Hackers Take Control of Enigma Using CEO’s Dumped Passwords – Steal Nearly Half a Million in Ethereum
Ethereum and ICOs - the hackers keep getting rich. On Sunday, hackers stole nearly $500,000 in Ethereum from Enigma, a cryptocurrency investment platform provider that was preparing to raise money through an initial coin offering. The hackers took control of Enigma's website, social accounts and its community email list. While Enigma itself hasn't lost any money, the hackers posted Slack messages and sent emails to the community, getting people to send money to the hackers' wallet.
Enigma had apparently told its followers that it would not be collecting any money before the ICO, set for September 11 next month. However, many fell for the trick, and the hackers managed to get 1,492 in ether, worth around $500,000.
Hacked probably using dumped credentials
Some on Reddit have reported that the hackers accessed the email of Enigma CEO Guy Zyskind, whose details were apparently dumped in one of the previous data leaks. However, he hadn't changed the password in the aftermath.
"that's what happens when MIT kids think they are just TOO smart to do basic fucking website security measures" - Reddit user
While the company hasn't said if it was Zyskind's email, it has admitted that "certain team passwords were compromised for the enigma.co landing page and Slack." Enigma Project has now implemented new security measures and says it has adopted two-factor authentication for all employee email accounts. Hmm, too late and a little embarrassing for the company to not have followed these basic security measures.
The company also says that the website for the Enigma token sale was not accessed. "It resides on a separate, more secure server which was never compromised."
Enigma Project has now taken back control of its websites and has deactivated Slack for the time being. In a statement on Twitter, it said:
— Enigma Project (@EnigmaMPC) August 21, 2017
This isn't the first time that hackers have targeted an Ethereum-related ICO. In July alone, CoinDash lost over $7 million while Veritaseum lost over $8.4 million. In the same month, hackers managed to make over $32 million by exploiting a flaw in Parity, an Ethereum wallet client.
The CoinDash attack was similar to the latest attack on Enigma, as scammers had hijacked the website and replaced the wallet address with their own. While CoinDash had agreed to issue tokens to all those who had sent money to the hackers, it's unclear at the moment if or how Enigma plans to compensate the victims.