On December 8, a scheduled software update left Blockchain.info vulnerable for 2.5 hours, and hundreds of bitcoins are reported stolen. Blockchain.info published a security disclosure on their blog and committed themselves to rectifying any issues experienced by affected users.
“When making a scheduled software update overnight to our web-wallet, our development team inadvertently affected a part of our software that ensures private keys are generated in a strong and secure manner.
The issue was present for a brief period of time between the hours of 12:00am and 2:30am GMT on December the 8th 2014. The issue was detected quickly and immediately resolved. In total, this issue affected less than 0.0002% of our user base and was limited to a few hundred addresses.
We have sent an alert to all users who have potentially vulnerable addresses in their wallets, for which we have an email on file. We are committed to working with any affected users to assess and rectify any issues.
If you created a wallet, generated a new address via Blockchain.info’s web-wallet, or sent bitcoin from your wallet during this time period and have not provided us with your email address, please contact our support desk at support@blockchain.zendesk.com or simply create a new wallet.
Addresses, wallets and transactions created via the Blockchain.info iOS and Android apps, and the Chrome extension are not affected.
If you have any questions or concerns, please do not hesitate to contact us.”
— Blockchain.info Development Team
Blockchain.info has recently received scrutiny from the development community for its security vulnerabilities and was delisted from the wallet section on bitcoin.org after bitcoin developers discussed the vulnerabilities in an ACK/NACK process on GitHub this past week. The scrutiny comes on the heels of a funding round in early October in which Blockchain raised $30.5 million. The funding round was led by Lightspeed Ventures and Wicklow Capital.
In regards to last night’s security vulnerability, Blockchain.info CEO Nic Cary released the following statement via Pando:
“I felt it might be relevant to point out what security steps we have taken recently. The bitcoin.org issue is in flux and bringing an important dialogue into focus regarding web and security standards. Right now, it’s not clear at all what they ‘endorse’ or don’t. The reality is, we’re one of the few companies that can do the right thing in tough situations.
https://github.com/bitcoin/bitcoin.org/pull/663#issuecomment-65656828
The fact remains, we’re one of the few bitcoin companies with an EV SSL cert, truly open source software, and in the case of our most recent security incident, albeit regrettable, actively involved in security innovation and the discourse of improving user privacy:
We know we have to get better and we will. At the moment, we’re actively reviewing claims and will be reimbursing those users who lost funds.”
Let us know in our comments section below how you feel about Blockchain.info’s response.
Photo Source: Blockchain.info Online, WaybackMachine Online.