Thursday, April 17, 2014

Initial Response regarding Localbitcoins account vulnerability claims

Couple of hours Reddit user don4of4 posted warning to reddit, claiming that localbitcoins user accounts are vulnerable to some kind of exploit.

Similar post has been made on Localbitcoins forums.

So far we have found one systematic and recent attack against LocalBitcoins users, and right now it seems that the amount of users attacked have been under 30, and amount of bitcoins reported has been less than that. The common pattern between these cases has been that prior the transaction there have been login to the account, and the fact that none of the users affected had 2-factor authentication enabled. Most likely explanation to these attacks have been stolen user credentials through phishing or malware. So far nothing indicates that this have been a security flaw on the website itself, but we are going to continue investigating the case.

There have been also two or three isolated cases which does not necessarily fall directly to this pattern*, and those case still need more research before anything can be said from them.

We will continue investigating these cases during the weekend, and meanwhile outgoing transactions might be delayed, since we try to minimize cold storage movements until everything is sorted out. We apologize all inconvenience affected.

*) edit: There have been claims that users with 2FA have been affected. So far we have received three this kind of reports in total during last month, and some further investigation is required before we can draw too many conclusions about these cases.


  1. I would like to state that I HAD TWO FACTOR AUTHENTICATION ENABLED.

    1. Did you set up your Authy app to use your Google Voice number? It's not hard to choose to authenticate with a txt message and if it was going to Google Voice, someone with access to your email would have access to that too.

  2. what is the 2nd step verification? is it a random number from the Authy app?

  3. in my case late 2 hours in send what happend?


Note: Only a member of this blog may post a comment.