Hi folks, we've been experiencing some disruptions over the past couple of days as we've been working to mitigate an attacker who found and exploited a vulnerability in our system that allowed them to get password reset codes for accounts that didn't belong to them.

Using this exploit they were able to gain access to a number of accounts that they shouldn't have had access to and withdraw funds.

We've patched the issue and believe we've revoked the attacker's access to the compromised accounts by invalidating their JWT authentication tokens and NWC secrets.

We've instituted system-wide withdrawal limits as a precautionary measure while we work to fully restore and migrate the payment records of affected accounts.

If you are seeing a blank screen when you visit the Coinos site, you may need to visit https://coinos.io/logout or clear your browser cache. If you have Coinos installed as a PWA you may need to uninstall it and re-add it to your homescreen.

About 80 accounts had their passwords reset by the attacker but only a handful were actively stolen from. If your account was compromised you may be missing some recent transactions. We do have backups and will be writing scripts to find and restore those payment records over the coming days.

If you were using Coinos via NWC your NWC connection string secret may have changed in which case you will need to re-connect Coinos to your Nostr apps.

We'll be reverting unsolicited withdrawals and covering all losses ourselves to make all our users whole. Thankfully we caught the attack relatively quickly and managed to take corrective action before the attacker had time to fully drain our wallets.

Coinos is essentially a volunteer effort and one-man show on the tech front so please be patient as it's going to take me a few days to restore everything back to normal.

This incident has not shaken my resolve, only strengthened it.

Sincerely,

Adam Soltys

Well, that sucks. Literally switched three days ago 👀 Yikes.

Bad actors man! What a shame. But I guess exposing vulnerabilities is a good thing when you have 1000 sats instead of a lot more.

nostr:nevent1qqsplku6u3fwzez9pwew5pvmfpq0fr48a6qffm5472dd2nlf5h4668qpzdmhxue69uhhwmm59e6hg7r09ehkuef0qgst4qyeqenw7zm0fwjsty68h6cnys5jre2xd8ngqpjv5a2j26s78fsrqsqqqqqpkqyj6k


Discussion

So it seems like this is just gonna be a juggle game. I switched from Minibits to Coinos because it was being buggy. I guess maybe a rotation approach is best? 👀

It sucks though, cos I literally left my bio blank for months, allowing space for redefining how I wanna show up. I literally just wrote a new one, did not save it anywhere, and setting up Coinos reset it, had it disappear, stole it from me 😅 I wonder if it can be restored in their repair and restoration process after this hack attack.

Coinos and the team are great. Reach out to them here or on Telegram. They will get you squared away.

Sweet. You have their Telegram? I kind of don't wanna bother them right now in the middle of damage control, but I can reach out in a few for sure.

They are also personally repaying out of their own pocket to make everyone whole that was affected.

That's really honorable of them to do. Hopefully that wasn't a lot of funds. And hopefully helps to strengthen the system. I am not sure if my account got anything stolen or if they have restored it. Looks to have transactions in it. I've only got less than 2k sats of zaps since I signed up on the 28th I think it was.

Very few were affected. And if you can access your account and nothing is gone, you are fine. The attackers reset some passwords, which would mean you wouldn't be able to log in if your account was targeted.

sats on ecash mints or custodial services

COUNT ALWAYS AS LOST !

at least for now

Is coinos considered custodial?

Try not to mislabel or get confused by opinions here nostr:npub1q46m7q7zv8qe2zqffhhjnj558fdtzjxy7akr0x9ytwa3zc4zhpus0m8rmu I get what you are saying. But if the sats are in her wallet, they are not gone.

Yes, it is custodial. They are managed by a company, so there is risk. But they are NOT lost.

No. I get what he is saying. Isn't that where the saying "not your keys, not your coins" or something comes from? I think my brain is just turning on about the custodial aspect; I am just waking up and drinking my coffee.

You are correct about what he's implying.

Happy to help if you have any questions. Just reach out here or elsewhere!

This is the risk of using any bitcoin software, or any software really.