February 10, 2016 By Larry Loeb 2 min read

LoanBase, a bitcoin lending site, sent out a security warning to its users on Feb. 7 saying it had been breached by cybercriminals.

Breach Notice

While the email notice from LoanBase was not officially made public, one user allegedly posted a copy of the statement to Reddit.

“We’ve discovered that there was a security breach, which resulted in the loss of roughly around 8 BTC,” the Office of Inadequate Security quoted the notice as saying. “At this stage this is an estimate based on the confirmed breach of 4 user accounts. The maximum amount which may have been lost does not exceed 20 BTC.”

LoanBase went on to describe the attack further, noting that the compromised accounts were not protected by two-factor authentication. Additionally, the attackers managed to gain access to the company’s SQL database, which houses personal information of users, via a vulnerability in the site’s content management system.

An Underlying Problem

We know this much: Attackers managed to breach the company through WordPress. This exploit does not seem to be the same as some previous WordPress attacks that have recently come to attention, such as the attacks leveraging TeslaCrypt.

WordPress is open source and has many known vulnerabilities in the PHP code that powers it. The underlying problem for LoanBase was that its WordPress blog was on the same server as its business area, leaving the entire enterprise open to attack.

Some users opined on public forums that once WordPress was compromised, the financial database, which was probably the same MySQL database, would be easy pickings. That seems to be exactly what happened.

Though the financial losses may be contained, the continuing problem may be misuse of the user information contained in the business database. LoanBase maintains identification documentation for a prolonged period regardless of whether a user requests to have an account deactivated (rather than actually deleted). Such a strategy may aid in money laundering investigations but can also impact user confidentiality.

What’s Next for the Bitcoin Lending Site?

As of this writing, the LoanBase site is active, but the blog area is disabled. One remediation method that LoanBase may apply is the use of static content. Serving pre-rendered static pages would mean no WordPress PHP code runs on the public server, removing it from the attack surface; static pages also load faster because nothing needs to be interpreted per request. Of course, moving WordPress to another server away from the financial system seems like a good idea.

All users of WordPress must consider the takeaway here: Don’t put the CMS on the same server as your business. Isolate it well to enhance security.
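The isolation the article recommends has a database-level counterpart: even when the blog and the business application still share a MySQL server, the blog's credentials should not be able to reach the lending data. The following is an added example, not code from the article or from LoanBase; the schema names `wp_blog` and `lending_app`, the host names and the account names are all hypothetical, and the passwords are placeholders.

```sql
-- Added example (not from the article or LoanBase): database-level separation
-- that limits what a compromised WordPress install can read.
-- Assumes MySQL or MariaDB, a blog schema named wp_blog and a business schema
-- named lending_app; every name below is hypothetical.

-- Weak setting: one account shared by the blog and the business application,
-- with privileges on every schema. Any WordPress or plugin flaw that leaks this
-- password exposes the lending data as well.
CREATE USER 'webapp'@'%' IDENTIFIED BY 'shared-password-placeholder';
GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%';

-- Corrected setting: the blog gets its own account, reachable only from the
-- blog host, limited to the blog schema and to the statements WordPress needs
-- (CREATE/ALTER/DROP/INDEX are included because core and plugin updates
-- create and modify their own tables).
CREATE USER 'wp_blog'@'blog-host.internal'
    IDENTIFIED BY 'blog-only-password-placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
    ON wp_blog.* TO 'wp_blog'@'blog-host.internal';

-- The lending application gets a separate account, reachable only from its own
-- host, with no rights on the blog schema at all.
CREATE USER 'lending_app'@'app-host.internal'
    IDENTIFIED BY 'app-only-password-placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON lending_app.* TO 'lending_app'@'app-host.internal';

FLUSH PRIVILEGES;

-- Verification: each account should list grants on its own schema only.
SHOW GRANTS FOR 'wp_blog'@'blog-host.internal';
SHOW GRANTS FOR 'lending_app'@'app-host.internal';

-- Verification from the blog side: when connected as wp_blog, a query such as
--   SELECT COUNT(*) FROM lending_app.users;
-- must fail with an access-denied error once the grants above are in place.
```

Run the `CREATE USER` and `GRANT` statements as an administrative account, then connect as `wp_blog` and confirm that the cross-schema query in the final comment is refused. This does not replace putting the CMS on a separate server, which the article recommends, but it means a WordPress compromise on its own no longer yields the business records.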
