According to data breach index service LeakedSource, the two famous crypto-currency sites, the BTC-E Bitcoin exchange, and the BitcoinTalk forum, suffered from severe security breaches in the years 2014 and 2015 respectively.
Unlike yesterday’s data breach, at Last, .fm, the user passwords at the above-stated sites were far better in terms of security.
Generally, the crypto-currency community provides better credibility for user data and password, depending on the sensitive nature of the data it deals with.
Data breach at Bitcoin Exchange BTC-E:
In October 2014 hackers penetrated the BTC-E site and about 568,355 user records were stolen, the analysis made at LeakedSource suggests.
The data at Bitcoin Exchange BTC-E contains usernames, emails, passwords, IP addresses, registration dates, language settings, besides other data associated with user’s Bitcoin wallet balance.
According to LeakedSource, some unknown algorithm was used to hash all passwords strings, which made them “completely uncrackable” for the meantime.
Even, if somehow the hashing algorithm is reverse-engineered and the BTC-E passwords are cracked, an attacker can easily get cash from users’ Bitcoin wallets in a stealthy manner.
Data breach at BitcoinTalk:
The data which LeakedSource received and indexed for the popular BitcoinTalk site dates from May 2015 after an incident that was publicly acknowledged by the company on its Twitter account.
In a case of an employee of BitcoinTalk’s ISP NFOrce, an unknown hacker ill-used social engineering technology. The hacker took hold of various credentials related to many servers including those utilized by the BitcoinTalk site. The hacker stole passwords hashes and email addresses, the company’s forum administrators at twitter suspected.
Moreover, the hacker was able to ditch and steal the complete forum database including usernames, passwords, emails, birthdays, secret questions, hashed secret answers. Besides all these credential the attacker also got hold of some other internal forum-related information.
The details of 499,593 users were held in the SQL dump. LeakedSource reported to Softpedia that the data is valid, and if one tries to register an account with any of the email addresses then an error occurs for an existing active account.
LeakedSource said that about 9% of the passwords were hashed by attackers using “MD5 algorithm”, however, the company was able to reverse these passwords back to clear text form in which they existed originally.
While the “SHA256-Crypt algorithm” was utilized to hash the rest of passwords.
LeakedSource reported, “It would take us about a year to crack an estimated 60-70% of them,” and further it added, “This method of password storage is far superior to nearly every website we’ve seen thus far.”