SAN FRANCISCO — Hackers targeted SendGrid, a mass email service used by 180,000 companies including Uber, Pinterest, Spotify and Foursquare, to infiltrate Coinbase, one of the most popular Bitcoin exchanges.
✎ Actually it isn't, it's only available in half the country, and nowhere near the volume of other Exchanges such as Bitstamp. They claim to be The Most Popular Wallet and I won't discredit that, but even that's a stretch.
SendGrid confirmed that one of its Bitcoin-related clients was compromised on Wednesday. It would not name the customer, but Coinbase confirmed in an email on Thursday that hackers had compromised its SendGrid account, though it said no Bitcoin were stolen.
In a statement, SendGrid said it believed the attack was an isolated one. However, the attack follows a similar pattern to an attack last year against a former SendGrid customer, and there is evidence that other Bitcoin companies are being targeted via their mass email providers.
✎ What's worse is that, like many services such as SendGrid, you can pretty much obtain it and use it for free for a while with little to no personal information, allowing hackers to poke and prod at it to find vulnerabilities. I'm not saying that is what happened here, just pointing out the obvious.
Mass email services like SendGrid, which sends 14 billion emails a month, are a powerful tool for hackers looking to send spear-phishing emails on a large scale. SendGrid sends transactional emails on behalf of trusted companies like Spotify and Pinterest, alerting customers to updates in the service and new followers. Most customers don’t even realize the emails are coming from SendGrid, making it more likely that they would take the bait and click on malicious code that grants hackers access to their accounts.
✎ Fortunately a lot of people, myself included, don't trust Coinbase in the 1st place. They readily admit monitoring your transactions and there have been multiple accounts of Coinbase poking their nose in on transactions where it doesn't belong. This is because the bigger their britches get, the more regulation gets shoved down their throats (and ours), and when you get 6, and counting, rounds of funding, the latest being 76 million, you have the means to comply, thus down the customers' throats the regulation is fed as well. So, pretending to be a company nobody really trusts in the 1st place, is not a bulletproof plan. This is not to impugn any efforts on Coinbase or SendGrid's part in the prevention of the success of this plan, but just stating that it could be one of the factors.
Last year, ChunkHost, a fast cloud service provider that accepts Bitcoin and is used by many Bitcoin-related clients, said it was targeted by hackers through its SendGrid account.
Nate Daiger, a co-owner of ChunkHost, said that a hacker had managed to persuade a SendGrid employee to change his company’s account information over the phone, took over ChunkHost’s account and reset passwords for two of its Bitcoin-related clients in an apparent attempt to steal Bitcoin wallets.
✎ Most folks with this level of access are not exactly "well-paid", nor the sharpest tools in the drawer, so this feat is not an unreachable accomplishment.
Ultimately, Mr. Daiger said, the attack was unsuccessful because both clients used two-factor authentication, a security mechanism that requires a second password when logging into an account from an unrecognized machine.
✎ For the record, and this should be a given, if you are not using 2 Factor Authentication, then you are going to get hacked. But then again:
DO NOT STORE BITCOINS ONLINE
... like... ever.
Mr. Daiger said this was the second time his company was targeted by hackers through SendGrid. When Mr. Daiger tried to warn other SendGrid customers about the potential security hole in a blog post, he said that he was asked by SendGrid to retract his post. He refused. In an email, SendGrid denied ever asking Mr. Daiger to retract the blog post.
In a statement, SendGrid said that it was not the only email service provider that had been targeted in this week’s attempts to steal Bitcoin, and that the compromise at Coinbase, using its service, was an isolated incident.
“From SendGrid’s perspective, this appears to be an isolated attack on one SendGrid customer, however we are aware that users of other Bitcoin related businesses have been targeted this week with phishing attacks via multiple email service providers,” the company said in a statement.
✎ The naivety here is mind-blowing. Here you have a hacker's best friend!
Online, users of two Bitcoin services, including Localbitcoins and Btcjam, complained they were receiving spear-phishing emails through mass email service providers. They did not name the service providers, although one Localbitcoins spear-phishing email appeared to come from Mailchimp, a SendGrid competitor that sends email newsletters on behalf of seven million customers. Mailchimp did not return repeat requests for comment, nor did Localbitcoins or Btcjam.
✎ We have at least two reports of Localbitcoin users losing bitcoin due to this phishing attack as well as admission of the admins.
But the motivation for attacking these companies was crystal clear. ✎ Ya think?
Mr. Daiger said that although hackers were ultimately unsuccessful in stealing Bitcoin, he did not foresee them surrendering their efforts any time soon. “The fact that you could potentially steal thousands or millions of dollars makes these attacks pretty motivating!” he said.
Ultimately the answer to this is simple: do not store bitcoins online. It is repeated time and time again here at dinbits.com, and elsewhere, but it's not going to do much. People are going to continue to do it, people are going to continue to try and steal them. People are still robbing banks, and they've been around forever, and with armed guards, thick safes, and NSA grade security. Do you think Bitcoin is going to just start up and be impervious to this? It's not going to happen, at least not anytime soon anyway.