A recent breach of Microsoft email accounts now has a clear motive behind it. Motherboard, an outlet of Vice, reports that victims of the breach are discovering their cryptocurrency exchange wallets have been emptied.
The original data breach allowed hackers to gain access to Outlook, Hotmail and MSN accounts. One user, John Ritmeester, talked about how the hackers used that opportunity: “The hackers also had access to my inbox allowing them to password reset my Kraken.com account and withdrawal [sic] my Bitcoin.”
The method was simple enough. The hackers used their access to set up a forwarding rule that sent any email mentioning “Kraken” to a Gmail address they controlled. They then used Kraken’s “forgot my password” feature to send themselves a reset link, changed the password, and took over the Kraken account.
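The forwarding rule is the part of this attack a mailbox owner or administrator can actually detect. The following is an added example, not code from the article, Microsoft or Kraken: it scans a list of mailbox rules for the pattern described above (a rule that forwards to an address outside the owner's own domain, filters on account-recovery keywords, and hides the forwarded mail). The `MailRule` structure, the keyword list and the sample rules are all constructed for illustration; real rule exports from Exchange, Outlook.com or Gmail use different field names, so the field mapping is an assumption to adapt.

```python
"""Flag mailbox rules matching the forward-and-hide pattern.

Constructed example. MailRule is a hypothetical simplification of a rule
export; map your provider's fields onto it before use.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Illustrative keywords an attacker filters on to intercept recovery mail.
# Case-insensitive substring match; extend for the services you care about.
HIGH_VALUE_KEYWORDS = ("kraken", "password", "reset", "withdrawal",
                       "verification code")


@dataclass
class MailRule:
    name: str
    contains: Tuple[str, ...] = ()     # substrings matched in subject/body
    forward_to: Tuple[str, ...] = ()   # forward/redirect recipients
    deletes: bool = False              # rule deletes the message
    moves_to: Optional[str] = None     # rule moves it out of the Inbox


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def flag_suspicious_rules(rules: Iterable[MailRule],
                          trusted_domains: Set[str]) -> List[Dict]:
    """Return one finding per rule that forwards mail to an untrusted domain.

    Severity is raised when the rule also keys on recovery keywords or
    hides the message, since that combination matches the Kraken case.
    """
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for rule in rules:
        external = [a for a in rule.forward_to if _domain(a) not in trusted]
        if not external:
            continue  # internal forwarding is the owner's business
        reasons = [f"forwards to external address(es): {', '.join(external)}"]
        hits = [k for k in HIGH_VALUE_KEYWORDS
                if any(k in c.lower() for c in rule.contains)]
        if hits:
            reasons.append(f"filters on account-recovery keywords: {', '.join(hits)}")
        hidden = rule.deletes or (rule.moves_to is not None
                                  and rule.moves_to.lower() != "inbox")
        if hidden:
            reasons.append("hides the forwarded mail (delete/move)")
        findings.append({
            "rule": rule.name,
            "reasons": reasons,
            "severity": "high" if len(reasons) > 1 else "medium",
        })
    return findings


# Constructed sample: two benign rules and one matching the attack pattern.
SAMPLE_RULES = [
    MailRule("Newsletters", contains=("unsubscribe",), moves_to="Promotions"),
    MailRule("Work copy", forward_to=("me@example.com",)),
    MailRule("Untitled", contains=("Kraken",),
             forward_to=("attacker.mailbox@gmail.com",), deletes=True),
]


def scan_sample() -> List[Dict]:
    return flag_suspicious_rules(SAMPLE_RULES, trusted_domains={"example.com"})


if __name__ == "__main__":
    for f in scan_sample():
        print(f["severity"].upper(), f["rule"], "-", "; ".join(f["reasons"]))
```

Any forwarding to an address the owner does not control is worth a look on its own; the keyword filter and the delete action are what turn a medium finding into a high one. Since the victim only noticed by browsing Deleted Items, checking whether a rule also deletes or moves what it forwards is the part most worth automating.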
Ritmeester discovered the whole thing when checking his email account’s deleted items, finding both a password reset email and a withdrawal request. He lost 1 Bitcoin Core (BTC).
Several other users have reported similar stories. Ritmeester noted that in his case, he did not have two-factor authentication turned on in his Kraken settings, which could have prevented the whole thing.
In response to the new revelations, Microsoft wrote:
“Customers who believe they have been impacted beyond what was outlined in the company’s notification should contact the Microsoft support team for assistance.”
Victims of the hack feel that Microsoft is deliberately withholding full details of the hack to protect itself from liability. Ritmeester told the outlet that he plans to file a police report, and is considering holding Microsoft liable for his lost funds.
Questions should also be raised about whether Kraken should have stronger controls around password resets. With money at stake, a reset link sent to an email address that may already be compromised is not enough when some customers have thousands of dollars in their exchange wallet. Requiring at least some additional verification before a reset takes effect would have spared some accounts from losses.
The lack of security on the part of both Microsoft and Kraken is alarming. Both companies need to prove they can do better, and be more professional about their customers’ security.
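What a reset flow that does not trust the mailbox alone looks like, as an added illustration that is not Kraken's implementation (the page does not describe it) and not code from the article. Two controls are shown: completing a reset requires the account's second factor (TOTP per RFC 6238, what authenticator apps implement) in addition to the emailed token, and any password change starts a withdrawal hold, which would have protected even an account like Ritmeester's that had no 2FA enabled. The function names, the 15-minute token lifetime, the 24-hour hold and the in-memory account store are assumptions for the example.

```python
"""Password reset that requires a second factor and locks withdrawals.

Added example; not any exchange's real flow. TOKEN_TTL and
WITHDRAWAL_HOLD are assumed values, and _hash is a placeholder.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_TTL = 15 * 60          # emailed reset token valid for 15 minutes (assumed)
WITHDRAWAL_HOLD = 24 * 3600  # no withdrawals for 24h after a credential change (assumed)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as produced by authenticator apps."""
    counter = struct.pack(">Q", int(now) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    email: str
    password_hash: str
    totp_secret: Optional[bytes] = None          # None: user never enabled 2FA
    withdrawals_locked_until: float = 0.0
    reset_tokens: Dict[str, float] = field(default_factory=dict)  # token -> expiry


def _hash(pw: str) -> str:
    # Placeholder for the example only; production code uses a slow KDF.
    return hashlib.sha256(pw.encode()).hexdigest()


def request_reset(acct: Account, now: float) -> str:
    """Step 1: issue the emailed token. On its own it must not be enough."""
    token = secrets.token_urlsafe(32)
    acct.reset_tokens[token] = now + TOKEN_TTL
    return token  # in a real system this is only ever sent in the e-mail


def complete_reset(acct: Account, token: str, new_password: str,
                   totp_code: Optional[str], now: float) -> bool:
    """Step 2: token AND second factor, then a withdrawal hold."""
    expiry = acct.reset_tokens.get(token)
    if expiry is None or now > expiry:
        return False
    if acct.totp_secret is not None:
        # Accept the current 30s window and one step either side for clock drift.
        valid = {totp(acct.totp_secret, now + d) for d in (-30, 0, 30)}
        if totp_code is None or not any(hmac.compare_digest(totp_code, v)
                                        for v in valid):
            return False
    acct.reset_tokens.pop(token)  # single use
    acct.password_hash = _hash(new_password)
    acct.withdrawals_locked_until = now + WITHDRAWAL_HOLD
    return True


def can_withdraw(acct: Account, now: float) -> bool:
    """Withdrawals stay blocked for WITHDRAWAL_HOLD after any password change."""
    return now >= acct.withdrawals_locked_until
```

An attacker holding only the mailbox gets the token but fails the second-factor check; for an account without 2FA the reset still succeeds, but the hold gives the owner a day to notice the reset e-mail before funds can move, instead of finding both the reset and the withdrawal in Deleted Items after the fact.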