“Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances,” the owner wrote in a message headlined “:(“.
“The attacker compromised the hosting account through compromising email accounts (some very old and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.”
TradeFortress ends his message with some advice: “Please don’t store Bitcoins on an internet connected device, regardless of [if] it is your own or a service’s.”
The attacks came in late October, in two separate bursts on 23 and 26 October, but the company waited until this week to notify customers of the incident.
He is attempting to pay back customers who had stored more than 1 BTC (currently worth around $330) from his own personal account, as well as from the coins Inputs.io had in “cold storage” – a wallet not connected to the internet. But that totals slightly more than 1500 BTC, well less than the amount lost.
“I know this doesn’t mean much, but I’m sorry, and saying that I’m very sad that this happened is an understatement.”
nputs.io, known as TradeFortress, waits two weeks to report loss of 4,100 Bitcoins in two separate hacks to its customers