Bittrex Account Hacked Even with 2FA
It is shocking to know that a trader's Bittrex account was hacked and he reportedly lost $40k worth of crypto. The most shocking part is that his account had 2FA enabled, but the hacker was able to disable it and steal the funds. This is very tragic and depressing that big exchanges like Bittrex seem not to be acting responsibly, and have failed to effectively implement even the most basic of security measures.
Bittrex Account Hack Story
The below are the events that happened that led to the loss of funds from the Bittrex user.
On July 19th, the hacker was able to get into the user's Google account.
The user had previously enabled "Google Sign-in," a tool to store the password and allow auto sign in.
The hacker easily stole the password from that tool and was able to login to the email account.
The hacker used a photo editing tool to Morph the user's picture and made it look like him holding the passport.
With the hacker having the photo of the user holding the passport, he convinced the Bittrex support team for disabling the 2FA.
The hacker was very smart and immediately put a rule in the mail setting to move the Bittrex mails to trash so that user cannot view the conversations between the hacker and the support team.
The Bittrex support team requested for identity verification for disabling 2FA; the hacker sent an edited photo of the user holding passport and another edited photo showing "bittrex 19.06.2018, Please disable 2FA".
The Bittrex Support team immediately disabled the 2FA, and the hacker was able to then log into the Bittrex account and send all the 40k that user held to his account.
The user later logged in and found out that his account was hacked and shocked to find all his 40k crypto funds stolen.
It took only 25 hours for the Bittrex support agent to disable 2FA with a badly photoshopped identity verification picture.
The Bittrex support team didn't alert the user when they saw the login IP address coming from a different part of the world.
Also, the support agents didn't question for disabling the 2FA and blindly disabled it on user request.
Lessons to be Learnt for the User
Below points are applicable for anyone dealing with their valuable crypto funds.
Please don't store your coins on an exchange, move them to a hardware wallet for medium security or follow Glacier Protocol for utmost security.
Hold only the amount that you want to trade and remaining funds should be moved to hardware wallets or any other cold storage.
Please don't be lazy to enable autologin to your mail accounts that are used to communicate or log in to an exchange where you have stored your coins.
Never reveal your holdings to anyone other than your family. Because it will attract thieves and hackers.
Exchanges also to be Vigilant
Exchanges should be extra vigilant and should focus on securing users' funds, rather than showing interest in adding new coins/token on a regular basis. User account's security should be given the utmost importance, and a great security virtual wall should be constructed for stopping hackers from stealing funds from the users.
Below are some of the points exchanges should adopt to avoid such incidents
Exchanges should be vigilant and should ask as many questions as possible when a user requests for disabling 2FA and only if there is solid reason with proof they should go ahead and disable it.
The exchanges should contact the user directly when there is a login IP coming from a different part of the world than the usual location. They should contact and confirm the location of the user and should temporarily disable the account if the user confirms that it is someone else logging into his account.
The exchange should have several checks in place before withdrawing huge amount of coins from the exchange. At least three checks should be there for big amount withdrawal.
Security questions can be asked during withdrawal, and it would avoid such hacks in future.
It is a collective responsibility for the user and the exchanges to secure their funds and make exchanges a safe and secure place to trade. Crypto cannot go mainstream if hacks are happening on a daily basis. This would scare away the new users who would be bringing in the fiat liquidity into the crypto space.
@kadhir It's shocking to read this. Bittrex support team should work on this. The incident took place 2 years ago when 2FA functionality was there. Bittrex has not added any other security measure apart from 2FA. Funds are not safe there.
True