Another Web Wallet Bites the Dust: Inputs.io

This time it is Inputs.io.

🙁

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.

Database access was also obtained, however passwords are securely stored and are hashed on the client. Bitcoin backend code were transferred to 10;15Hd@mastersearching.com:mercedes49@69.85.88.31 (most likely another compromised server).

What about my coins there? If you stored more than 1 BTC, send an email to support@inputs.io with a Bitcoin address (preferably, an offline, open source light/SPV wallet like Multibit or Electrum). Use the same email you're using on Inputs. Please don't store Bitcoins on an internet connected device, regardless of it is your own or a service's.

I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJSeuZ9AAoJEB7FawRj3T8Th5QH/iapt2DUuyy1j7t51y1N1LOk
+Gu5fdIAV8molXnv+InMQvxtfxWfc7zKiROSP6Zv1cXdvMrCyzKP+SnTEFshIa+0
j2FYOgLeMNmsPSw8yeR1O8vJieYlK+7imEZL4nRKA+O+mjqCT1nTCtBUAVcYQ8Uu
O6BoNLkgT8z/1ZTfw+OK4t2kw9KcC317JOv3yVugfA3xCn4HbKPRP2yFIKR49C7L
w7C2h3L1jHqLerQNjbowcyKH83BFJ2IB0cFZFFCLBI+8NQcUIcIFymxrxUV73Rqa
xlMPX2rPFcIj6yz0ABl1t2rwY2DGOvc33MYCzX82CumLx/qAXCd2uF/jG6fzQ5M=
=Ip/9
-----END PGP SIGNATURE-----

Access inputs.io if you want to verify your balance, look up your transactions, etc. Don't add coins.

Taken from their homepage. At the moment if you had a balance there it appears you can try to make a claim, partial payments so far seem to be going through. In the past though hoping and waiting hasn't generally made people whole even when personal assets were proposed as a backstop against losses. Time should tell soon how this situation plays out.

If you keep Bitcoin on a web wallet seriously stop that shit. The one redeeming feature of Inputs.io was its off chain transactions. I'm only out a few tens of mBTC in this incident, but this continues to show that the model of security that was fit on the web to secure email and twitter accounts is in all likely hood entirely insufficient to secure Bitcoins.

Adding insult to injury Inputs.io was apparently hosted on Linode long after they were determined to be unfit for continued use, much less for a task as important as storing Bitcoins.1 May this be the last warning, stop keeping coin you can't afford to lost on web services.


  1. Inputs.io as a service didn't come into existence until the summer of 2013.  

One thought on “Another Web Wallet Bites the Dust: Inputs.io

  1. Pingback: The Worst State of the Union | Bingo Blog

Leave a Reply

Your email address will not be published. Required fields are marked *