Purse.io, Bitcoin to Amazon P2P service provider, denied that a compromise resulted in the theft of Bitcoin despite several customers reporting to have had Bitcoin stolen from their accounts.
Details of the theft first appeared on Reddit where customers spoke about having unauthorized withdrawals from their Purse.io wallets. Just one user claimed to have had 36 BTC ($8,967) stolen, most customers said that they lost small amounts of Bitcoin.
Here’s a comment from a Reddit user who found out that over 30 Bitcoins may have been stolen:
“On a reddit comment I got this address from the withdrawal email: 1GsFvMK9PKNYzHFPzT5D4B3SfZ6HN5uamY. The withdrawal did go through to that address. Purse.io uses P2SH addresses (assuming multisig) that sends the change to a new P2SH address after each withdrawal. If you click through that chain you can track over 30 bitcoins that were withdrawn today. With some deeper digging and more unauthorized withdrawal addresses you could account for more. If Purse.io is claiming that all funds are safe I call that bluff. I wonder how many bitcoins were stolen and if they will be able to cover the loss.”
InsideBitcoins reads that several users on Bitcointalk have reported their funds were sent to an unknown Bitcoin wallet address. An updated post revealed that Purse had moved all user funds to safe wallets to prevent money from being stolen.
Plus, Purse.io suggested the use of Authy and Google Authenticator and advised all customers to activate 2FA. Also, the company was looking into making it mandatory.
It’s important to mention that one of the main worries was whether or not Purse.io clients’ financial details were stolen during this so-called attack. A Purse representative provided an explanation on the Bitcoin.com:
“We have received word today of unauthorized password reset notification emails. We are aware of the issue and have secured all funds. All user balances are accounted for and upon completing our investigation, service will resume shortly.”
However, the company writes in a blog post that 11 users were affected and 10.235 Bitcoin were withdrawn. All affected accounts have been reimbursed. Plus, it’s stated that reports of accounts with 2FA being compromised are not accurate.
Some users enabled 2FA after they received reset password emails. Moreover, Purse.io promises to publish technical details of the attack in the coming days, and that the accounts that were affected will soon regain access.