Enigma Hacked Before ICO Date -- CEO Had Not Changed A Compromised Password




Wherever there’s a lot of money to be made, cyber thieves are not far behind. Think sharks surrounding a bait ball.

Enigma is a financial data marketplace founded by a team from MIT which is set to launch its Initial Coin Offering (ICO) on September 11, 2017. It has a community of 9,000 users who joined its mailing list, social accounts, and Slack tool to keep up with its offering and stay up to date after the ICO.

Cyber thieves were temporarily able to compromise the site and its social accounts, and to take control of the mailing lists and the Slack administrator account. A phony email was sent to the list and some social accounts saying that the presale had started and that funds should be sent to an Ethereum address. That address turned out to belong to the hackers. Using this method, the community was bilked of nearly a half million dollars in Ethereum tokens. While most of the community smelled a scam, some of them bit the hook.

Users on Reddit found that Enigma CEO Guy Zyskind’s email was accessed by the hacker. His email had been part of a hack of a different service in the past and had been dumped on the internet, but seemingly Zyskind had not taken the time to change the password. OUCH.

TechCrunch found an alert for the email address on haveibeenpwned.com. Likewise, there was no two-factor authentication or last line of security to keep anyone with the password out. A spokesperson said that “certain team passwords were compromised for the enigma.co landing page and Slack.” No company funds were said to be lost.

Enigma regained control of its site and accounts and posted a letter on its website and Twitter explaining what transpired. It also informed the community that official communications would be done through the more secure Telegraph app. Following the hack, Enigma posted a note which can still be found on its site.

That wasn’t a sophisticated caper, so it's perplexing that a company organized around a secure cryptographic platform permitted such sloppy password security. According to Wired:

“Enigma said in a statement on Monday that its community fund-raiser, also called a crowd sale, was always set definitively for September 11, and emphasized that its secure servers had not been hacked. But a spokesperson confirmed that the scammers compromised account passwords using various methods.

And in response to the incident, the company says it is adding strong, random passwords and two-factor authentication for each account, plus implementing robust password changing and better system compartmentalization. "We’ve moved up a number of critical security steps and taken additional measures to protect the community going forward," says Tor Bair, Enigma's head of marketing and growth. "We’re now very well aware of the potential threats and are taking no chances."”

Stepping the CEO through new-school security awareness training would have prevented this PR debacle.


How weak are your users’ passwords?

Are your users’ passwords…P@ssw0rd? Bad guys are constantly coming out with new ways to hack your network while evading detection.

Employees are the weakest link in network security, using weak passwords and falling for phishing and social engineering attacks.

Verizon's recent Data Breach Report showed that 81% of hacking-related breaches used stolen and/or weak passwords.

KnowBe4’s complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak-password-related threats.

WPT gives you a quick look at the effectiveness of your password policies and any failures so that you can take action. It tests against 10 types of weak-password-related threats, for example Weak, Duplicate, Empty, and Never Expires, plus 6 more.

Here's how the Weak Password Test works:

Reports on the accounts that are affected

Tests against 10 types of weak password related threats

Does not show/report on the actual passwords of accounts

Just download the install and run it

Results in a few minutes!

This will take you 5 minutes and may give you some insights you never expected!

Requirements: Active Directory, Windows 7 or higher (32 or 64bit)
