Coinos, a leading bitcoin payment platform, yesterday announced it has resolved a security vulnerability that enabled unauthorized access to a limited number of user accounts.
In a statement, CEO Adam Soltys detailed the incident, the company’s rapid response, and its commitment to reimbursing affected users.
What Happened?
An attacker recently exploited a vulnerability in Coinos’ system to generate password reset codes for accounts without authorization. This allowed the malicious actor to access approximately 80 accounts, though funds were stolen from only “a handful” of them. The breach was detected and mitigated swiftly, with no further risks to user accounts identified.
Immediate Actions Taken
- Patch Deployed: The vulnerability was promptly patched to prevent further exploitation.
- Access Revoked: All compromised accounts had their JWT authentication tokens and NWC (Nostr Wallet Connect) invalidated.
- Withdrawal Limits: Temporary system-wide withdrawal limits have been instituted as a precaution.
- Fund Recovery: Coinos is covering all losses to ensure users are “made whole,” with unsolicited withdrawals being reverted.
User Support and Restoration Efforts
Affected users may notice missing recent transactions due to ongoing data restoration. Soltys emphasized, “We do have backups and will be writing scripts to find and restore those payment records over the coming days.” Users experiencing technical issues, such as blank screens, are advised to clear browser caches or reinstall the Progressive Web App.
A Message from CEO Adam Soltys
Soltys acknowledged the challenges, stating, “Coinos is essentially a volunteer effort and one-man show on the tech front, so please be patient as it’s going to take me a few days to restore everything back to normal.” He reaffirmed his commitment: “This incident has not shaken my resolve, only strengthened it.”
Looking Ahead
Coinos is prioritizing transparency as it works to rebuild trust. Users are encouraged to monitor official channels for updates and contact support with concerns.