At the time of writing, everything is back to normal. Blockchain.info, the largest web-based Bitcoin wallet, suffered a DNS hijacking attack today when users accessing the site were pointed to the wrong servers, exposing visitors to all sorts of attacks.
The incident took place around 11:00 GMT when the site’s DNS information changed from CloudFlare to a cheap hosting provider based in Tulsa, USA.
Paranoid Bitcoin users noticed the DNS hijacking right away and started warning each other on Reddit and Twitter.
Blockchain.info took their website offline as they fought to reclaim their website’s DNS records and point them to the right servers.
Blockchain users should change their passwords
DNS hijacks are extremely dangerous because an attacker can point a site’s visitors to a server he controls, running a clone of the original website.
During the time Blockchain.info DNS information led users to the wrong IPs, an attacker could have collected login credentials for everyone authenticating on the fake portal.
Users that accessed Blockchain.info today should change their wallet passwords right away.
The same goes for users of mobile or desktop apps that use the Blockchain.info API, since those apps resolve the same domain name and would have been sent to the same wrong servers.
Everything is OK in Bitcoinland, once again
Blockchain.info staff regained access to their DNS records around 21:00 GMT, when they issued the following statement:
“Earlier today, we discovered our DNS registrar had been compromised. We took immediate action to resolve the issue. To be abundantly cautious, we’re waiting for the DNS to propagate universally across the web before bringing our services back. Once DNS has propagated, we expect to restore services ASAP. Our sincerest apologies for any inconvenience.”
At the time of writing, the Blockchain.info website is functional once again, and its DNS records point to the correct servers.
Name Server: BETH.NS.CLOUDFLARE.COM
Name Server: JAY.NS.CLOUDFLARE.COM
During the attack, Blockchain.info was served from two IPs, 220.127.116.11 and 18.104.22.168, handed out by the DNS servers below.
Name Server: DED88057-1.HOSTWINDSDNS.COM
Name Server: DED88057-2.HOSTWINDSDNS.COM
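The change described in this article, from the CloudFlare name servers to the HostWinds ones, is exactly what a domain owner can watch for. The following is an added example, not code from Blockchain.info or from the article: it parses "Name Server:" lines from whois-style output, compares them with an expected baseline, and reports whether the delegation is intact, partially changed, or fully replaced. The two whois snapshots are constructed from the name servers quoted above; in practice the text would come from a scheduled whois query.

```python
import re

# Baseline name servers the article reports for Blockchain.info after
# the registrar account was recovered (CloudFlare).
EXPECTED_NS = {"beth.ns.cloudflare.com", "jay.ns.cloudflare.com"}

NS_LINE = re.compile(r"^\s*Name Server:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_name_servers(whois_text):
    """Extract 'Name Server:' entries from whois-style output, normalised to
    lower case with any trailing dot removed so comparisons are stable."""
    return {m.group(1).lower().rstrip(".") for m in NS_LINE.finditer(whois_text)}


def check_delegation(whois_text, expected=EXPECTED_NS):
    """Compare the observed NS set with the baseline.
    Returns (status, unexpected, missing) where status is 'ok', 'empty',
    'partial' (some baseline servers replaced) or 'hijacked' (no baseline
    server remains)."""
    observed = parse_name_servers(whois_text)
    unexpected = observed - expected
    missing = expected - observed
    if not observed:
        status = "empty"
    elif not unexpected and not missing:
        status = "ok"
    elif observed & expected:
        status = "partial"
    else:
        status = "hijacked"
    return status, sorted(unexpected), sorted(missing)


# Constructed whois snapshots using the name servers quoted in the article.
NORMAL_WHOIS = """Domain Name: BLOCKCHAIN.INFO
Name Server: BETH.NS.CLOUDFLARE.COM
Name Server: JAY.NS.CLOUDFLARE.COM
"""

HIJACKED_WHOIS = """Domain Name: BLOCKCHAIN.INFO
Name Server: DED88057-1.HOSTWINDSDNS.COM
Name Server: DED88057-2.HOSTWINDSDNS.COM
"""

if __name__ == "__main__":
    for label, snapshot in (("normal", NORMAL_WHOIS), ("during attack", HIJACKED_WHOIS)):
        status, unexpected, missing = check_delegation(snapshot)
        print(f"{label}: {status}; unexpected={unexpected}; missing={missing}")
```

A single unexpected server alongside the expected ones ("partial") is worth the same alert as a full replacement, since either means someone other than the owner edited the registrar record.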