[UPDATE: A Bitcointalk user under account johoe, having admitted responsibility for extracting 255 BTC from Blockchain, has announced all will be returned to users once they are able to “convince” him of their rightful ownership.
The user has set up a list of affected addresses for users to consult. Blockchain has separately pledged to reimburse any users who find they have had funds removed from their wallet.
“The money has been returned to blockchain.info. Please write to blockchain support to claim refund,” johoe wrote in the Bitcointalk thread earlier today.
There have so far been no confirmations that the full amount originally lost has been re-credited to Blockchain, and Reddit reports the case of a wallet holder allegedly having lost 100 BTC during the period.]
An estimated 250 bitcoins have been “lost” by Blockchain.info following a security lapse during an update yesterday. While the number of coins has not been officially released, undisclosed sources have provided us with this data point. Blockchain.info is still actively investigating the issue.
A blog post on Blockchain’s website confirmed error messages viewable on several hundred user accounts which read “A security issue affects address X. Please Contact [email protected]”.
According to Blockchain, the issue affected less than 0.0002% of the database and all of the users who are potentially involved have been alerted via email.
Although the post makes no mention of losses having been incurred during the flawed release created by engineers during a software update, Inside Bitcoins has reported, based on speculation on bitcoin boards, that up to US$90,000 worth of Bitcoin could have gone missing. CEO Nicolas Cary told Inside Bitcoins:
“We are currently researching specific incidents, working with affected users, and reimbursing those users which lost funds.”
Blockchain subsequently took responsibility for the error in a Twitter response:
@pete_dushenski We admit we are at fault. We will be working w/affected users to reimburse those whose funds were misplaced.
— Blockchain (@blockchain) 9th December 2014
This type of event is rare for Blockchain, and users within the community are already expressing concern as to the ease with which a seemingly routine operation was targeted and funds potentially stolen.
“I wouldn't be surprised if approximately ∞% more blackhats are reviewing changes to blockchain.info's codebase than bc.i employees,” Bitcoin core developer Peter Todd meanwhile tweeted in light of the news.
The security weakness was seemingly exploited within a two-and-a-half-hour window on the morning of December 8, with Blockchain raising the alarm later that day.
IMPORTANT: security disclosure to our users re: potentially vulnerable addresses: t.co/fBsEV3rdGL
— Blockchain (@blockchain) 8th December 2014
“If you created a wallet, generated a new address via Blockchain.info’s web-wallet, or sent bitcoin from your wallet during this time period and have not provided us with your email address, please contact our support desk at [email protected] or simply create a new wallet,” users are advised.
Blockchain added that “addresses, wallets and transactions created via the Blockchain.info iOS and Android apps, and the Chrome extension are not affected.”
Meanwhile, Reddit users point out that Andreas Antonopoulos, formerly Blockchain’s chief security officer, may have been “lucky” choosing to leave the company in September.
Update from Nic Cary: This issue was not a security breach, but a consequence of a development release. Blockchain.info identified the issue almost immediately and we're working with a limited number of users to reimburse them and do the right thing.