Bitstamp was hacked 2 weeks ago, and only now users are finding out

Bitstamp, currently the largest Bitcoin exchange by volume, tweeted yesterday warning its customers to be careful with phishing emails impersonating Bitstamp.

This is really concerning. How did these attackers gain access to the email addresses of Bitstamp's customers?

I remembered that I had stumbled upon a /r/bitcoin thread a few days ago from a user who warned others of suspicious emails claiming to be from Bitstamp. He was wondering how the attackers had acquired his email address, since he had given Bitstamp an address unique to them (e.g. bitstamp1823@ttian.com).

In the thread, eleuthria [1] confirmed, from his own dealings with Bitstamp's support, that their support had somehow been compromised:

Bitstamp's email list was confirmed stolen ~2 weeks ago, when a boatload of emails claiming to be from support@btcguild.com (but not sent from any of the BTC Guild mail servers) went out talking about a 3.201 bitcoin transfer. After replying to the people shouting at me for being a scammer, I was eventually able to narrow the source of the leak to Bitstamp at the very least, and likely a few other sources on top of it.

I informed Bitstamp that they had at least a breach of their email list, if not the rest of their system. At first they denied it, but in a follow-up they eventually admitted to it.

They then sent out a little security update email mentioning 2FA/password security.

It has already been 2 weeks, and Bitstamp has given no transparency into this issue. It sure feels like they're pulling a Linode and trying to sweep this under the rug.

Bitstamp, you're now the replacement for MtGox. Don't screw this up.

[1]: If you don't know eleuthria, he operates BTC Guild, one of the first and largest Bitcoin mining pools.
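The per-service address trick from the /r/bitcoin thread above (one unique address handed to each service, so a leak points back at the service that leaked it) can be made systematic. The following is an added example, not code from the original post or from Bitstamp or BTC Guild: it derives each canary alias from an HMAC over the service name, so a leaker cannot forge a valid alias for some other service and shift blame, and it maps the To: header of a suspicious mail back to the service the alias was given to. The secret, the domain ttian.com (taken from the post's example address) and the sample mail headers are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
from collections import Counter
from email import message_from_string

# Assumed values for this example: a secret known only to the mailbox owner,
# and the domain from the post's example address. Neither is from the original page.
SECRET = b"example-secret-change-me"
DOMAIN = "ttian.com"


def alias_for(service: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Canary address unique to one service, e.g. bitstamp-1a2b3c4d@ttian.com.

    The tag is a truncated HMAC over the service name, so whoever leaks one
    alias cannot compute a valid alias for a different service.
    """
    tag = hmac.new(secret, service.lower().encode(), hashlib.sha256).hexdigest()[:8]
    return f"{service.lower()}-{tag}@{domain}"


def attribute_leak(recipient: str, services, secret: bytes = SECRET, domain: str = DOMAIN):
    """Map the To: address of a suspicious mail back to the service it was given to.

    Returns the service name, or None when the address matches no known
    service (unknown alias, wrong tag, or an address that was never tagged).
    """
    recipient = recipient.strip().lower()
    for svc in services:
        if hmac.compare_digest(alias_for(svc, secret, domain), recipient):
            return svc
    return None


def triage(raw_messages, services) -> Counter:
    """Count, per service, how many suspicious mails arrived at that service's canary."""
    hits = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        svc = attribute_leak(msg.get("To", ""), services)
        hits[svc or "unattributed"] += 1
    return hits


# Constructed sample headers for the demonstration (not real mail).
SERVICES = ["bitstamp", "btcguild", "coinbase"]
SAMPLE_MAIL = [
    f"From: support@btcguild.com\nTo: {alias_for('bitstamp')}\nSubject: 3.201 BTC transfer\n\nbody",
    f"From: support@btcguild.com\nTo: {alias_for('bitstamp').upper()}\nSubject: 3.201 BTC transfer\n\nbody",
    # Tag does not verify: an address someone guessed or forged, not a known canary.
    f"From: support@btcguild.com\nTo: bitstamp-deadbeef@{DOMAIN}\nSubject: 3.201 BTC transfer\n\nbody",
    f"From: noreply@coinbase.com\nTo: {alias_for('coinbase')}\nSubject: Newsletter\n\nbody",
]

if __name__ == "__main__":
    for svc, n in triage(SAMPLE_MAIL, SERVICES).items():
        print(f"{svc}: {n}")
```

Two mails to the bitstamp canary and none to the btcguild one is the kind of signal eleuthria describes: the From: line says BTC Guild, but the address the attacker holds was only ever given to Bitstamp. The forged-tag address lands in "unattributed", which is what keeps a leaker from planting addresses that blame a third party.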

3 responses
Wait, what did Linode pull that I missed? I haven't been a customer with them for a while, but I was always very pleased with their service and offerings.
A Linode sysadmin was allegedly an accomplice in allowing an online bitcoin wallet service provider to be completely robbed. I think the service was Bitcoinica. He allegedly abused his power as a sysadmin to steal the private keys (and all the bitcoins) of the web wallet service. Read this: http://blog.zorinaq.com/?e=67 and you can google for more...
Wow, I'd heard about the robbery on a Linode - didn't know those details. Thanks.