[Update: Changpeng Zhao’s comments on Periscope added to bottom of post]
Cryptocurrency exchange Binance has confirmed a “large scale” data breach, in which hackers stole more than $40 million in cryptocurrency
In a statement, the company said hackers stole API keys, two-factor codes and other information in the attack.
Binance traced the cryptocurrency theft — more than 7,000 bitcoins at the time of writing — to a single wallet after the hackers stole the contents of the company’s bitcoin hot wallet. Binance, the world’s largest cryptocurrency exchange by volume, said the theft impacted about 2% of its total bitcoin holdings.
“All of our other wallets are secure and unharmed,” said the statement.
“The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time,” the statement read. “The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed.”
“Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that,” the statement said.
Binance said its secure asset fund for users (SAFU) will cover user losses.
Until the company’s investigation is complete, deposits and withdrawals will remain suspended but trading will remain open.
Binance chief executive Changpeng Zhao is set to hold a Twitter ask-me-anything session in the coming hours. TechCrunch will bring you more once we have it.
On Periscope, Zhao gave more details about the hack, saying that it was a very advanced effort executed by “very patient” hackers who waited until they had a number of high net worth accounts. He added that Binance will be able to cover the bitcoin lost without help. The company does not know yet exactly how many users were affected.
The company is currently working with other exchanges to block deposits from hacked addresses. It will be about a week before Binance can release withdrawals or accept deposits again because it needs to “make sure we completely eradicate any trace of hackers in all our accounts and data and that is a pretty tedious process,” Zhao said. He encouraged everyone to change their API keys and two-factor authentication.
In response to questions about potentially issuing a rollback, Zhao said “to be honest we can do that probably within the next few days but there are concerns that if we were to do a rollback on the bitcoin network on that scale, it may have some negative consequences in terms of destroying credibility for bitcoin, so our team is still deciding on that and running through the numbers and checking everything. We will try to maintain very high transparency.”
He added that the idea came from the bitcoin community. “I actually did not know we could do that, but there are serious consequences for doing that, so we will take that very cautiously.”
Further update: Binance CEO Zhao said the company will not pursue a rollback of the bitcoin blockchain.
Zhao’s tweet spawned jokes from others in the industry who mocked the idea that Binance could make such a move:
- Security lapse exposed a Chinese smart city surveillance system
- A leaky database of SMS text messages exposed password resets and two-factor codes
- Chipotle customers are saying their accounts have been hacked
- We found a massive spam operation — and sunk its server
- Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked
- Stop saying, ‘We take your privacy and security seriously’
- Robocaller firm Stratics Networks exposed millions of call recordings
- Massive mortgage and loan data leak gets worse as original documents also exposed