2013-03-06: BitInstant temporarily taken offline, BitCoins Stolen
Level Three Attack
BitInstant suffered a three-day outage after persistent and sophisticated attackers managed to socially engineer their way to administrative control over a domain registration account. Total losses are $12,480 in BitCoins, but the damage could have been much worse if not for BitInstant's defenses (two-factor authentication for most of their vendors, and storing sensitive information on "offline" services).
Update
Site5, the upstream vendor providing BitInstant's domain name services, made a statement that the attacker already knew the answers to personal verification questions for BitInstant's account. Site5 itself was not socially engineered into revealing the answers, the attacker simply took advantage of their identification and account recovery processes.
Important Tip: When supplying answers for pre-determined security questions, do not use actual personally-identifying information. Most of the time, this information is public record, or you may be coerced into revealing it by some online poll that helps you assemble your band name from the first street you lived on & your maternal grandmother's middle name.
- BitInstant: Events of Friday - BitInstant Back Online
- Net-Security.org: BitInstant back online following breach, Bitcoin theft
- Wired: Hackers Pull Off $12,000 Bitcoin Heist
- (New - Update) Site5: Security & Social Engineering