How to Reduce the Risk of an Exchange Account Hack

If you would rather listen to a discussion about this news story and the strategies to reduce exchange account hack risk, then check out this clip from the Australian Bitcoin Podcast:

Australian Bitcoin Podcast Clip: Mitigating Risk of a Bitcoin Exchange Account Hack

There was a recent Australian news story about a user who had around $100,000 AUD worth of cryptocurrency stolen from his exchange account (to clarify: this did not happen on HardBlock!). The user bought cryptocurrency on the exchange and left it there for several months thinking it was safe. When he later logged back in to withdraw his funds, he discovered a hacker had stolen everything. Unfortunately, because account security is primarily the responsibility of the user, the exchange did not reimburse the stolen funds.

How did this hack happen?

It looks unlikely that this was a targeted hack; instead, the hacker was able to gain access to the account because the user had re-used their email and password on other websites and one of those websites suffered a data leak that affected over one million accounts. The hacker, who got access to this very large list of leaked credentials, used each email and password combination to attempt to log in to various exchanges until one of them worked.

How could the risk of a hack like this be reduced?

Here are our suggestions:

1. Do not keep bitcoin on an exchange or any third-party platform! Withdraw your bitcoin to a wallet whose keys you control (preferably a cold storage hardware wallet). When in doubt, remember the phrase "not your keys, not your coins."

2. Always use a strong and unique password on both your email and exchange accounts. You can use Bitwarden or another password manager to make it easier to choose and remember strong and unique passwords. See our January Newsletter for more information about using a password manager.

3. Set up two-factor authentication (2FA) on both your email and exchange accounts. See our 2FA help article to understand what it is and how to set it up on your HardBlock account.

4. Use a separate email address for your exchange account rather than the usual email which you use for everything else. Bonus points if you choose a privacy-conscious email service - see our November Newsletter for more information on setting up private email.

5. Turn on email alerts (if possible) for important exchange activity, such as logins from new devices or IP addresses, withdrawal requests, and changes to account settings.
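
The following is an added example, not code from HardBlock or from any password manager. It applies suggestions 2 and 3 to a password-manager CSV export, listing which accounts share a password and lack a stored 2FA seed, with email and exchange accounts ranked first. The column names, the sample rows and `CRITICAL_KEYWORDS` are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (no real credentials). Column names are an
# assumption modelled on a typical password-manager CSV export.
SAMPLE_EXPORT = """name,login_username,login_password,login_totp
Personal email,me@mail.example,Summer2019!,
Old forum,me@mail.example,Summer2019!,
Exchange,me@mail.example,Summer2019!,
Bank,me@mail.example,c7#Lq9!vTz2p,otpauth://totp/Bank?secret=PLACEHOLDER
Newsletter,me@mail.example,x9$Tn4@wKe7b,
"""

# Hypothetical keywords for the accounts the article singles out.
CRITICAL_KEYWORDS = ("email", "exchange")


def audit(csv_text, critical_keywords=CRITICAL_KEYWORDS):
    """Return one finding per account, highest risk first."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if r["login_password"]]
    by_password = defaultdict(list)
    for row in rows:
        # Passwords are used only as in-memory keys and never reach the report.
        by_password[row["login_password"]].append(row["name"])
    findings = []
    for row in rows:
        shared = [n for n in by_password[row["login_password"]] if n != row["name"]]
        # Only sees 2FA seeds stored in the manager (assumption); a separate
        # authenticator app is reported here as "no 2FA".
        has_2fa = bool((row.get("login_totp") or "").strip())
        if shared and not has_2fa:
            risk = "high"  # a leak at any site in `shared` opens this account
        elif shared or not has_2fa:
            risk = "medium"
        else:
            risk = "ok"
        critical = any(k in row["name"].lower() for k in critical_keywords)
        findings.append({"name": row["name"], "risk": risk,
                         "critical": critical, "shared_with": shared})
    order = {"high": 0, "medium": 1, "ok": 2}
    findings.sort(key=lambda f: (order[f["risk"]], not f["critical"], f["name"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{'*' if f['critical'] else ' '} {f['risk']:<6} {f['name']:<15}"
              f" shares password with: {', '.join(f['shared_with']) or '-'}")
```

Delete the exported CSV once the audit is done, since it contains every password in plaintext.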


While improving your online privacy and security can seem complicated, it's important to not let "perfect" be the enemy of "good". Some improvements are better than none! And if you follow all of our suggestions, then you will greatly reduce the risk of falling victim to a hack like this, as you stop your account being "low hanging fruit" for a would-be hacker.


Please note we are not paid to advertise any of the above services (e.g., Bitwarden, 2FA solutions, or private email providers) – these are just suggestions based on our research.