Loanbase hacked via WordPress hole, funds stolen

Popular international Bitcoin crowd-lending platform Loanbase has suffered a security breach, and is currently offline.

The breach was discovered on Saturday and made public on Sunday. So far four user accounts have been confirmed to have been compromised, and none of them had two-factor authentication enabled.

The attackers made off with around 8 BTC, but Loanbase will reimburse users who had their funds stolen.

The attackers did not gain access to the Bitcoin wallets, but did access the company’s SQL database, which contains user information such as e-mail addresses, phone numbers, names, etc.

“We’ve identified several more unauthorized withdrawals from several other accounts, but we had terminated the withdrawal process as soon as we found out about the first 4 transactions. Given that the withdrawal process was stopped, we estimate that the maximum loss is about 20 BTC,” the company explained.

“However, since the hackers were able to access the database, we assume that everybody was exposed. We’ve taken steps to block any intrusions and not allow anymore funds to be lost, but that doesn’t make this intrusion any less damaging.”

According to the notification posted on the organization’s Facebook account, the breach occurred via a security hole in the WordPress blog, but more details about it will be provided at a later date.

The company’s site is still down and is expected to be online again today, after security updates are implemented. All users’ passwords have already been reset, so once the site comes back online users will have to change their password and update their 2FA setup.

“We’re going to implement additional security procedures, which will help with an earlier detection of such breaches,” the company added.

Withdrawals that were approved in the meantime but not processed will be rejected and users will have to initiate them again once the site is back online.

This breach comes less that a month after the Cryptsy Bitcoin exchange announced they have been hacked by attackers who exploited an IRC backdoor inserted into the code of a wallet, and made off with some 13,000 Bitcoin and 300,000 Litecoin.