It looks like another digital currency exchange is biting the dust, as AllCrypt announced on Twitter their site has been breached due to an exploit in WordPress. Assuming this story is true, it may have to do with the SQL injection vulnerability found in Yoast SEO, a very popular WordPress plugin. But then again, why is a digital currency exchange platform using WordPress in the first place?
2015 – Not The Year of Digital Currency Exchanges
If you have not been living under a rock over the past few months, you will have seen many headlines concerning Bitcoin and other digital currency exchanges in 2015. Both January and February have been very sad months, with over half a dozen exchanges being breached or forced to shut down for various reasons.
AllCrypt is the latest addition to that list, as the website now holds a message saying that the platform has been breached and over 40 Bitcoin has been stolen. But there are some very strange “facts” in the message provided by the AllCrypt owner, “facts” which raise even more questions than answers if you ask me.
Running a Digital Currency Exchange on WordPress….
Needless to say, when you run a digital currency exchange, you paint a target on your back for hackers, hoodlums and people who will try to exploit your platform in every way possible. By using WordPress – a popular solution for blogs and news sites – to serve as your digital currency exchange’s platform, you are putting the cat among the pigeons.
While it is no secret that WordPress is a great platform, it is also no secret that some of its features and plugins have more security holes in them compared to any other similar offering in existence. It is a good thing to have so many independent developers working on bringing tools to the masses, but not every developer prides himself/herself on top notch security.
Especially when it comes to widely popular WordPress plugins, such as Yoast SEO – which is used by over 90% of all WordPress site owners – security is not the greatest concern. However, a recent report showed that this popular plugin is vulnerable to SQL injections, which could give an assailant access to everything on your WordPress site.
If you ever owned – or are planning to own – a WordPress website, make sure to update your plugins on a daily basis, either manually or automatically. Granted, these updates can sometimes break things that need to be fixed afterwards through a patch or a rollback. But the amount of times this happens compared to useful [security]updates is neglectable.
What Allegedly Happened
According to the AllCrypt site owner, someone used an exploit in order to access the WordPress admin area, uploaded some files [of unknown original or purpose], finds the Bitcoin wallet on the network and starts flooding it with withdrawal requests. Due to the built-in security, the AllCrypt Bitcoin wallet locks up until a valid withdrawal request is made by any of the platform’s users.
Apparently, the hacker(s) made a legitimate withdrawal request in order to unlock the AllCrypt Bitcoin wallet, and managed to steal 42 Bitcoin in funds. Thirty BTC belonged to customers, whereas the remaining 12 BTC was funds held by AllCrypt. A very sad day for all of those affected, and we hope they will be refunded in some way.
By the looks of things, the AllCrypt owner is in a very emotional state right [and understandably so], but we sincerely hope he/she will do everything humanly possible in order to refund customers. If not, charges may be pressed against them, which would only make matters worse after such a hack took place.
Wez will keep an eye on the situation and report back once we found out more information as to what happened exactly.