Localbitcoins is currently investigating claims of account vulnerability in response to a user who went to Reddit and the Localbitcoin forums to report the theft of bitcoins from their Localbitcoins account.
The Reddit post was made by user don4of4, who said:
“Be advised that sellers and buyers have been reporting stolen funds from their Localbitcoins wallet all day today. I didn’t believe it, but 5 BTC where just debited from my account, despite having a 30 char random password and GAuth enabled. (Yes, my password was changed after heartbleed.)”
In response, Localbitcoins posted to its blog that it was investigating the claims and that it had seen evidence of one “systematic attack” which had targeted 30 users, and that the total amount of stolen bitcoin is less than 30. It is not yet known what has made these 30 users the target. Another Reddit user suggested in a reply that some of don4of4’s usernames and passwords were listed on a leaked database at hackforums.net. However, it has not been confirmed or denied by don4of4 whether they related to the same person.
The only common pattern between the 30 affected users reported by Localbitcoins is that “prior [to] the transaction there have been login to the account, and the fact that none of the users affected had 2-factor authentication enabled.” However, Localbitcoins admitted that it had received three reports in the last month of users having lost bitcoins who were using 2-factor authentication too, but that it needed “more research before anything can be said from them”.
Localbitcoins stated that it will continue to investigate the issue during the Easter weekend, which may cause delays to outgoing transactions. This is because it needs to limit the movement of “cold storage” funds until more is known.
Further to this, Localbitcoins posted to its own forums:
“Currently the hot wallet is not being topped up, so withdrawals are being delayed until the issue is sorted out. We apologize this issue. We will post more information after the investigation reveals more information.”
Other users who commented on the Reddit post, recommended that Localbitcoin users should disable Javascript on their browsers in case the alleged theft was being achieved via cross-site scripting (“XSS”), and withdraw their bitcoin. Again though, it has not been confirmed that XSS is the root of the problem. Moreover, Localbitcoins stated on its blog: “Most likely explanation to these attacks have been stolen user credentials through phishing or malware”.
The best course of action that Localbitcoin users can take, until more is known, is to login to their accounts and enabled 2-factor authentication. This then requires users to supply a password (something they know), and a code that is sent to their phone (proof of something they have).
Clearly, this is still a developing situation, and we will let you know when we know more.