This article originally appeared in SiliconANGLE on January 28, 2019.
Popular peer-to-peer bitcoin trading service LocalBitcoins Oy has been hacked, with about 8 bitcoin stolen.
The hack, detailed by the company on Reddit, occurred Saturday and involved an unauthorized source who accessed and sent transactions from a number of affected accounts.
“We were able to identify the problem, which was related to a feature powered by a third-party software, and stop the attack,” LocalBitcoins explained. “At the moment, we are determining the correct number of users affected – so far six cases have been confirmed. For security reasons, the forum feature has been disabled until further notice.”
According to a person on Twitter, the attack may have involved the hackers replacing the LocalBitcoins forum site with a fake phishing site that stole users’ two-factor authentication details to access their cryptocurrency wallets.
Presuming the Twitter user is correct, the attack was carried out by hijacking third-party software.
Lamar Bailey, director of security research and development at Tripwire Inc., told SiliconANGLE that such outside software can be a blessing or a curse.
“Using a third-party application or service can greatly increase your time to market for a product, but you must do your due diligence and validate the security of the code you are integrating,” Bailey explained. “All too often, we see security issues and breaches blamed on a third party where the blame is generally on the company that integrated the third-party code without a detailed security review.”
Mike Bittner, digital security & operations manager at The Media Trust, noted that outside software providers can introduce a host of risks to enterprise information technology environments.
“On average, more than 75 percent of all code executing on websites is provided by third parties,” he said. “These vendors are difficult to monitor, because they operate outside an enterprise’s IT infrastructure, continuously change according to user geography, browser and device, and often call fourth and fifth parties to execute.”
Most organizations have little idea even of who the outside providers are, let alone what they do in their digital environment, he said. “Yet what makes third parties particularly risky is that they tend to be less secure and, unknowingly or not, offer hackers a trusted connection to their clients,” he said. “Leaving these risks unaddressed is tantamount to enabling bad actors to commit identity and financial theft.”
Matan Or-El, co-founder and chief executive officer of Panorays Inc., noted that LocalBitcoins was able to mitigate the damage of this breach after reacting in five hours, but it’s not yet clear what the extent of the damage to its reputation is.
“This type of third-party risk underscores the need for continuous monitoring, which not only alerts companies about breaches, but also prevents such incidents by identifying cyber gaps before they are leveraged by cybercriminals,” Or-El said. “Checking third-party cybersecurity posture is a must for companies so that they can preserve their reputation and avoid the potentially costly penalties of data privacy regulations.”