Popular Bitcoin gift card website Gyft.com has recently come under attack from malicious individuals looking to steal customer passwords. As a result of this attempted breach, Gyft has been forced to reset certain customer passwords as a precaution. It was only a matter of time until Gyft had to address this issue, as complaints about stolen usernames and passwords have been around for quite some time.
Gyft.com Popular Among Password Thieves
Any service linked to financial tools in some way will become the target of unwanted attention somewhere down the line. For popular gift card service Gyft.com, that attention came in the form of people attempting to steal passwords and usernames. Thanks to an anonymous underground source, Gyft.com was able to track down a cache of account data put up for sale.
What makes this story particularly interesting is that Gyft staff deny any allegations regarding a breach of their platform. While it is not impossible that third parties were involved in some man-in-the-middle attack, the real perpetrator remains at large for the time being. One thing that cannot be denied is that attackers were somehow able to retrieve Gyft.com usernames and passwords.
Forcing a password reset for certain customers will keep their Gyft.com account safe for the time being, but it remains pertinent to identify the attack vector in the near future. Assuming there is a third party involved somewhere along the line, users will remain vulnerable to passwords being stolen until the matter is resolved.
At the time of publication, no official details had been released as to how many customers have been affected by these attacks. Unofficial sources claim – according to Krebs on Security – that between five and ten percent of the Gyft.com customer base has fallen victim to password theft so far.
Stepping up customer account security would seem the next logical step for Gyft.com, but this may not solve the problem completely. If there is a third party responsible for these password thefts, the culprit could be found in either the desktop or mobile space. Or perhaps the root cause runs even deeper than Gyft.com itself.
Targeting Bitcoin Services and Platforms
Ever since Bitcoin started gaining more popularity, assailants have been on the lookout for potential weaknesses waiting to be exploited. As the Bitcoin network itself cannot be attacked in traditional ways, assailants take the other route by targeting services dealing with digital currency payments.
Introducing two-factor authentication to Gyft.com customers would be a step in the right direction as it will prevent unauthorized parties from logging in to user accounts. In the future, blockchain-based authentication could be introduced as well, which effectively eliminates the need for usernames and passwords.
What are your thoughts on Gyft.com user passwords being stolen? Have you been affected by this type of attack? Let us know in the comments below!
Source: Krebs on Security
Images courtesy of Gyft, Shutterstock