CoinStats Hack: 1,590 Wallets Compromised, Users Report Missing Funds

[ABCbits]

CoinStats Hack: 1,590 Wallets Compromised, Users Report Missing Funds

On June 22, CoinStats, a popular crypto portfolio tracking platform, announced a security breach affecting some of its iOS users who received a scam notification claiming a reward.

This notification directed users to log into the CoinStats AirScout wallet, leading them to a malicious website. CoinStats revealed that the breach specifically targeted wallets created within their app... Read more here.


It seems this portfolio tracking/wallet software is rather popular. If you use it, you might want check spreadsheet shared by CoinStats which stated on the full news. Although they haven't shared how it happened and their website currently only show message "Temporarily Unavailable". Your opinion is greatly appreciated.

[hugeblack]

I stopped using CoinStats in 2021, and it is unfortunate that the company’s servers were hacked, but I do not think you can create wallets using CoinStats. The last time I visited the site was a while ago, but it is supposed to be a service to track your crypto address or MPK, so it will affect users’ privacy.

[Lucius]

I couldn't open the link from OP because it was blocked with a CF captcha, so I looked for another source of news and as far as I understand, this is not about hacking user wallets on this service, but about the fact that users are enabled to connect all their wallets to this service and use them as a "crypto portfolio tracker".

As far as I understand, the danger is that hackers could take advantage of the fact that CS has allegedly published the list of affected coin addresses publicly (really smart ), and in combination with some other data, this could enable scammers to contact "victims" and offer help.

It seems that the information from different articles is somewhat contradictory.

The portfolio manager states on its website that since it “asks for read-only access” to connected crypto wallets, users’ holdings remain “perfectly safe under any conditions.”

The platform offers users the ability to connect all their crypto wallets and use it as an overall crypto portfolio tracker, allowing them to view all their wallets in one place.

[Zed0X]

There was another app back in the day that does a similar thing it was called Blockfolio and, if I'm not mistaken, was also breached. If I also remember correctly, some users also granted the app the permission to trade.

[hugeblack]

As far as I understand, the danger is that hackers could take advantage of the fact that CS has allegedly published the list of affected coin addresses publicly (really smart ), and in combination with some other data, this could enable scammers to contact "victims" and offer help.

In above source there is a different story, it is a system message hack that leads to a phishing link.

On June 22, CoinStats, a popular crypto portfolio tracking platform, announced a security breach affecting some of its iOS users who received a scam notification claiming a reward.


This notification directed users to log into the CoinStats AirScout wallet, leading them to a malicious website. CoinStats revealed that the breach specifically targeted wallets created within their app.

[/size]

There was another app back in the day that does a similar thing it was called Blockfolio and, if I'm not mistaken, was also breached. If I also remember correctly, some users also granted the app the permission to trade.

Blockfolio was a strong competitor to CoinStats (before it was acquired by FTX,) but that hacking was not relating to databases and user data, but rather access Blockfolio’s messaging system and sending annoying messages

[ABCbits]

I stopped using CoinStats in 2021, and it is unfortunate that the company’s servers were hacked, but I do not think you can create wallets using CoinStats.

Maybe it was in past. If you visit https://play.google.com/store/apps/details?id=com.coinstats.crypto.portfolio, it state wallet and even swap feature. Their choice isn't surprising though since some user don't want to install and use too many apps.

I couldn't open the link from OP because it was blocked with a CF captcha, so I looked for another source of news

--snip--

That's weird since i can access the link even though i use VPN. Anyway, you could try access the archived version on https://web.archive.org/web/20240623073010/https://beincrypto.com/coinstats-security-breach-crypto-wallets-hacked/.

[Stompix]

It seems that the information from different articles is somewhat contradictory.

The portfolio manager states on its website that since it “asks for read-only access” to connected crypto wallets, users’ holdings remain “perfectly safe under any conditions.”

The platform offers users the ability to connect all their crypto wallets and use it as an overall crypto portfolio tracker, allowing them to view all their wallets in one place.

Well, it's not like their statement isn't also:

1. None of the connected wallets and CEXes were impacted.
2. Thanks to the immediate incident reponse from the CoinStats team, only 1.3% of all CoinStats Wallets were affected, totaling 1,590 wallets.

None of the connected wallets, what are those wallets?
They are into full damage control but they don't even know how this "hack" happened and what vulnerability in their app could have triggered this whole mess, a hack that basically took over everything in their app.
Speaking of damage control:

https://coinstats.app/
"The page is done" message is....

[TomPluz]

There was another app back in the day that does a similar thing it was called Blockfolio and, if I'm not mistaken, was also breached. If I also remember correctly, some users also granted the app the permission to trade.

I am sure many people involved with cryptocurrency will be wary to be using similar services because of the enormous hacking risks that can befall anyone resulting into unexpected losses. I am sure that CoinStats should be doing something to refund the wallets affected as this is totally not on the fault of the users. One of the biggest reasons why there will always be people who will not go into the cryptocurrency industry is the risk of hack, not to mention the steady supply of scams and frauds affecting so many people. There must be a solid solution to these problems, otherwise this can be a very obvious Achilles' heel of the industry.

[Lucius]

@Stompix, I would call it ordinary amateurism and nothing more. They obviously don't know what happened to them, they give contradictory statements, and in all of this their users are obviously the most confused.

I have never had the need to connect my wallets to anything, but some people obviously have such a huge crypto portfolio that they have no other choice. I always thought that in this way they only threaten their privacy, but do some people use their seed/private keys when we talk about connecting wallets? It would not be at all surprising if there were such cases...