After hundreds of bitcoins were stolen directly from the online wallets of Blockchain.info, not to be confused with the actual bitcoin blockchain, the website had some funds returned by a white-hat hacker named Johoe. The white-hat hacker noticed a slew of broken addresses and took some of the funds before malicious hackers could grab them and then returned the fund to Blockchain.info.
Also read: Dan Held Leaves Blockchain.info for ChangeTip to Bring Bitcoin Micropayments Mainstream
Now, to return the funds back to the original holders, George Mandrik sent out an email through the customer support line requesting victims send him their identifier and password.
It should be common knowledge that it is ill-advised to send login information over email due to security risks, especially when finances are involved. A redditor noted their concern, uploading a picture of the email in question that requests the information. Blockchain.info even knows about how dangerous it is to give away sensitive information, like passwords, because they specifically outlined it on their security recommendations page. Under a heading titled “How to protect yourself?” they give a large warning to this kind of behavior, and even promise that the site will never ask for passwords.
“Never give your private information away. BlockChain.info will NEVER ask for your password, mnemonic, backup files, or private key. We NEVER need it and we NEVER want it.”
“NEVER share your account password, mnemonic, backup file or private key with anyone, unless you are willing to share ALL of the funds in your wallet with that person.”
A reasonable skepticism arose after reviewing all of this information that maybe Blockchain.info emails are compromised, or someone with malicious intent was impersonating the company to steal funds in people’s time of need. Mandrik then announced that the message is legitimate, and explained his reasoning.
Mandrik took to reddit to explain himself, saying the following:
“This is legitimate, as I am the handling the refunds for these issues. Because anyone could submit a claim for an address the only way we can be 100% sure the address was in your wallet is if we decrypt the backups we store. This requires the identifier & password.”
“If someone created a wallet today and imported an impacted private key then I would see that. That would be proof that their claim wasn’t legitimate. If they had the impacted address in their wallet since June 2013 then it’s 100% clear to me that the funds are theirs. I wish there was another way to properly do this, but there isn’t. I need to be able to decrypt the backups to investigate each claim.”
He also stressed that the wallet should first be empty and the password should never be used again, something that wasn’t said in the original email. The possibility exists that people are sending Blockchain.info identifiers and passwords to accounts with funds in them, making them vulnerable.
Regardless of reasoning though, it cannot be stressed enough how unsafe this practice can be. The intentions are good and the end goal is to simply return funds to those that lost, but other options should be exhausted before coming to the conclusion that people should send their login information over plain text emails.
Images from Blockchain.info and Shutterstock.