Ethereum forum hacked, 16,500 accounts exposed
Tue 20 Dec 2016
Administrators of the blockchain-based Ethereum Project have released a statement announcing a data breach of the platform’s community forum, exposing an estimated 16,500 user accounts.
The Ethereum forum is used as a platform for users to discuss and share knowledge related to mining and trading in Ether cryptocurrency.
According to the Ethereum Project, an unknown attacker used social engineering to take control of a mobile phone number linked to several accounts; one of those accounts had access to an old backup of the forum database.
The hack took place on Friday 16 December. The stolen database was a backup taken in April of this year, so its contents reflect the forum as it was at that date.
The backup data contained information on 16,500 users, including usernames, IP addresses, email addresses, profile data, messages (both public and private), as well as hashed passwords.
Ethereum noted that the large majority of the stolen password hashes were strongly protected. Around 13,000 passwords were hashed with bcrypt, which is salted by design; a further 1,500 were salted and protected with the default WordPress hashing (phpass, an iterated-MD5 construction), which is considerably cheaper for an attacker to crack offline than bcrypt.
The remaining 2,000 accounts held no password hash at all, because those users signed in through federated login providers.
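As an added example (not from the Ethereum statement or the forum's own code), the following Python triages a leaked password-hash column the way the breakdown above does: it recognises bcrypt and phpass (the salted, iterated-MD5 scheme WordPress used by default) strings by their modular-crypt prefixes, reads each one's work factor, and implements phpass hashing and verification from the published algorithm so the cost difference is concrete. The sample rows, the zero-byte salt and the password `hunter2` are constructed; bcrypt verification is left to a library such as `bcrypt`, since it is not in the standard library.

```python
import hashlib
import hmac
import os
from typing import Optional
import re

# Radix-64 alphabet used by phpass (and by bcrypt's salt/hash encoding).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# bcrypt string: $2a|2b|2x|2y$<2-digit cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# phpass "portable" hash (WordPress default): $P$<log2 rounds><8-char salt><22-char hash>
PHPASS_RE = re.compile(r"^\$[PH]\$([./A-Za-z0-9])([./A-Za-z0-9]{8})[./A-Za-z0-9]{22}$")


def classify(stored: Optional[str]) -> dict:
    """Name the scheme and its log2 work factor so a dump can be triaged at a glance.
    Note the units differ: one bcrypt round is a Blowfish key setup, far more
    expensive than one MD5 call, so bcrypt cost 10 >> phpass log2 13."""
    if not stored:
        return {"scheme": "none (federated login)", "work_log2": None}
    m = BCRYPT_RE.match(stored)
    if m:
        return {"scheme": "bcrypt", "work_log2": int(m.group(1))}
    m = PHPASS_RE.match(stored)
    if m:
        return {"scheme": "phpass", "work_log2": ITOA64.index(m.group(1))}
    return {"scheme": "unknown", "work_log2": None}


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant: 3 input bytes -> 4 chars, little-endian bit order."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_gensalt(log2_rounds: int = 13, rand: Optional[bytes] = None) -> str:
    """Build a phpass setting string. WordPress uses log2 13 ('B'), i.e. 8192 MD5 rounds."""
    if not 7 <= log2_rounds <= 30:
        raise ValueError("phpass log2 round count must be in 7..30")
    rand = os.urandom(6) if rand is None else rand
    return "$P$" + ITOA64[log2_rounds] + _encode64(rand, 6)


def phpass_hash(password: bytes, setting: str) -> str:
    """Portable phpass hash: md5(salt||pw), then 2**log2 rounds of md5(prev||pw)."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass setting")
    log2 = ITOA64.index(setting[3])
    if not 7 <= log2 <= 30:
        raise ValueError("bad round count")
    salt = setting[4:12].encode()
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password: bytes, stored: str) -> bool:
    """Recompute with the stored salt/rounds and compare in constant time."""
    try:
        computed = phpass_hash(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(computed.encode(), stored.encode())


def demo_rows():
    """Constructed sample dump rows (username, stored hash); not breach data."""
    bob = phpass_hash(b"hunter2", phpass_gensalt(13, rand=b"\x01\x02\x03\x04\x05\x06"))
    return [
        ("alice", "$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
        ("bob", bob),
        ("carol", None),  # signed in via a federated provider, no hash stored
    ]


def triage(rows) -> dict:
    """Count rows per scheme, mirroring the kind of breakdown in a breach notice."""
    counts: dict = {}
    for _user, stored in rows:
        scheme = classify(stored)["scheme"]
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


if __name__ == "__main__":
    print(triage(demo_rows()))
```

Running `phpass_hash` in a loop gives a feel for the cracking economics: 8192 MD5 calls per candidate is a few hundred microseconds on one CPU core, and GPUs do orders of magnitude better, whereas bcrypt at cost 10 is deliberately slow and poorly suited to GPUs, which is why the 1,500 phpass accounts are the ones most at risk from the leaked backup.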
The forum hacker came forward and claimed responsibility for also stealing 110,000 units of Augur's cryptocurrency and an undisclosed amount of Ether from Bo Shen, an early Ethereum and Augur investor.
Both attacks followed the same pattern: social engineering was used to hijack the victim's mobile phone number, which was then used to pass phone-based verification or account recovery on the targeted platforms.
Following the forum attack, Ethereum has reset all community passwords and is emailing affected users. Developers are also removing recovery phone numbers from user accounts, since a phone number that can be hijacked through social engineering is not a safe recovery factor.
The hack comes six months after the Ethereum Project suffered an attack via the DAO (Decentralized Autonomous Organization), in which attackers made off with about $50 million (approx. £40.5 million) worth of virtual currency and which raised significant philosophical questions about the viability of decentralised projects.