Canadian Bitcoin exchange Cavirtex is shutting down, after hackers managed to compromise its systems, stealing hashed passwords and two factor authentication (2FA) secrets.
In a statement posted on its website, Cavirtex announced its closure, and that trading would cease on March 20 2015. Balance withdrawals will proceed until 25th March.
Cavirtex, which has been operating for the last three and a half years, is keen to underline that it remains solvent, and that customers’ funds were unaffected by the security breach.
Nonetheless, the damage to Cavirtex’s reputation is done – and it clearly feels that it can’t recover from the situation.
Clients are advised to wipe their browsers of Cavirtex cookies and change their passwords. It makes sense, as ever, to ensure that you are not using the same passwords anywhere else on the net.
Effective immediately, CAVIRTEX intends to cease carrying on an active Bitcoin business and will be winding down its operations in an orderly manner. As a result, effective immediately, no new deposits will be accepted by CAVIRTEX. Trading on CAVIRTEX will be halted effective March 20, 2015. Effective March 25th, 2015, no withdrawals will be processed. CAVIRTEX will communicate with any account holders that continue to hold balances after March 25, 2015.
We have maintained 100% reserves. CAVIRTEX is solvent and remains in a position to accommodate all customer withdrawal requests received prior to March 25, 2015. However, On February 15, 2015 we found reason to believe that an older version of our database, including 2FA secrets and hashed passwords, may have been compromised. This database did not include identification documents.
Because security and the safety of customer funds are paramount to our mission and the success of Bitcoin in general, CAVIRTEX has determined to cease active operations in the Bitcoin business and to return all customer funds. We believe that the damage to the company’s reputation caused by the potential compromise will significantly harm our ability to continue to operate successfully.
As a result of the potential compromise of our database we cannot be certain of the confidentiality of account credentials. Please log into your account and change your password immediately. Please also clear your CAVIRTEX browser cookies. BTC and LTC withdrawal will remain temporarily disabled.
Coindesk reports Caviretx’s CEO as saying that the company has been targeted by hackers for some time. Some how I doubt that they’re only Bitcoin exchange in the sights of online criminals.
Recent examples of other Bitcoin exchanges having trouble with hackers include MtGox, FlexCoin and Poloniex.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
2 comments on “Bitcoin exchange shuts down after suspected password breach”
Sure fire way to end the exchange hacking… setup a public receive only Bitcoin wallet the purpose being for a bounty. Then simply put the word out for the heads of the hackers, when there is proof of the hack and the head, they private address of the wallet is given to the winner.
Hackers screw everyone, time to put them into general population.
Physical tokens and phones are easily left behind, lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution needed for important accounts requires the use of the most reliable password.
By the way, some people shout that the password is dead or should be killed dead. The password could be killed, however, only when there is an alternative to the password. Something belonging to the password（PIN, passphrase, etc）and something dependent on the password (ID federations, 2/multi-factor, etc) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc).
It is too obvious, anyway, that the conventional alphanumeric password alone can no longer sustain the demand and we urgently need a successor to it, which should be found from among the broader family of the passwords and the likes.