Blockchain.info, the largest web-based Bitcoin wallet, suffered a DNS hijacking attack today when users accessing the site were pointed to the wrong servers, exposing visitors to all sorts of attacks.
The incident took place around 11:00 GMT when the site's DNS information changed from CloudFlare to a cheap hosting provider based in Tulsa, USA.
Paranoid Bitcoin users noticed the DNS hijacking right away and started warning each other on Reddit and Twitter.
Blockchain.info took the website offline while staff worked to reclaim its DNS records and point them back to the right servers.
Blockchain users should change their passwords
DNS hijacks are extremely dangerous because an attacker can redirect a site's visitors to a server under their own control that runs a clone of the original website.
While Blockchain.info's DNS records pointed users to the wrong IPs, an attacker could have collected the login credentials of everyone who authenticated on the fake portal.
Users who accessed Blockchain.info today should change their wallet passwords right away.
The same goes for users of mobile or desktop apps that use the Blockchain.info API, since the API is resolved through the same DNS records.
Everything is OK in Bitcoinland, once again
Blockchain.info staff regained access to their DNS records around 21:00 GMT, when they issued the following statement:
“Earlier today, we discovered our DNS registrar had been compromised. We took immediate action to resolve the issue. To be abundantly cautious, we’re waiting for the DNS to propagate universally across the web before bringing our services back. Once DNS has propagated, we expect to restore services ASAP. Our sincerest apologies for any inconvenience.”
At the time of writing, the Blockchain.info website is functional once again, and its DNS records point to the correct servers:
Name Server: BETH.NS.CLOUDFLARE.COM
Name Server: JAY.NS.CLOUDFLARE.COM
During the attack, Blockchain.info was served from two IPs, 198.44.48.226 and 192.236.200.26, handed out by the name servers below:
Name Server: DED88057-1.HOSTWINDSDNS.COM
Name Server: DED88057-2.HOSTWINDSDNS.COM
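The delegation change described above (the NS records moving from Cloudflare to a different provider) is exactly the kind of event a site operator can catch within minutes by comparing fresh lookups against a recorded baseline. The following monitor is an added example written for this page, not code from Blockchain.info or from the article; it parses registrar output in the "Name Server:" layout quoted above, normalizes the names, and flags any name server or apex IP that is not on the baseline. The expected Cloudflare name servers and the hijack-time IPs are taken from the article; the expected address range (RFC 5737 TEST-NET-3), the domain name in the snapshots, and the snapshots themselves are constructed placeholders standing in for live WHOIS and DNS answers.

```python
"""Baseline check for a domain's NS delegation and apex A records.

Added example for this article, not Blockchain.info's own tooling. A real
monitor would feed in live WHOIS / dig results from several resolvers; here
the inputs are constructed snapshots so the check runs offline.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed baseline: the Cloudflare name servers the article lists as correct,
# plus a placeholder network (TEST-NET-3) for where the apex normally resolves.
EXPECTED_NS = frozenset({"beth.ns.cloudflare.com", "jay.ns.cloudflare.com"})
EXPECTED_NETS = ("203.0.113.0/24",)

# Constructed registrar snapshots in the "Name Server:" layout the article
# quotes. Case and trailing dots vary on purpose to exercise normalization.
NORMAL_WHOIS = """Domain Name: example-wallet.test
Name Server: BETH.NS.CLOUDFLARE.COM.
Name Server: jay.ns.cloudflare.com
"""
HIJACKED_WHOIS = """Domain Name: example-wallet.test
Name Server: DED88057-1.HOSTWINDSDNS.COM
Name Server: DED88057-2.HOSTWINDSDNS.COM
"""
NORMAL_A = ["203.0.113.10", "203.0.113.11"]       # constructed placeholders
HIJACKED_A = ["198.44.48.226", "192.236.200.26"]  # IPs named in the article

NS_LINE = re.compile(r"^\s*Name Server:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_whois_ns(text):
    """Return the name servers listed in a WHOIS-style text dump, in order."""
    return NS_LINE.findall(text)


def normalize_name(name):
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str


def check_delegation(observed_ns, observed_a,
                     expected_ns=EXPECTED_NS, expected_nets=EXPECTED_NETS):
    """Compare observed NS names and apex IPs against the baseline.

    Any name server outside the baseline, or any apex address outside the
    expected networks, is reported as critical; baseline servers that have
    vanished are reported as high (they may simply be lagging propagation).
    """
    findings = []
    seen = {normalize_name(n) for n in observed_ns}
    unexpected = seen - expected_ns
    missing = expected_ns - seen
    if unexpected:
        findings.append(Finding(
            "critical",
            "delegation moved to unknown name servers: " + ", ".join(sorted(unexpected))))
    if missing:
        findings.append(Finding(
            "high",
            "expected name servers no longer delegated: " + ", ".join(sorted(missing))))
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    for addr in observed_a:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            findings.append(Finding(
                "critical", f"apex resolves to {addr}, outside expected networks"))
    return findings


def is_hijacked(findings):
    """True when at least one critical finding is present."""
    return any(f.severity == "critical" for f in findings)


if __name__ == "__main__":
    for label, whois, addrs in (("normal", NORMAL_WHOIS, NORMAL_A),
                                ("hijacked", HIJACKED_WHOIS, HIJACKED_A)):
        findings = check_delegation(parse_whois_ns(whois), addrs)
        print(f"{label}: {'ALERT' if is_hijacked(findings) else 'ok'}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

Run on the hijacked snapshot, the check raises four findings (two unknown name servers, two missing baseline servers, and two out-of-range apex addresses, with the NS results grouped into one finding each); on the normal snapshot it returns nothing. Querying from more than one resolver matters here, because a registrar-level change propagates unevenly and a single resolver's cache can hide it for the life of the old record's TTL.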
UPDATE: The DNS hijacking attack was also detected by OpenDNS and DNSStream (1, 2). Blockchain.info's CEO has also published a blog post about the incident.
We're researching a DNS issue and looking into it. We apologize for the inconvenience. Stay tuned. — Blockchain (@blockchain) October 12, 2016
We're making progress resolving the issue but it may take upwards of several hours until services are fully restored. — Blockchain (@blockchain) October 12, 2016
Earlier today, we discovered our DNS registrar had been compromised. We took immediate action to resolve the issue. (1/3) — Blockchain (@blockchain) October 12, 2016
To be abundantly cautious, we’re waiting for the DNS to propagate universally across the web before bringing our services back. (2/3) — Blockchain (@blockchain) October 12, 2016
Once DNS has propagated, we expect to restore services ASAP. Our sincerest apologies for any inconvenience. (3/3) — Blockchain (@blockchain) October 12, 2016
All services have been restored & are running normally. We apologize for the long wait, and we’ll continue to monitor things closely. (1/2) — Blockchain (@blockchain) October 12, 2016
For any persisting issues or questions, please connect with our support team: https://t.co/aVTaYqufM4 (2/2) — Blockchain (@blockchain) October 12, 2016