Coincube was hacked. It looks like a disgruntled ex-employee stole the code and database and used the API keys to sell users' holdings at a loss. The admin in the Telegraph group reports that only he and one other user were affected.
If you are a Coincube user, you should cancel your API keys on your exchanges. Note that several exchanges, including Bittrex and Poloniex, support IP whitelisting. The IP addresses used by the Coincube bot are 22.214.171.124, 126.96.36.199, and 188.8.131.52*.
Coincube are still operating and will review their operational security and technical implementation going forwards. Their admin Robert Allen has given great support during this incident.
What should we expect?
- Identify trading-bot and non-trading-bot transactions in their UI so users can verify they were not affected by this hack.
- Publish instructions and IPs in their UI so that users can whitelist the trading bot.
- Review operational security.
- Review technical security.
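
A sketch of the check behind the first two items above, added here as an example and not Coincube's or any exchange's code: it splits API activity by whether the source address is on the bot allowlist. The log format, key labels and sample records are constructed assumptions, and the allowlist is generalized to accept CIDR ranges as well as the single addresses quoted on this page.

```python
import ipaddress
from collections import defaultdict

# Bot source addresses as quoted on this page.
BOT_IPS = ["22.214.171.124", "126.96.36.199", "188.8.131.52"]

# Constructed sample records: timestamp, API key label, source IP, action.
# The field layout is hypothetical; adapt it to what your exchange exports.
SAMPLE_LOG = """\
2018-01-10T09:00:02Z,key-A,22.214.171.124,buy BTC-ETH
2018-01-10T09:05:40Z,key-A,126.96.36.199,sell BTC-LTC
2018-01-10T23:14:09Z,key-A,203.0.113.77,sell BTC-ETH
2018-01-11T08:30:00Z,key-B,188.8.131.52,buy BTC-XMR
2018-01-11T08:31:00Z,key-B,not-an-ip,buy BTC-XMR
"""

def build_allowlist(entries):
    """Accept single addresses or CIDR ranges."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def classify(log_text, allowlist):
    """Return {key: {"bot": [...], "non_bot": [...], "unparsed": [...]}}."""
    report = defaultdict(lambda: {"bot": [], "non_bot": [], "unparsed": []})
    for line in filter(str.strip, log_text.splitlines()):
        parts = [p.strip() for p in line.split(",", 3)]
        if len(parts) != 4:
            report["?"]["unparsed"].append(line)
            continue
        ts, key, ip_text, action = parts
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            # Fail closed: an unreadable source is never counted as bot traffic.
            report[key]["unparsed"].append(line)
            continue
        bucket = "bot" if any(ip in net for net in allowlist) else "non_bot"
        report[key][bucket].append((ts, ip_text, action))
    return dict(report)

def keys_needing_review(report):
    """Keys with any activity that cannot be attributed to the bot."""
    return sorted(k for k, v in report.items() if v["non_bot"] or v["unparsed"])

if __name__ == "__main__":
    rep = classify(SAMPLE_LOG, build_allowlist(BOT_IPS))
    print(keys_needing_review(rep))
```
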
Ideally, decrypted API keys should only be held in memory. It appears that the encryption key was stored in source code or was otherwise accessible to trusted employees. It would be preferable to store the encryption key in a separate system to which trusted users do not have access, such as a Hardware Security Module or perhaps, in a cloud deployment, a separate server.