Wired reports that the owner, apparently a youngster from Australia who goes by the online handle “TradeFortress”, has waited nearly two weeks to notify the affected users and the public about the two breaches (one was executed on October 23 and the other on October 26).
“The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side,” he explained in a post on the service’s main page, adding that Inputs.io is unable to pay all user balances.
“I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement,” he wrote, and urged everyone not to store Bitcoins on a device connected to the Internet - whether it’s theirs or a service’s. This is a change of tune from his initial claims that the Bitcoin wallet service is the most secure there is.
Ultimately, the users who have lost their money are left with no real recourse. Bitcoin wallets are not legally regulated, and financial organisations are still undecided on whether to accept Bitcoin as legal currency. Finally, Bitcoin is anonymous, and once it exchanges hands (wallets), it’s impossible to know whether the transaction is real of fraudulent because it has obviously been authorised.
TradeFortress, who wishes to remain anonymous, says that he’s not the one who organised the heist and stole the money. Of course, this is difficult to prove.
If there’s one thing that this incident does demonstrate, is that anyone can make all sorts of inaccurate or blatantly false claims online, and that it’s not a good idea to keep your money with someone whose identity you don’t even know.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.