from Hacker News

So, my Coinbase account was hacked, bitcoin stolen, now what?

by whileonebegin on 12/21/13, 3:14 PM with 56 comments

• by RyanZAG on 12/21/13, 4:45 PM

  Hilarious. The reason for bitcoin is lack of regulation. You know that right? You're using bitcoins and not dollars because it's not regulated and subject to the same oversights and related fees.

  So basically you want the government to have no ability to lock down funds or regulate transfers, yet you also want the ability for the government to step in and stop people who have stolen your bitcoins.

  Can people really be this oblivious? If you have bitcoins, do not just put them on random websites with zero auditing and expect them to be in any way secure. If you don't know how to secure a computer, you need to stay far away from bitcoins, they are not for you.

• by tzz on 12/21/13, 4:30 PM

  How does this happen with two factor SMS verification? Did you enable your API key?

  What is the whole address and transaction id just to trace and see where it went? There is no way to cancel the transaction.

  [edit]

  Here is the info[1] about the transaction. It seems the transaction way relayed by IP address 71.206.70.250, somewhere in Florida (Comcast customer). It also seems the address[2] only holds your balance for now. You can call Comcast and let them know.

  [1]https://blockchain.info/tx/d3f6547f901b45b3c79315e78a1bbcc98...

  [2]https://blockchain.info/address/12aW8jPeEc9iQa5ocXCDReJ6Nij4...

• by chasing on 12/21/13, 4:13 PM

  > A hacker can simply break into your account, steal your bitcoin by sending it off to his own account, and no one has to hold any type of accountability?

  I thought lack of regulation was one of the features of Bitcoin.

• by ForHackernews on 12/21/13, 3:53 PM

  > and no one has to hold any type of accountability? Is there no way to trace, cancel, or reverse a transaction? Is there anything at all I can do?

  You can file a police report. If somebody stole your physical cash, what would you do?

  Bitcoin advocates claim this is a feature, not a bug. They say bitcoin should be the digital equivalent of cash.

• by gexla on 12/21/13, 4:14 PM

  I don't know much about how Bitcoin works. But isn't one of the features of Bitcoin that you can make transfers super cheap? Wouldn't it be best to keep your Bitcoin "wallet" off any internet connected devices and then just make a transfer to Coinbase only when you need to sell Bitcoin to transfer back to your bank? I would think that it would be a bad idea to keep your Bitcoin stored anywhere except in a space you fully control and could keep safe. Though if you have malware on your computer which targets Bitcoin activity then I'm not sure there is much you could do.

  Personally, I would probably get something like a Raspberry Pi (if it's beefy enough) with a Linux distro which runs straight from RAM just for Bitcoin transactions. So, every time you boot up, it's a totally new installation. You could make sure that your media that you are loading it from is ready only. Then enter your Bitcoin info, do your transaction and shut off the computer. Next time you boot it up, new installation again. With these distro's, you don't actually have to install Linux every time, they just run from a read only image typically. I use Puppy Linux.

  This should do a lot to keep you safe from malware. Just using Linux makes you a little less of a target. Using a fresh install every time you boot up reduces your vulnerability window. I'm sure that if you are connected to the internet, anything could happen. If you use this method, you would probably need to be specifically targeted by someone who really knows what they are doing. There are easier targets out there. ;)

• by danielpal on 12/21/13, 5:19 PM

  Authy founder here (we do Two-Factor Auth for Coinbase).

  Looks like you didn't have Two-Factor enabled https://news.ycombinator.com/item?id=6947037). Enable it now. We've stopped lots of Coinbase account password compromises. Most of the time we see that the e-mail was hacked.

  Do the following:

  1. Enable Two-Factor Authentication on your e-mail.

  2. If you use GMail, go to Settings -> Forwarding POP/Imap. Check that no "weird" addresses are added to your account.

  3. Change your E-mail password.

  4. Change your Coinbase password.

  If you have Two-Factor enabled we can also temporarily block your account if you suspect a hacker is trying to get into it. Contact us at support@authy.com and we'll block it.

• by bdcravens on 12/21/13, 5:16 PM

  A hacker can simply break into your account, steal your bitcoin by sending it off to his own account, and no one has to hold any type of accountability? Is there no way to trace, cancel, or reverse a transaction?

  It would seem that you understand Bitcoin very well.

  A review of all of the hacks/breakins/inside jobs since 2011 would have told you this already. You DID research its history, rather than jumping in blind, right?

• by t0 on 12/21/13, 3:44 PM

  They have two factor SMS verification available for every login attempt. But you may just have malware on your computer if you had a really strong password.

• by v64 on 12/21/13, 4:20 PM

  This is a reason why I never leave my BTC in Coinbase. As soon as my purchase goes through, I transfer the BTC to a paper wallet[1] or digital wallet that I control.

  [1] https://en.bitcoin.it/wiki/Paper_wallet

• by kordless on 12/21/13, 4:35 PM

  If you turned on your API key Coinbase and someone obtains that key, they can transfer coin on your behalf. From a productive paranoia perspective, I think this is a REALLY BAD IDEA for exactly the reasons posted here. People will use that key to 'try out' coinbase, and then end up forgetting to check their code and upload it to Github or Pastebin and then WHAM, you've got two problems: your Bitcoin is gone and Coinbase now has a marketing problem of potentially epic proportions.

  The guys at Coinbase need to turn OFF the API key feature as soon as possible. It has the potential of hurting the entire ecosystem.

  Edit: One suggestion to Coinbase would be to change the API key feature to only allow the API methods which don't result in sending payments. This allows quick use of their APIs in doing architectural design and ensures protection against key leakage. A second suggestion is to queue up outgoing transactions initiated by the API key into batches and use alerts (like through Pagerduty or similar) to notify the account owner transactions are pending and need approval.

• by badman_ting on 12/21/13, 4:49 PM

  I thought the point of Btc is that there is no "now what".

• by bound008 on 12/21/13, 4:41 PM

  I use the Google Authenticator style of 2-factor auth with Coinbase using the Authy app.

• by mschuster91 on 12/21/13, 5:06 PM

  @pg: can you please ban off all those Coinbase support threads? It's getting ridiculous, we're not Coinbase customer support here.

• by josu on 12/21/13, 4:17 PM

  Did you have the two factor verification activated?

• by nkohari on 12/21/13, 4:29 PM

  There is limited ability to trace transfers by examining the blockchain, but there is no way to cancel or reverse a Bitcoin transaction. Most online wallet services, including Coinbase, offer no explicit insurance against unauthorized transfers.

  Welcome to the brave new world!

• by Tehnix on 12/21/13, 4:50 PM

  Same happened to me on MtGox (to make it clear, not their fault, was my own carelessness). Was more than likely related to reuse of password and a hack on another site that used the same acc/pass combination.

  There is nothing one can do. MtGox can't protect users from getting their account hacked when it's nothing they've done. I filed a police report, but there's not much the police can do in the case of btc...

  One learns from ones mistakes, so, now; stopped reusing passwords, and added two-way auth for important/sensitive things, alas, a bit too late (got 9 btc stolen ;_; although at the time, they were only worth ~100$/btc).

• by justincormack on 12/21/13, 4:40 PM

  For less than $100, there is nothing you can do except learn from this. There would probably not be anything you could do if it was a few orders of magnitude larger either, so you are lucky.

  Hacking is pervasive, but anonymous currencies are providing a more interesting target than sending spam or renting botnets. Generally, security is very poor everywhere but most people don't really notice. This is going to have to change at some point as more of our lives go online.

• by wtvanhest on 12/21/13, 4:41 PM

  I've been on the sidelines for BitCoin for the past few years, but it appears to me that it is gaining adoption at least at the early adopter stage and has an insanely long way to go but is becoming increasingly interesting.

  I'm researching BitCoin to try to have a really in depth understanding of it. What is the best, even if complex, paper/blog/website on how to properly secure bitcoins?

• by calciphus on 12/23/13, 6:54 PM

  "I buried my gold in the forest because I didn't want the government to get their grubby mitts on it. I came back later, after only telling a few folks where it was, and I'm upset to see it gone. Can the government help me?"

• by sneak on 12/21/13, 5:08 PM

  There are many ways of tracing transactions. There are no ways of canceling or reversing them.

  You trusted your valuables to a third party and were careless with your own access credentials to communicate with that third party. Your fault, your consequences.

• by collyw on 12/21/13, 5:33 PM

  I see this sort of story being the downfall of bitcoin. Once a few of these things happen, trust will be lost in it and the bubble will deflate.

  (Out of interest, did you "make money" from bitcoin, when it was going up)

• by bhousel on 12/21/13, 4:36 PM

  Call the police.

• by bkmrkr on 12/21/13, 4:42 PM

  Did you have a mac / windows computer?

  Do you have any antivirus software installed?

• by hillybilly on 12/21/13, 4:49 PM

  use 2 factor authentication next time, lesson learned. how about you give us the full bitcoin address where the bitcoin being transfered to.