Cyber Incident Victim: Loanbase
Date:
Feb 2016
Location:
United States of America
Summary
A Bitcoin crowd-lending platform suffered a security breach when attackers exploited a vulnerability in its WordPress blog and from there reached the SQL database holding user records (names, email addresses, and phone numbers). Four user accounts, none of which had two-factor authentication enabled, were confirmed compromised, and approximately 8 BTC was withdrawn from them; further withdrawal attempts that would have raised the loss to roughly 20 BTC were blocked when the platform halted withdrawals. The platform took its services offline, reset all user passwords, and pledged to reimburse the stolen funds while adding monitoring intended to detect future breaches earlier. Unprocessed withdrawals were canceled, and users were asked to resubmit them once the site returned.
Description
On or around February 6, 2016, Loanbase, a Bitcoin crowd-lending platform, suffered a security breach that led to unauthorized account access and theft of user funds. The compromise was discovered on Saturday, February 6, and publicly disclosed the following day. Attackers exploited a security vulnerability in the company's WordPress blog to gain initial access to its systems. From that foothold they compromised at least four user accounts, all of which lacked two-factor authentication; no account protected by two-factor authentication was reported compromised, so 2FA was the control that bounded the loss. The attackers withdrew approximately 8 Bitcoin (BTC) from these accounts before Loanbase detected the unauthorized transactions. The company immediately halted withdrawal processing to prevent further losses; subsequent investigation found additional withdrawal attempts that, had they been processed, would have brought the total loss to approximately 20 BTC. The attackers also accessed Loanbase's SQL database containing sensitive user information, including names, email addresses, and phone numbers, but did not compromise the platform's Bitcoin wallets themselves: the funds were lost through withdrawals issued from hijacked user accounts rather than through a wallet compromise.

Loanbase responded by taking its entire platform offline once the breach was discovered. The company reset all user passwords as a precautionary measure and announced that security updates would be applied before the site was brought back online. It committed to reimbursing all users whose funds were stolen in the incident. All withdrawals that had not been processed before the shutdown were canceled, and users were required to reinitiate them once service resumed. The company acknowledged that the database breach potentially exposed every user record, which extends the incident's impact well beyond the direct financial loss: the exposed names, email addresses, and phone numbers could be used for targeted phishing or social engineering against users. Loanbase stated that it intended to improve its security monitoring so that future breaches are detected earlier; specific technical details about the WordPress vulnerability that was exploited were not disclosed at the time. The platform remained offline through at least February 8 while security improvements were implemented, with service expected to be restored later that day once the updates were complete.
