LocalBitcoins, a peer-to-peer cryptocurrency exchange portal, announced a security breach yesterday, Saturday, January 26.
The breach occurred at around 10:00 UTC (05:00 ET) and lasted for almost five hours before the company intervened to stop the ongoing attack.
During that time, users reported that when accessing the LocalBitcoins forum, they would be redirected to a page mimicking the LocalBitcoins login page.
In the background, the hacker(s) would collect the login credentials from users, attempt to log into a user’s account, and then ask for a two-factor authentication (2FA) one-time code, if accounts were protected by a 2FA mechanism.
LocalBitcoins stopped the attack by taking down its forum and temporarily disabling transactions on its platform to prevent hackers from stealing money from any other accounts they had managed to compromise.
The exchange resumed trading activity today, when it also published a post-mortem report of its investigation into the hack.
“We were able to identify the problem, which was related to a feature powered by a third party software,” the company said today on Reddit. “For security reasons, the forum feature has been disabled until further notice.”
At the time of writing, it is unclear what forum widget had been compromised to deliver the malicious code that redirected users from the real forum to the phishing site.
LocalBitcoins confirmed that user funds had been stolen in the incident. The exchange said it had identified six impacted accounts at the time of its post-mortem.
The hacker appears to have stolen 7.95205862 bitcoins ($28,200) from five of the victims, according to a Bitcoin address that victims shared online and claimed belonged to the hacker.
Despite the hacker being able to intercept 2FA one-time codes, the exchange recommended that users enable the feature anyway, as it could still provide better protection against hacks than not using it at all.
“Your LocalBitcoins accounts are currently safe to log in and use – we encourage you to enable Two-factor authentication, if you have not yet,” the exchange said.