A security researcher for MacKeeper, a Mac security firm, found a database of information about Coinroll customers that anyone could have downloaded, according to Softpedia.
Coinroll Runs An Audit
A message on Coinroll’s website said the company is running a full audit in an attempt to determine if users were compromised. The notice said withdrawals and deposits will be disabled until an investigation is complete to make sure all balances are safe. It said only a few users’ funds were compromised. The company said it will add the option of a two-factor authentication feature.
Coinroll advised users who created an account prior to April 7 to contact support and ask for a password change. For those with no balance, Coinroll recommended using a new account.
Chris Vickery, a security researcher for MacKeeper, said on March 30 he found a MongoDB database holding 4,610 Coinroll user accounts connected to 9,668 bitcoin wallets. The database did not have an administrative password, which means anyone could have downloaded the content. The database exposed passwords for all the accounts.
The password strings were hashed with the SHA256 cryptographic algorithm, but they were not salted. Salting is the process of adding random data to each password before it is hashed, so that identical passwords produce different hashes and the hashes become far harder to crack.
Someone could compare the SHA256 hashes of common password strings and discover accounts and wallets with ineffective credentials.
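The following is an added example, not code from the article or from Coinroll. It shows how an administrator could audit a store of unsalted SHA256 hashes for common passwords, and the salted scrypt storage that defeats that single-table comparison. All names and sample records are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed word list and accounts; not data from the incident.
COMMON_PASSWORDS = ["123456", "password", "letmein"]

def unsalted_sha256(password: str) -> str:
    """The weak scheme described above: a bare SHA256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()

def audit_unsalted(records: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Return {user: password} for every stored hash that matches a common password.

    One table, built once, covers every account because equal passwords
    always yield equal unsalted hashes.
    """
    table = {unsalted_sha256(p): p for p in wordlist}
    return {user: table[h] for user, h in records.items() if h in table}

def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Hardened storage: per-user random salt plus a slow, memory-hard KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

if __name__ == "__main__":
    legacy = {
        "alice": unsalted_sha256("password"),
        "bob": unsalted_sha256("password"),
        "carol": unsalted_sha256("x9!Tq2#vLm0z"),
    }
    # alice and bob share one hash, so both are flagged by the same table entry.
    print("accounts needing a forced reset:", sorted(audit_unsalted(legacy, COMMON_PASSWORDS)))

    salt_a, dig_a = hash_password("password")
    salt_b, dig_b = hash_password("password")
    # Same password, different salts: the stored values no longer match each other.
    print("salted digests equal:", dig_a == dig_b)
    print("login still verifies:", verify_password("password", salt_a, dig_a))
```
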
When Vickery reported the database to Coinroll, Juan-Samuel Codina-Fauteux, Coinroll marketing and affiliate manager, said the administrators were working on the problem.
User Balances Stolen
Codina-Fauteux said some users reported having their balances stolen. He said some users received refunds.
The exposed database was caused by a recent Ubuntu update that altered some rules of the firewall. This technical error contributed to the database becoming accessible on the Internet. Ubuntu is an open source, cloud-based operating system.
Coinroll’s IT staff admitted they forgot to set a MongoDB administrative password.
The company said it plans to move from Ubuntu to the Fedora operating system to prevent future update issues.
Vickery said either someone found the exposed database before he did and compared the SHA256 hashes to common passwords, or someone else found the database and manipulated login data via MongoDB injection attacks.