A bug introduced by developers at the world’s most popular online bitcoin wallet provider compromised the private keys of addresses generated and used during a period of several hours.
While a developer was making a scheduled update to the code of Blockchain.info’s bitcoin wallet, a bug was unintentionally introduced that left the private keys of addresses created and used between 12:00 am and 2:30 am GMT on December 8th vulnerable to hackers.
The developer mistakenly altered Blockchain.info’s random number generator, the piece of code responsible for generating private keys. As a result, addresses generated during that time were compromised and easily hacked, and private keys were exposed. With the private key in public view, any bitcoins remaining in the wallet were at risk of being stolen.
The problem was solved within a couple of hours, but not before an unsettling amount of bitcoins was stolen. According to Blockchain.info, only 0.0002% of their more than 2,500,000 users were affected by this bug, but according to confirmed reports, hundreds of bitcoins were stolen.
Thieves took advantage of the weak and vulnerable private keys to go on a spree of robberies, but not all of the thieves had malicious intentions. One user on the popular bitcoin forum Bitcointalk.org, going by the account name Johoe, said he was testing for bitcoin wallets with weak transaction signatures at the time of the bug and discovered over 1,000 addresses affected by this bug. Knowing thieves would find out soon and go on a bitcoin-snatching marathon, he swiped the coins himself so he could prevent real thieves from stealing them and keep the coins in the hands of their rightful owners by returning them.
Not all affected users were lucky enough to have their bitcoins taken by “good” thieves. Redditor anatarious_m claimed 99 bitcoins were stolen from his wallet after he made a transaction at 00:50:03 GMT – 50 minutes into the time the bug was active. His bitcoins were transferred to a wallet whose owner’s identity is unknown.
Blockchain.info has already started efforts to undo the financial damage and regain the public’s trust. Speaking with BNC News, Blockchain.info’s CEO Nicolas Cary said an email was sent to users’ verified email addresses right after the bug was found, informing them about the situation. He also mentioned that his support team is working overtime to deal with this issue and that all support tickets will be answered.
The company is also reimbursing users affected by this bug. Cary told BNC News that after cases are researched, users will be reimbursed in full. He added that they have already reimbursed over 30 people and are in the process of reimbursing more.
Not all of the bitcoins they will be reimbursing will come out of their own pocket; some stolen bitcoins have been returned to the company. Johoe has confirmed he transferred the more than 200 bitcoins he swiped from the weak addresses affected by the bug to Blockchain.info. Now in Blockchain.info’s control, they will be used in the company’s reimbursement efforts.
This debacle comes hot on the heels of another security disaster. Last week BNC News reported on a string of thefts affecting Blockchain.info users who were connecting to the online wallet service over the anonymity network Tor. Tor users were having their bitcoins stolen by hackers running malicious exit nodes (the point of the Tor network where the user leaves the network and connects with the regular web). The hackers were able to get the users’ private keys when users connected through the bad nodes to Blockchain.info’s clearnet website. While most of the amounts stolen were relatively small, one user claimed 63 bitcoins were stolen, and another claimed 100.
Blockchain.info fixed the problem a few days later by launching a Tor version of their website – allowing users to stay within the network and avoid potentially malicious exit nodes.
If you are one of the affected users who is either trying to get a refund or has got one, please contact the reporter for this story at [email protected].
Sophie is an artist whose secret passion is finance, economics, and technology. She loves keeping up with the ever-expanding and evolving world of crypto-currency. When she isn’t painting, she can be found trying to understand the complex inner workings of markets. She is also fascinated by another kind of complex system, ecosystems, which she often observes on her daily hikes through nature.