LoanBase, a bitcoin lending site, sent out a security warning to its users on Feb. 7 saying it had been breached by cybercriminals.

Breach Notice

While the email notice from LoanBase was not officially made public, one user allegedly posted a copy of the statement to Reddit.

“We’ve discovered that there was a security breach, which resulted in the loss of roughly around 8 BTC,” the Office of Inadequate Security quoted the notice as saying. “At this stage this is an estimate based on the confirmed breach of 4 user accounts. The maximum amount which may have been lost does not exceed 20 BTC.”

LoanBase went on to describe the attack further, noting that the compromised accounts were not protected by two-factor authentication. Additionally, the attackers managed to gain access to the company’s SQL database, which houses personal information of users, via a vulnerability in the site’s content management system.

An Underlying Problem

We know this much: Attackers managed to breach the company through WordPress. This exploit does not seem to be the same as some previous WordPress attacks that have recently come to attention, such as the attacks leveraging TeslaCrypt.

WordPress is open source and has many known vulnerabilities in the PHP code that powers it. The underlying problem for LoanBase was that its WordPress blog was on the same server as its business area, leaving the entire enterprise open to attack.

Some users opined on public forums that once WordPress was compromised, the financial database, which was probably the same mySQL database, would be easy pickings. That seems to be exactly what happened.

Though the financial losses may be contained, the continuing problem may be misuse of the user information contained in the business database. LoanBase maintains identification documentation for a prolonged period regardless of whether a user requests to have an account deactivated (rather than actually deleted). Such a strategy may aid in money laundering investigations but can also impact user confidentiality.

What’s Next for the Bitcoin Lending Site?

As of this writing, the LoanBase site is active, but the blog area is disabled. One remediation method that LoanBase may apply is the use of static content. Static content would shield the active code of WordPress from attacker exploitation. The static content also loads faster since it does not need to be interpreted. Of course, moving WordPress to another server away from the financial system seems like a good idea.

All users of WordPress must consider the takeaway here: Don’t put the CMS on the same server as your business. Isolate it well to enhance security.

More from

CEO, CIO or CFO: Who Should Your CISO Report To?

As we move deeper into a digitally dependent future, the growing concern of data breaches and other cyber threats has led to the rise of the Chief Information Security Officer (CISO). This position is essential in almost every company that relies on digital information. They are responsible for developing and implementing strategies to harden the organization's defenses against cyberattacks. However, while many organizations don't question the value of a CISO, there should be more debate over who this important role…

Malware-as-a-Service Flaunts Its Tally of Users and Victims

As time passes, the security landscape keeps getting stranger and scarier. How long did the “not if, but when” mentality towards cyberattacks last — a few years, maybe? Now, security pros think in terms of how often will their organization be attacked and at what cost. Or they consider how the difference between legitimate Software-as-a-Service (SaaS) brands and Malware-as-a-Service (MaaS) gangs keeps getting blurrier. MaaS operators provide web-based services, slick UX, tiered subscriptions, newsletters and Telegram channels that keep users…

How the Silk Road Affair Changed Law Enforcement

The Silk Road was the first modern dark web marketplace, an online place for anonymously buying and selling illegal products and services using Bitcoin. Ross Ulbricht created The Silk Road in 2011 and operated it until 2013 when the FBI shut it down. Its creator was eventually arrested and sentenced to life in prison. But in a plot twist right out of a spy novel, a cyber attacker stole thousands of bitcoins from Silk Road and hid them away. It…

Data Privacy: How the Growing Field of Regulations Impacts Businesses

The proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become — and stay — compliant must find a solution that can do more than just respond to current challenges. Take a look at upcoming trends when it comes to data privacy regulations and how to follow them. Today's AI Solutions On April…