The hackers exploited a server-side vulnerability to bypass two-factor authentication

Nov 7, 2013 07:51 GMT

The Inputs.io Bitcoin wallet – a member of the Bitcoin Foundation – is notifying users that a total of 4,100 Bitcoins (around $1.1 million / €800,000) have been stolen as a result of two hacks. Due to the cyberattacks, the service says it’s currently unable to pay all user balances.

The attackers hacked the hosting account by compromising some old email accounts. The cybercriminals could easily reset the passwords of those email accounts because there were no phone numbers attached to them.

Inputs.io has a two-factor authentication mechanism, but the hackers managed to bypass it by exploiting a server-side vulnerability.

The Bitcoin wallet service’s database has also been compromised, but Inputs.io assures users that passwords are hashed and securely stored. No additional details have been provided regarding the type of hashing used.

The attackers have also transferred Bitcoin backend code to what appears to be a compromised server located at “10;[email protected]:[email protected].”

Users who have more than 1 Bitcoin stored at Inputs.io are advised to contact the service by sending an email to support [at] inputs.io, and provide a Bitcoin address for a wallet such as Electrum or Multibit. The emails sent to Inputs.io must come from the same email address that has been used to register an account.

Update. A more detailed guide on how to get a refund if you're a victim of the Inputs.io hack has been published on Bitcoin Reviewer.