KeepKey, a hardware bitcoin wallet, has disclosed how a brief compromise of the company phone and email enabled the attacker to reset some account passwords. Here’s how KeepKey responded to the attack and the attacker:
A Message from the Founder About Email Breach
Our guiding principle at KeepKey is building open and transparent products for our most valuable asset – our customers. We have an obligation to you and to the community at large to communicate with the same respect towards our ideals. That is the purpose of this message.
Before I describe the breach in detail, please let me reassure you that at no time customer funds stored on KeepKey devices were at risk. KeepKey is an offline device, and the private keys each contain remains offline. This is why we built KeepKey: anything that is accessible online can potentially be breached remotely. Funds on KeepKey can only be spent if you have physical access to the device and know the PIN and/or passphrase that grants usage.
What Happened
On December 25, 2016, my company email and phone were temporarily compromised. Around 9:00pm PST, an attacker was able to activate a new phone under my PIN-protected Verizon account. They used this access to conduct an account recovery on my email account. The hacker immediately began resetting accounts linked with that email. I detected the email issue at 10:00pm. Because our servers, computers, and network were never compromised, we were able to shut down all email for the entire domain by 10:30pm. By 11:00pm, we had set up a secured, limited email server that let us begin reversing the account resets that the attacker had performed. At the same time, the attacker contacted us by phone seeking payment as we were beginning to reverse the damage. The attacker spoke with an engineer who was assisting on our end. The attacker demanded 30 BTC, and in return he promised to: tell us how he got into my email, what information he received, destroy the data, return all accounts, and keep the breach secret. For us, there was no deal to be made. Instead, we used the opportunity to keep the attacker pre-occupied while we recovered accounts.
During that phone call with the attacker we were able to recover every account except our @bitcoinkeepkey Twitter handle. The attacker had switched the email linked to the account, slowing progress on this one issue. When we finished account recoveries, the engineer asked the attacker for more time, and the attacker told him we had 2 hours to comply. At this moment the decision was made to notify the community, even as more accounts were secured. I posted on Reddit and an engineer reached out to highly followed community members.
The following morning, KeepKey filed two separate reports with the FBI Cyber Division, including all the information about the attack that we had learned to that point. This included IP addresses, phone numbers, browser information, and email headers. We assume that the attacker took steps to mask a lot of this information.
Assessment
KeepKey’s computers, servers, and network were never compromised. Our customer support portal was not compromised. The attacker was able to temporarily access one of our sales distribution channels, a vendor we use for shipping and logistics, and our email marketing software account. This means he momentarily had access to a portion of our customer data which included addresses, emails, and phone numbers. We have notified those customers that may have been affected. Because we value the privacy of customer’s financial transactions: KeepKey devices carry no identifiable information, and we never learn anything about the devices that are operating in the field unless that information is shared voluntarily and manually by a customer in support. This is also the case with MultiBit software users. That means that at KeepKey we neither have the ability to know or to record what balances exist on KeepKey devices or MultiBit installations. Therefore, the attacker never had an opportunity to glean this information.
No customer funds stored on KeepKey devices were ever at risk, and they remain safe.
Going Forward
First, for all of our customers affected or not, we would like to extended our normal 30-day refund policy. For the next 30 days, we will honor any refund request as long as the device is returned. I would like to emphasize that funds stored on KeepKey are safe and were never at risk.
At KeepKey, we are taking additional steps to make sure the event that transpired never happens again. This includes changes to our data retention policy. We are firm believers in the idea that data that does not exist cannot be stolen. We will publish this policy on our website once it is complete. We have ensured that the manner with which my email was compromised is no longer possible for myself and the entire company. Moreover, the emails we use to conduct business will also no longer be linked with third party accounts that potentially contain sensitive data. This incident serves as an important reminder that any data that lives on a connected device is at risk of breach. This is the very reason why we built KeepKey, and why cryptocurrency users, as well as the general public, must embrace the idea of offline hardware security.
Reward
Although there was absolutely no way we would ever negotiate with or pay off a criminal to keep this breach secret, we do want to see his capture. We are offering 30 BTC, the amount he requested, as a bounty. Any tips that leads to an arrest qualifies for this reward. Information can be provided anonymously: just include a bitcoin address for payment of the reward.