity theft – one of the largest categories of crimes. https://t.co/VBttltyK9D
— Erik Voorhees (@ErikVoorhees) May 19, 2020
Lykke has since responded to the allegations and states that no funds were lost in this incident. Its statement to users follows in full:
Dear valued Lykke user,
I hope this message finds you well.
I would like to share with you the report we have put together in response to the article published by CyberNews on Monday the 18th May 2020.
Before getting into the details regarding the article content, I would like to start by stating categorically that the information contained in the article is not factually accurate nor complete.
Furthermore, and most critically, no Lykke users have ever lost funds in the circumstances referred to in this article.
In addition to the above, I would like to reassure everyone that the incident from the 11th of May 2020 is not related to what was mentioned in the article.
In the interest of transparency, I will first recap the May 11th incident and then share detailed information on what is described in the CyberNews article.
This email contains:
A summary of circumstances of the 11th of May 2020 and the actions taken.
A detailed review of the circumstances reported by CyberNews article on the 18th May 2020.
Summary of the May 11th 2020 incident
On May 11, 2020, Lykke initiated unscheduled maintenance which started around 11pm CET and lasted nearly 24 hours. The reason for this was the early detection of a list of attempts to get access to accounts. Our Security Team reacted immediately to block these attempts and the corresponding notification was sent to the targeted users. The reason for this targeted breach is that some users had been reusing an old password from another platform outside Lykke that had been compromised. Upon thorough investigation it became clear that the attempt was made via the HFT API.
Shut down the exchange, blocking all actions from all users.
Implemented fixes, removed vulnerabilities and upgraded our APIs to enhance security.
Emailed all our users strongly recommending them to change their passwords and always use unique and strong passwords for account security.
Contacted the affected accounts (weak passwords) with clear instructions on how to change their passwords.
No users were left out of pocket after this incident.
Events prior to the CyberNews article from the 18th of May 2020
After investigation by our team, it quickly became clear that the article refers to an interaction we had with CyberNews on the 13th of January 2020. On the Telegram chat exchange, I mistakenly noted that the article covered an incident from 2018. I offer my apologies for that statement.
On the 13th of January 2020, CyberNews advised Lykke that they had identified a non-specific vulnerability in our operations and offered to send a report on this vulnerability. As always, Lykke took a prudent approach and the Lykke Security Team asked for further information to validate the identity of the sender. Meanwhile, the Lykke Security Team simultaneously began reviewing any potential vulnerabilities in the system.
On the same day, before a response was received from CyberNews, the Lykke Security Team took immediate action, regenerating all API keys and all API users were contacted within 24 hours.
Two days later, on the 15th of January 2020, CyberNews responded with a report on their findings. While the weaknesses were limited, all required actions by Lykke had already been identified and executed at this point. CyberNews asked for financial remuneration for the report provided. Lykke politely declined this offer and, 4 months later, CyberNews published the article related to the above-mentioned January interaction.
Please see below our response to what was covered in the article:
We would like to address each of these issues individually to illustrate the factual inaccuracy of their claims:
Some blockchain-related operational information regarding temporary transition wallets was exposed, but no private keys of our users were affected. Nothing can be done with these keys and no assets are accessible. Users' keys are hosted in a different service and fully encrypted. As such, the information contained in the CyberNews article is factually incorrect in this regard.
There was no access to multisig wallet redeem scripts and user private keys. This was again blockchain-related operational data through which no access to private keys or assets was possible. Again, the information in the CyberNews article is factually incorrect in this regard.
Some HFT keys were exposed, but this did not provide any exposure or access to main wallets. Furthermore, HFT users represent a minority of Lykke's user base. Once again, the CyberNews article is factually incorrect in this regard.
It was not possible to see Lykke customers information and balances through an unsecured database. Public blockchain transactions were visible without personal details and without any access to main accounts. Again the CyberNews article is factually incorrect in this regard.
For the sake of clarity: no funds were lost and absolutely no private keys were exposed or leaked.
As there was no material breach or exposure of any kind, Lykke did not communicate the detailed circumstances to the entire user base at the time of happening. For the HFT user base, these were contacted individually and informed of the security update required.
Lykke communicated the security updates taken in our newsletter of 31 January 2020.
Lykke would like to state that it believes in transparency and in dialogue between all community stakeholders when it comes to identifying weaknesses in systems. The interaction with CyberNews was no different and we appreciate their attentiveness in this regard. However, we feel it is important to clearly state facts in circumstances such as these.
Lykke will always capitalize on opportunities to learn and improve in areas such as security and communication. We are glad that this opportunity has presented itself without any damage or loss to any users, that we can explain transparently to you the circumstances behind it, and we thank you all for your ongoing trust in us.
Marina Miranda de Mattos
Chief Customer Experience
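Lykke's summary of the 11 May incident (attempts against accounts through the HFT API using passwords reused from another breached platform) describes credential stuffing, and the indicator that separates it from a user mistyping a password is one source hitting many accounts in a short window. The following is an added example, not Lykke's code: it parses constructed JSON authentication-log lines, raises an alert for any source IP that fails at least 10 times against at least 5 distinct accounts inside a 5-minute sliding window, and then lists the accounts that logged in successfully from an alerting IP, which are the ones whose reused password worked and should be force-reset. The log format, thresholds and addresses are assumptions.

```python
"""Detect credential stuffing against an API from authentication logs.

Added example; not Lykke's code. The log format (one JSON object per line
with ts, ip, user, result) and the thresholds are assumptions.
"""
import json
from collections import defaultdict

WINDOW_SECONDS = 300      # sliding window length
MIN_FAILURES = 10         # failed logins from one IP inside the window ...
MIN_DISTINCT_USERS = 5    # ... spread over at least this many accounts


def parse_log(lines):
    """Parse JSON lines into (ts, ip, user, result) tuples, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        events.append((int(e["ts"]), e["ip"], e["user"], e["result"]))
    events.sort()
    return events


def detect_stuffing(events, window=WINDOW_SECONDS,
                    min_failures=MIN_FAILURES, min_users=MIN_DISTINCT_USERS):
    """Return {ip: (failures, distinct_users, first_ts, last_ts)} for each IP whose
    first qualifying window holds >= min_failures failures over >= min_users accounts."""
    failures_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "fail":
            failures_by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in failures_by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                alerts[ip] = (len(span), len(users), span[0][0], span[-1][0])
                break
    return alerts


def likely_compromised(events, alerts):
    """Accounts that authenticated successfully from an alerting IP once its window began:
    a success in the middle of a stuffing run means the reused password was valid."""
    hits = set()
    for ts, ip, user, result in events:
        if ip in alerts and result == "success" and ts >= alerts[ip][2]:
            hits.add(user)
    return hits


# Constructed log: one source cycling through eight accounts at five-second
# intervals and landing one success, plus a genuine user mistyping twice.
SAMPLE_LOG = [
    json.dumps({"ts": 1589200000 + 5 * i, "ip": "203.0.113.7",
                "user": f"user{i % 8:02d}", "result": "fail"})
    for i in range(12)
] + [
    json.dumps({"ts": 1589200070, "ip": "203.0.113.7", "user": "user07", "result": "success"}),
    json.dumps({"ts": 1589200010, "ip": "198.51.100.4", "user": "alice", "result": "fail"}),
    json.dumps({"ts": 1589200020, "ip": "198.51.100.4", "user": "alice", "result": "fail"}),
    json.dumps({"ts": 1589200030, "ip": "198.51.100.4", "user": "alice", "result": "success"}),
]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_stuffing(evs)
    for ip, (n, users, first, last) in found.items():
        print(f"ALERT {ip}: {n} failures over {users} accounts in {last - first}s")
    print("accounts to force-reset:", sorted(likely_compromised(evs, found)))
```

Keying on distinct accounts per source rather than on failures per account is what keeps a user who fumbles a password out of the alert while still catching a slow run; distributed attacks that rotate source addresses defeat a per-IP rule, so in practice the same logic is also run per ASN or per device fingerprint, and the check against known-breached password hashes at login time removes the reused passwords the attack depends on.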