Social Media has been alive with the sound of security buffs ridiculing cryptocurrency trading platform, Enigma, for a purported hack that cost prospective customers approximately $500,000 in Ethereum.
Apparently, the breach occurred when hackers gained access to the company’s website, Slack channel and certain email lists. They then set up a fake website, sending emails which tricked some investors into sending funds in Ethereum.
However, a Reddit user is claiming this was not a sophisticated hack but some basic security failures by Enigmas CEO, Guy Zyskind.
How to get information security wrong
No mystery here.
It appears that some basic research revealed that Zyskind’s account was hacked, he used the same password for multiple sites and had administrator rights to the company’s website and Slack.
On top of which his details were on a recently hacked database (easily found), following which he never changed his password. In fact, the reporter claims it is still in use on another platform where no 2-factor authentication is enabled.
Hackers then used his compromised Google account to send emails to all his contacts. Hackers now have a list of email addresses for future phishing attacks.
All rather embarrassing for a self-acclaimed security expert and rather ironic that they chose the name Enigma, which was, as another Reddit user commented a failed crypto machine.
Lessons learned from other’s mistakes
- Put in place a strong password policy and make sure all staff, even the CEO, understand and comply
- Deploy two-factor authentication
- Do not practice “do as I say not as I do”
- Do not purport to be something you are not
- Choose your company name wisely
But, on a more serious note, if you are concerned with offering your stakeholders assurances about protecting your IP, your profits and their data then look to build an Information Security Management System that can be independently certified to an international standard such as ISO 27001:2013.
Going through this process will ensure you have considered the risks to your business and put all the necessary controls in place.
