Author

Topic: CryptoThrift escrow service compromised (Read 1419 times)

newbie
Activity: 1
Merit: 0
October 11, 2014, 04:45:49 AM
#4
It has been a week now and my bitcoins that my customer paid are still held in escrow.
I have contacted the support and they claim that they will be released when they are done with the "multisig", its been 1 week now they are holding my 400$ worth bitcoins from me, I hope they plan to give me my money or this will be an issue.
hero member
Activity: 686
Merit: 504
always the student, never the master.
October 06, 2014, 08:20:53 PM
#3
Did you learn your lesson about building commerce related websites on wordpress? We've all been dumb and made mistakes, but the important thing is that you treat this as a learning experience and move away from wordpress immediately, before you get hacked again for the big money.
sr. member
Activity: 420
Merit: 250
October 06, 2014, 08:15:45 PM
#2
Very noble of you to cover the cost
full member
Activity: 208
Merit: 100
October 06, 2014, 08:00:01 PM
#1
In the early ours of Sunday 5th October, CryptoThrift was subject to a well-planned and clinically executed security breach.  Our hot wallet was compromised and our attackers managed to steal a little over 15 BTC of funds that were held in escrow.  The nature of the attack was such that it was not immediately clear that anything had happened, which is why it has taken us until today to take action. 

Fortunately the majority of users funds being held in escrow were safe in offline storage, so the impact of this attack was lessened.  Please be assured that any users that have payments or refunds due will be contacted over the next few days and your money will be paid.  The owners of CryptoThrift are absorbing the cost of this.

Whilst we have not yet completed our investigation, we have identified the attack vector as a vulnerability in a third party plugin.  This was used to inject SQL queries into our database and manipulate the amounts on transactions being released from escrow.  What we have not made public until now is that we have seen sustained and almost-daily attack attempts on the site for many months.  We have been in contact with the Australian Federal Police regarding this, and will be sharing with them all data that we have on this attack as well as all previous attempts.

This attack has prompted us to reflect on our security measures, and we have concluded that we need to make some significant changes to our escrow process, our storage of customers funds, and have a third-party conduct a full security audit.  Until this is complete, we feel we have no choice but temporarily suspend our escrow service for our users, as we simply cannot risk holding users funds.  Effective immediately, buyers will no longer be able to choose to use escrow when purchasing items.  All existing transactions that are in escrow will be honored until they are released or refunded.

CryptoThrift is owned and operated by two guys, both with families and full-time jobs, who run this site in their evenings and weekends to try and create something new for the crypto community.  We have made every effort to provide good customer service and have put 100% of all profits back into development, advertising, and marketing.  A such, the cost of this theft is being covered by us personally.  If our attackers wish to do the right thing and return our funds to us, they can do so by sending it back to 19bBwiFrAaCLxZZoS4grTDoFFVszxzvPMo.  If any of our users wish to help, we would gratefully receive donations of support to the same address. 

We must sincerely apologize to our loyal users for this breach and our decision to temporarily remove our escrow service.  It is heartbreaking for us to see our hard work destroyed by cold-hearted, thoughtless, hackers.

Thanks for all your support, and we hope that you continue to use our site. If you have any comments, please feel free to share them on our blog post

Paul & Ahmad
Team CryptoThrift
Jump to: