Administrators of the Ethereum Project have announced today a data breach that affected over 16,500 users of the platform’s community forums.
Ethereum is the name of the platform on which users can trade the Ether cryptocurrency, while the Ethereum Project is the governing body that manages the platform. The Ethereum forum is where most Ether users gather to discuss and share knowledge on Ether mining and trading.
Hacker stole database backup from April 2016
According to the Ethereum Project, an unknown hacker(s) “used social engineering to gain access to a mobile phone number that allowed them to gain access to other accounts, one of which had access to an old database backup from the forum.”
The breach took place last Friday, on December 16. The database backup the attacker managed to get his hands on was taken in April 2016.
The backup contained information about 16,500 users, including usernames, email addresses, profile data, public and private messages, and hashed passwords.
Most passwords used a strong hashing system
The vast majority of stolen passwords were protected by a strong hashing system. Around 13,000 passwords were hashed with the bcrypt algorithm and were also salted.
Another 1,500 passwords were protected with the default WordPress hashing function and also salted.
Of the 16,500 leaked accounts, around 2,000 didn’t store password data because users employed a federated login system.
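As an added illustration of what the breakdown above means for breach triage (example code written for this page, not from the Ethereum Project or the forum software), the following Python classifies stored password fields by scheme and reads out the work factor that makes bcrypt so much costlier to crack than the WordPress portable hash. The sample rows are constructed and are not data from the breach:

```python
import re
from collections import Counter

# Constructed sample rows in the shape of a forum dump: (username, stored password field).
# Made-up values for illustration, not data from the Ethereum forum breach.
SAMPLE_ROWS = [
    ("alice", "$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),  # bcrypt, cost 10
    ("bob",   "$2a$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),  # bcrypt, cost 12
    ("carol", "$P$BxYz12345abcdefghijklmnopqrstuv"),  # WordPress/phpass portable hash, default cost
    ("dave",  ""),                                    # federated login: no password data stored
    ("erin",  "5f4dcc3b5aa765d61d8327deb882cf99"),     # bare unsalted MD5: weakest case
]

# phpass encodes its cost as one character of this alphabet: index = log2(iterations).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")   # 22-char salt + 31-char hash
PHPASS_RE = re.compile(r"^\$[PH]\$([./0-9A-Za-z])[./0-9A-Za-z]{30}$")  # cost + 8-char salt + 22-char hash
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def classify_hash(stored: str):
    """Return (scheme, iterations) for one stored password field.

    'iterations' is the scheme's own work factor (2**cost for bcrypt, 2**n for phpass),
    so it compares guesses-per-hash within a scheme, not across schemes.
    """
    if not stored:
        return ("none", 0)  # nothing to crack, e.g. a federated login
    m = BCRYPT_RE.match(stored)
    if m:
        return ("bcrypt", 2 ** int(m.group(1)))
    m = PHPASS_RE.match(stored)
    if m:
        return ("phpass-md5", 2 ** ITOA64.index(m.group(1)))
    if MD5_RE.match(stored):
        return ("unsalted-md5", 1)
    return ("unknown", 1)


def triage(rows):
    """Count accounts per scheme and list the users whose hashes offer the least protection."""
    counts = Counter(classify_hash(h)[0] for _, h in rows)
    weakest = [u for u, h in rows if classify_hash(h)[0] in ("unsalted-md5", "unknown")]
    return counts, weakest


if __name__ == "__main__":
    counts, weakest = triage(SAMPLE_ROWS)
    print(dict(counts), "notify first:", weakest)
```

Run against a real dump, the scheme counts are the first number an incident responder needs for the notification plan, and the "weakest" list is who to push to reset before anyone else.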
It’s the same hacker that stole over $300,000 from investor Bo Shen
The Ethereum Project said the hacker reached out and revealed he was the same person who stole 110,000 Augur cryptocurrency (around $300,000) and an undisclosed amount of Ether funds from renowned cryptocurrency investor, Bo Shen.
The tactics used for both hacks are similar because the attacker also used social engineering to take control of Shen’s phone number and access his cryptocurrency wallets.
In the aftermath of the hack, the Ethereum Project has now reset all forum passwords and is in the process of sending email notifications to all of the users whose data was exposed.
Furthermore, developers are also removing recovery phone numbers from accounts in order to prevent future similar incidents.
Ethereum Project volunteers stolen data to Have I Been Pwned
The Ethereum Project has also reached out to the Have I Been Pwned? service and supplied a copy of the data they believe was stolen, so users can use the site to find out whether their account details have been exposed.
Bleeping Computer has reached out to Troy Hunt, the man behind the Have I Been Pwned service. At the time of publishing, according to Hunt, the Ethereum forum data had not yet been loaded into the Have I Been Pwned search index.
“I expect I’ll have the Ethreum [sic] data up tomorrow [December 21],” said Hunt, who is also preparing a blog post with more details on the incident.
“This is only the second time a hacked site has self-contributed, they deserve a lot of credit for owning the incident in this fashion,” Hunt also added.
The first company to send its own data to Have I Been Pwned was TruckersMP, a company that makes trucking simulator games.
Password reset is crucial
Breaking bcrypt-hashed passwords is extremely resource-intensive and time-consuming, but not impossible. If Ethereum users have reused their forum password for more sensitive accounts, such as Ether wallets, it is highly recommended they change it immediately.
The attacker may not be able to break the passwords for all stolen accounts in the coming months, but he may be able to cherry-pick the accounts of importance in the Ethereum network, or of users he suspects are in possession of large Ether funds.