The crooks pulled off the heist after obtaining admin passwords for Linode's network gear. Having infiltrated its systems, the thieves proceeded to target several Bitcoin-related servers, stealing $15k (£9.45k) from one merchant and more than 10,000 bitcoins ($56k, £35k) from Bitcoinica, a trading exchange for the digital currency. Bitcoinica has promised to reimburse customers for any losses. It said in a statement:
Many of you have heard that several bitcoin services were victims of a recent Linode security breach today. Unfortunately, Bitcoinica is also among the services affected.
On 2012-03-01 at 6:30 UTC, our "hot wallet" hosted at Linode and containing over 10,000 BTC was emptied. The unauthorized access is consistent with that experienced by other bitcoin services, described by Linode as unauthorized access from Linode's "customer support interface".
Punters should avoid using any bitcoin addresses previously used to fund their Bitcoinica accounts, Bitcoinica advises:
We must assume that the thief has retained private keys associated with old bitcoin deposit addresses. This would allow them to access any new bitcoins sent to old deposit addresses. As of now, our website will only display new deposit addresses which are not affected by this. However any old bitcoin addresses which you may have recorded for convenience should never be used ever again. This is the most important thing.
Linode admitted it had been compromised and issued a statement to say the digital safety deposit boxes of eight customers had been ransacked. It promised to review and improve its security procedures in the wake of the hack:
This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted. All activity via the web portal is logged, and an exhaustive audit has provided the following:
All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin". The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins. Those customers affected have been notified. If you have not received a notification then your account is unaffected. Again, only eight accounts were affected.
The portal does not have access to credit card information or Linode Manager user passwords. Only those eight accounts were viewed or manipulated - no other accounts were viewed or accessed.
Security is our number one priority and has been for over eight years. We depend on and value the trust our customers have placed in us. Now, more than ever, we remain committed to ensuring the safety and security of our customers' accounts, and will be reviewing our policies and procedures to prevent this from ever recurring.
Bitcoins are a form of electronic currency that can be exchanged for real cash. The system relies on public-key cryptography and peer-to-peer networking to transfer the coins between users' wallets. Isolated incidents of cyber-crooks using number-crunching botnets to generate bitcoins were detected last year.
Some miscreants appeared to have moved over to stealing bitcoins directly but it's unclear whether the smash-and-grab raid against Linode is a one-off, or the start of a new tactic in cybercrime. ®
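An added illustration, not code from the article, Bitcoinica or Linode, of the address rotation Bitcoinica describes: any deposit address whose key was already in the hot wallet when it was copied is treated as compromised, customers are only shown addresses generated after the breach, and deposits that still arrive at old addresses are tallied as funds the thief can spend with the retained keys. The address strings, customer name, timestamps and amounts are constructed placeholders, and key generation is stubbed with a serial number.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Breach time quoted in Bitcoinica's statement: 2012-03-01 06:30 UTC.
COMPROMISE_TIME = datetime(2012, 3, 1, 6, 30, tzinfo=timezone.utc)

@dataclass
class DepositAddress:
    address: str       # constructed placeholder, not a real Bitcoin address
    created: datetime  # when the key pair behind it was generated

@dataclass
class DepositService:
    """Per-customer deposit addresses for a hot wallet whose key store was copied."""
    compromise_time: datetime
    current: dict = field(default_factory=dict)  # customer -> DepositAddress
    history: dict = field(default_factory=dict)  # address -> DepositAddress
    _serial: int = 0

    def _generate(self, now):
        # Stand-in for key generation; a real wallet would create a fresh ECDSA key pair.
        self._serial += 1
        addr = DepositAddress(f"1demo{self._serial:06d}", now)
        self.history[addr.address] = addr
        return addr

    def key_compromised(self, address):
        """Any key that existed in the wallet when it was copied must be assumed stolen."""
        addr = self.history.get(address)
        return addr is not None and addr.created <= self.compromise_time

    def display_address(self, customer, now):
        """Only show a customer an address whose key was generated after the breach."""
        addr = self.current.get(customer)
        if addr is None or self.key_compromised(addr.address):
            addr = self._generate(now)
            self.current[customer] = addr
        return addr

    def at_risk_deposits(self, deposits):
        """BTC sent after the breach to addresses whose keys the thief retained."""
        return sum(btc for address, btc, when in deposits
                   if when > self.compromise_time and self.key_compromised(address))
```

Deposits made before the copy are not counted here because the statement says the wallet had already been emptied; the number that matters going forward is what keeps landing on addresses customers recorded "for convenience".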
A few things:
1. Linode is the hosting company that I currently use. Fortunately, I'm still just experimenting and don't have any real websites running on it. Nonetheless, it's a very popular web host because of its reliability and price. So this hits a wee bit close to home for me.
2. While the fundamental encryption scheme of Bitcoins is still secure... this attack demonstrates that bitcoins can indeed be stolen en masse from web servers.
3. Some blogs argue that this is a blow to the "Cloud Computing" model of web hosting, at least from the security point of view. Since this attack came in through the customer service portal (aka, from Linode's infrastructure), they avoided passwords or SSH keys and were able to access the servers directly. This twitter post summarizes the sentiment.
Anyway, this hack attack combines a lot of topics discussed in this forum in a new and interesting way. We've got hackers, cloud infrastructure, and bitcoins all in the same topic...
EDIT: Also, I do think Linode is handling this hack very very well. They're in contact with the 8 customers who got hacked, and they know how and where the attackers came in from and why the security measures failed. It only took them 2 days to figure this out. Compare with lol Sony or Verisign or RSA who still don't know what happened when they were hacked... Linode definitely is doing a good job with the cleanup effort. Sucks that they got hacked, but these things happen... and the best we can really hope for is that the hosts have logging set up so that they can eventually figure out what happened.