Hackers may have created a fake LocalBitcoins forum page for the popular global peer-to-peer Bitcoin trading service LocalBitcoins, thereby conning “a number” of affected users into disclosing the info needed to steal their digital coins.
According to a report from LocalBitcoins on Reddit, the exploit was detected on January 26th:
“We would like to inform that today 26.01.2019 at approximately 10:00:00 UTC, LocalBitcoins has detected a security vulnerability – an unauthorized source was able to access and send transactions from a number of affected accounts. Outgoing transactions were temporarily disabled while we investigated the case.”
LocalBitcoins explained that the “security vulnerability” was “related to a feature powered by a third party software.”
A Twitter user known as “Bitcoin Babe” said the attack appeared to involve a “phishing page.”
An earlier tweet by “Bitcoin Babe” states that the fake page was somehow kicking forum users out (or giving them that impression) and then forcing them to “log back in” on the insecure page. “Two-factor authentication details” were also reportedly hijacked in the con.
In the January 26th Reddit communique from LocalBitcoins, the company said that “so far six cases (of theft) have been confirmed.”
The company added:
“For security reasons, the forum feature has been disabled until further notice.”
LocalBitcoins also stated in the announcement that:
The company also “encouraged” users to enable two-factor authentication (2FA), a system in which a numeric string is generated by an app and must be used to log into a crypto-related account in addition to standard login details and password.
But one Reddit forum user expressed concern that the exploit had compromised the soundness of 2FA:
“Is it safe for me to enter my 2fa code now to withdraw? I was one of the six affected and I had/have 2fa enabled. It’s a man in middle type of attack. And yes the attacker didn’t show in my IP log. I changed my password for now but I’m afraid to use my 2fa code for the time being until the server is confirmed secure.”