Coinkite discloses that they leaked a copy of their user database

Canadian bitcoin startup Coinkite, which recently shuttered their web wallet and launched their new disposable hardware wallet just released a security notice disclosing that they may have leaked a copy of their user database.

They didn’t specify exactly how they may have leaked the database, but that they did while in the process of turning off servers, disabling firewalls, and cleaning up backup systems. It’s possible that a malicious hacker may have been targeting them knowing that their systems were being shuttered, and was able to compromise the database during this window of time.

Here is the security notice in full:

As you know, Coinkite has exited the “Web Wallet” business to focus on hardware. We’re happy to announce that nearly everyone has removed their funds via our withdrawal process.

While we were turning off servers, disabling firewalls and cleaning up backup systems today, we may have leaked a copy of our database. Although passwords into Coinkite.com are not useful anymore, you can rest assured that passwords were salted and SHA256 hashed with 131,072 rounds. If you used the same password on other sites, as a precaution, you may want to consider changing those other accounts. It’s possible you will see spam to your related email addresses.

If you have concerns, please contact support.

Unfortunately, former users of the web wallet will now be susceptible to email phishing scams and the like. The good news though is that as Coinkite stated, the passwords were salted and hashed; however it’s good security practice to not reuse passwords and if you happen to actually do that, and have a password from Coinkite that you use elsewhere, that you change it immediately.