Hardware wallet manufacturer KeepKey is offering 30 Bitcoins ($30,400) as a reward for the capture of a hacker who gained access to emails and customer information on Christmas Day.
CEO: email, phone compromised
CEO Darin Stanchfield reported that his email address and phone account had been “compromised,” and was seeking support from tech experts. In a subsequent blog post on New Year’s Eve, Stanchfield went into detail about the hack, which KeepKey engineers managed to contain.
“Around 9:00 pm PST, an attacker was able to activate a new phone under my PIN-protected Verizon account,” he wrote. “They used this access to conduct an account recovery on my email account. The hacker immediately began resetting accounts linked with that email.”
A hair-raising few hours then ensued, with engineers talking to the aggressor by telephone while working to shut down and reset compromised accounts behind the scenes.
Momentary access to customer information
Through access to Stanchfield’s email, the hacker was also able to take control of KeepKey’s Twitter handle, which at the time of writing remains outside the company’s control.
“The attacker was able to temporarily access one of our sales distribution channels, a vendor we use for shipping and logistics, and our email marketing software account. This means he momentarily had access to a portion of our customer data which included addresses, emails and phone numbers,” Stanchfield’s blog post continues.
With the exception of the Twitter account, all compromised accounts are now back under KeepKey’s control.
Data overhaul
While funds held on devices were never at risk given the nature of the startup’s data handling, Stanchfield nonetheless promised an overhaul of data-sharing practices so that customer information is not easily accessible in the future.
“We have ensured that the manner with which my email was compromised is no longer possible for myself and the entire company,” he continued. “Moreover, the emails we use to conduct business will also no longer be linked with third party accounts that potentially contain sensitive data.”
The updated data retention policy is due to appear online shortly.
Despite refusing to bow to the hacker’s demands of 30 BTC in return for information, KeepKey is now offering the same amount in return for information leading to his or her successful capture. Two reports were also filed with the FBI Cyber Division over the incident.
KeepKey had only recently added Ethereum support to its storage devices, with creator Vitalik Buterin previously praising the company for addressing user account security issues.