Bitstamp, the current largest Bitcoin exchange in volume, tweeted yesterday that their customers should be careful with phishing emails sent to them impersonating Bitstamp.
ATTENTION all Bitstamp USERS - new phishing attempt. Ignore all email with the subject "Bitstamp trading will be suspended for 24 hours".
— Bitstamp (@Bitstamp) March 5, 2014
This is really concerning. How did these attackers gain access to the email addresses of Bitstamp's customers?
I remembered that I stumbled upon a /r/bitcoin thread a few days ago from a user that warned users of suspicious emails from Bitstamp. He was wondering how the attackers were able to acquire his email, since he had given Bitstamp an address unique to them (e.g. [email protected]).
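The trick the Reddit user relied on, giving every service its own unique address so that a phishing email's recipient address points back at whoever leaked it, is easy to turn into a small tool. The following is an added example, not code from the original post or from Bitstamp; the alias registry, service names and the sample phishing messages are all constructed, and the header-parsing is done with Python's standard library only.

```python
"""Attribute an email-list leak to a service by matching the recipient address
against a registry of per-service aliases.

Added illustration for the per-service-address tip above (not code from the
original post). The registry entries, service names and sample messages below
are constructed; only the subject line is the one quoted in the post.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed registry: each service was handed its own unique alias at signup.
ALIAS_REGISTRY = {
    "me+bitstamp@example.com": "Bitstamp",
    "me+btcguild@example.com": "BTC Guild",
    "me+forum@example.com": "Some forum",
}


def register_alias(address, service, registry=ALIAS_REGISTRY):
    """Record that `address` was given to `service` and nobody else."""
    registry[address.lower()] = service


def recipients(raw_message):
    """Collect every address the message was delivered to, lower-cased.

    Delivered-To is checked as well as To/Cc because phishing runs often hide
    the real recipient behind a generic To header.
    """
    msg = message_from_string(raw_message)
    headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
               + msg.get_all("Delivered-To", []))
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def attribute_leak(raw_message, registry=ALIAS_REGISTRY):
    """Return the set of services whose unique alias received this message.

    An empty set means the message hit an address that was never tied to a
    single service, so it tells you nothing about the source of the leak.
    """
    return {registry[a] for a in recipients(raw_message) if a in registry}


def attribute_campaign(raw_messages, registry=ALIAS_REGISTRY):
    """Count hits per service over several reports of the same campaign.

    eleuthria's note that the leak was 'Bitstamp at the very least, and likely
    a few other sources' is exactly the situation this summary surfaces.
    """
    counts = {}
    for raw in raw_messages:
        for service in attribute_leak(raw, registry):
            counts[service] = counts.get(service, 0) + 1
    return counts


# Constructed samples. The sender domains are reserved .invalid names.
PHISH_BITSTAMP = """From: support@bitstamp-security.invalid
To: me+bitstamp@example.com
Subject: Bitstamp trading will be suspended for 24 hours

Please log in via the link below to keep your account active.
"""

PHISH_BTCGUILD = """From: payouts@btcguild-mail.invalid
To: "Customer" <undisclosed@example.com>
Delivered-To: me+btcguild@example.com
Subject: 3.201 BTC transfer pending

Confirm the transfer at the link below.
"""

PHISH_UNKNOWN = """From: support@bitstamp-security.invalid
To: someone-else@example.com
Subject: Bitstamp trading will be suspended for 24 hours

Please log in via the link below.
"""

if __name__ == "__main__":
    for name, raw in [("bitstamp", PHISH_BITSTAMP),
                      ("btcguild", PHISH_BTCGUILD),
                      ("unknown", PHISH_UNKNOWN)]:
        print(name, "->", sorted(attribute_leak(raw)) or "no attributable alias")
    print("campaign summary:",
          attribute_campaign([PHISH_BITSTAMP, PHISH_BTCGUILD, PHISH_BITSTAMP]))
```

The matching is deliberately exact on the full alias rather than on the `+tag` alone, because a leaker could strip or rewrite plus-tags; if you use subaddressing in practice, also register the un-tagged base address so mail sent to it is at least flagged as unattributable rather than silently ignored.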
In the thread, eleuthria [^1] confirmed, based on his own dealings with Bitstamp's support, that Bitstamp had somehow been compromised.
Bitstamp's email list was confirmed stolen ~2 weeks ago, when a boatload of emails claiming to be from [email protected] (but not sent from any of the BTC Guild mail servers) went out talking about a 3.201 bitcoin transfer. After replying to the people shouting at me for being a scammer, I was eventually able to narrow the source of the leak to Bitstamp at the very least, and likely a few other sources on top of it.
I informed Bitstamp that they had at least a breach on their email list, if not the rest of their system. At first they denied it, but in a follow-up they eventually admitted to it.
They then sent out a little security update email mentioning 2FA/password security.
It's already been 2 weeks, and Bitstamp hasn't given any transparency into this issue. It sure feels like they're pulling off a Linode, and trying to sweep this under the rug.
Bitstamp, you're now the replacement to MtGox. Don't screw this up.
[^1]: If you don't know eleuthria, he operates BTC Guild, one of the first and largest Bitcoin mining pools.