Bitcoin to Amazon P2P service provider Purse.io (PurseIO, Inc.) has denied that a compromise over the weekend resulted in the theft of Bitcoin despite multiple users claiming to have had Bitcoin stolen from their accounts.
Details of the theft first emerged on Reddit where users reported having unauthorized withdrawals from their Purse.io wallets, although fortunately most users only reported having small amounts of Bitcoin stolen with one exception where a user claims to have had 36 BTC ($8,967) stolen.
All affected users reported that the same thing occurred: a password reset request was received followed quickly by the unauthorized withdrawal of funds from their accounts.
Disturbingly at least one user who claims to have had Bitcoin stolen was using two-factor authentication (2FA) which is theory should have prevented the coins being stolen without a second step to verify the withdrawal of the BTC from the Purse.io wallet.
Shortly after reports emerged Purse.io went offline for some 5 hours Sunday with a message saying that the site was undergoing maintenance.
Despite claims of theft by users the company subsequently denied funds had been stolen, while still admitting that there had been a breach of security.
“Current information leads us to believe that one of our third-party email service providers was compromised causing unauthorized password resets for some users,” the company wrote in a blog post. “We discovered this quickly, secured funds, and reset tokens for affected users. All funds are secure, and service has been resumed.”
Despite claims to the contrary, Purse.io went on to claim that users with two-factor authentication (2FA) were not affected, and that they suggested that “all users activate 2FA, and we’re looking into making it mandatory.”
Purse.io’s response has delivered mixed messages at best; the company has admitted that they were compromised but have failed to accept that members have had Bitcoin stolen during the time the compromise occurred.
On a reddit comment I got this address from the withdrawal email: 1GsFvMK9PKNYzHFPzT5D4B3SfZ6HN5uamY. The withdrawal did go through to that address. Purse.io uses P2SH addresses (assuming multisig) that sends the change to a new P2SH address after each withdrawal. If you click through that chain you can track over 30 bitcoins that were withdrawn today. With some deeper digging and more unauthorized withdrawal addresses you could account for more.
If Purse.io is claiming that all funds are safe I call that bluff. I wonder how many bitcoins were stolen and if they will be able to cover the loss.
It’s difficult to say the best way a company should respond to a breach and theft of funds that has clearly occurred here, but fence sitting and not addressing the stolen funds does nothing to help Purse.io and instead creates distrust among its user base and the broader community.
We’ll update the post if we hear more.
Image credit: pirhan/Flickr/CC by 2.0
- Latest Posts
Duncan Riley is a senior writer at SiliconANGLE covering Startups, Bitcoin, and the Internet of Things.
Duncan is a co-founder of VC funded media company B5Media and founder of news site The Inquisitr, and was a senior writer at TechCrunch in its earlier days.
Tips? Press releases? Intersting startup? email: email@example.com or contact Duncan on Twitter @duncanriley
SIGN UP FOR THE SiliconANGLE NEWSLETTER!
Join our mailing list to receive the latest news and updates from our team.