Erik Voorhees' exchange ShapeShift has been hacked and has lost an unspecified portion of the funds in its hot wallet. The company says it has taken down its website and is rebuilding part of its infrastructure to fix the problem. It claims that no customer funds have been lost, but it also says "a handful" of people have to contact it to get their money back.
Here's their official message:
Customers who had pending orders have to contact ShapeShift to get their funds back; hopefully they will get them back. ShapeShift guarantees on its site that it usually does not hold any customer coins; it holds customer funds only while an order is pending. If the system was set up properly (which we don't know, since they are rewriting it all), that would mean customer funds can't be at risk, since they use a loginless instant-transaction setup.
They are not specific about how much money was stolen from them, and when their security was weak enough to require a whole rewrite, one must wonder about other issues there. So don't trust anybody out there in this industry.
Editor's note: An earlier version of this article contained implications that ShapeShift was custodian for more customer funds than it really is. Most transactions with customers are done within 0-20 minutes and customers do not store their funds on ShapeShift. Therefore, ShapeShift is a middleman/custodian of the funds that are used in pending orders, but those only last for up to 20 minutes. Thus the funds at risk are relatively low if the system is running properly like this.