KeepKey, a hardware bitcoin wallet, has advised customers that a hacker on December 25th got into the owner’s email account using the wallet’s account recovery mechanism and tried resetting passwords linked to the compromised email address, according to a KeepKey blog. The company shut down the affected email service and reversed the account resets. The hacker then demanded 30 BTC to stop the attacks, which the company did not oblige and notified the FBI. The company said the attacker may have stolen some customer information.
KeepKey is offering a 30 BTC reward for information leading to the hacker’s capture, according to the blog by company founder Darin Stanchfield.
Customer funds were at no time stored on devices that were at risk, according to the blog. The private keys are kept offline. Customers can only spend funds if they have physical access to the device and know the passphrase and/or the PIN.
Stanchfield’s phone and email were compromised temporarily, the blog noted. At around 9 p.m. PST, the attacker activated a new phone under the owner’s PIN protected Verizon account, and used this access to perform an account recovery on Stanchfield’s email account. The attacker then began resetting accounts linked to the email.
The computers, servers and network were never compromised. The entire domain was shut down by 10:30 p.m. and by 11 p.m. a secured, limited email was established to begin reversing the account resets.
The attacker contacted the company by phone and demanded 30 BTC in return for revealing how he got access to the email and what information he received. The company did not agree to pay the money. KeepKey was able to recover every account except for its ‘@bitcoinkeepkey’ Twitter handle.
Stanchfield posted a notice about the incident on Reddit.
The next day, the company filed reports with the FBI cyber division, including phone numbers, browser information, email headers and IP addresses.
KeepKey’s customer support portal was never compromised, the blog noted. The attacker was able to access a sales distribution channel temporarily, a vendor used for logistics, as well as the company’s email marketing account. This meant the attacker had access for a short time to some customer phone numbers, emails and addresses.
The company has notified the customers that could have been affected.
KeepKey devices do not carry identifiable information. It does not have the means to record balances on KeepKey devices or MultiBit installations.
Also read: KeepKey aims at greater accessibility
KeepKey is offering a 30-day refund policy to all customers, whether or not they were affected by the breach.
The company is taking steps to ensure the event does not repeat itself. The email the company uses for business will no longer link to third party accounts that could contain sensitive data.
“This incident serves as an important reminder that any data that lives on a connected device is at risk of breach,” the blog said.
Images from Shutterstock and KeepKey.
Last modified: July 23, 2020 10:30 AM UTC