Some of you may have noticed that bitNZ, the leading NZ bitcoin exchange, was offline for quite a few days last week, stating that the site was under maintenance. Later the site's admin made an announcement on reddit that the site had been compromised and 39 BTC had been stolen.
“On Monday, 11 August 2014 at 3am NZ time, ~39 bitcoins were stolen from bitNZ.
Our email relay service provider was hacked which enabled the attacker to view all outgoing emails. The attacker used this information to reset user passwords and intercept the password reset email. If the user did not have 2FA the attacker was able to log on as the user and initiate a withdrawal.
At the moment I am still analysing the event and making sure the vulnerability is plugged (revoke email relay access, reset passwords/api-keys, purge sessions, check if user emails were modified etc).
I need to take the time to do this thoroughly so please have some patience. You can contact me at firstname.lastname@example.org or ask questions on this thread.
I am going to cover the loss. If you would like to donate to help here is the address 1NAVXrA8NnXURzdFNLf79p8YoLPBBfwnFi”
Scary. I really didn’t think we would see this happen in such a small exchange, especially one that was run in such a competent way. It would seem that the hack was not through the site itself, but through the email provider. The admin of bitNZ has again shown what a stand-up guy he is by covering the losses out of his own pocket.
The site was up again a few days ago, but with limited access only. Details from the admin, again posted on reddit:
“We are online… sorta. I have disabled most trading features, you can check balances and cancel any open orders. You can also enable 2FA.
Any questions welcome. Thanks for everyone’s support.
Donations to help cover the costs go here: 1NAVXrA8NnXURzdFNLf79p8YoLPBBfwnFi
Previous announcement here: http://www.reddit.com/r/NZBitcoin/comments/2dak6a/bitnz_announcement/
EDIT: You will need to reset your password before logging in. Sorry”
If everyone had had 2FA enabled, there probably wouldn’t have been any bitcoin stolen at all. I urge anyone who uses this exchange to enable 2FA. I would be surprised if we see the admin reaching into his own pocket again to bail out those of us who haven’t taken steps to secure our bitcoins.
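To make the chain in the announcement concrete, here is an added Python model (not bitNZ's code) of a reset-by-email flow in which withdrawals require a TOTP code once 2FA is enrolled; the accounts, balances and the "outbox" standing in for the leaked relay are all constructed. It shows the property the post relies on: an attacker who can read every outgoing reset email still cannot withdraw from an account with 2FA.

```python
import hashlib, hmac, secrets, struct, time
users = {}   # name -> {"pw": digest, "totp": shared secret or None, "balance": int}
outbox = []  # outgoing mail as (recipient, body); a leaked relay lets the attacker read this
resets = {}  # sha256(token) -> (name, expiry): only the hash is stored server-side

def digest(s):
    return hashlib.sha256(s.encode()).hexdigest()  # toy; use a password KDF in practice

def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, shared by the user's authenticator app and the server."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def request_reset(name):
    token = secrets.token_urlsafe(32)
    resets[digest(token)] = (name, time.time() + 900)   # single use, 15 minute lifetime
    outbox.append((name, f"reset token: {token}"))       # the part the relay exposes

def reset_password(token, new_pw):
    entry = resets.pop(digest(token), None)
    if entry is None or entry[1] < time.time():
        return False
    users[entry[0]]["pw"] = digest(new_pw)
    return True

def withdraw(name, pw, amount, code=None):
    """A withdrawal needs the password and, when 2FA is enabled, a current TOTP code."""
    u = users[name]
    if not hmac.compare_digest(u["pw"], digest(pw)):
        return False
    if u["totp"] is not None and not (code and hmac.compare_digest(code, totp(u["totp"]))):
        return False
    if amount > u["balance"]: return False
    u["balance"] -= amount
    return True

def simulate_leaked_relay(victim):
    """Replay the announced chain: read the reset mail, reset the password, try to withdraw."""
    request_reset(victim)
    token = next(body for to, body in outbox if to == victim).split(": ", 1)[1]
    reset_password(token, "attacker-pw")
    return withdraw(victim, "attacker-pw", users[victim]["balance"])

def demo():
    """Constructed accounts: alice without 2FA, bob with a TOTP secret enrolled."""
    users.clear(); outbox.clear(); resets.clear()
    users["alice"] = {"pw": digest("alice-pw"), "totp": None, "balance": 20}
    users["bob"] = {"pw": digest("bob-pw"), "totp": secrets.token_bytes(20), "balance": 19}
    return {"alice_drained": simulate_leaked_relay("alice"), "bob_drained": simulate_leaked_relay("bob"),
            "alice_balance": users["alice"]["balance"], "bob_balance": users["bob"]["balance"]}
```

Bob keeps his coins but still loses his password, because the reset itself is gated only by the email; a reset flow that also demands the second factor when one is enrolled closes that gap too.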