A string of hacks that targeted Coinbase, the world’s most well-funded Bitcoin wallet, has led to a loss of more than 40 BTC that hit different users of the service.

The main character of this story, reported by The Verge, is Jeff, who lost 10.6 BTC in December of last year (equivalent to around $10,000 at the time). The man, who wanted to keep his last name anonymous, was the victim of a hack and managed to get a refund from Coinbase.

However, a month later, Jeff’s account was attacked for a second time and he lost an additional $7,000, besides his original amount. He was able to save the $7,000, but not the 10.6 BTC, as Coinbase refused to refund him again.

But Jeff is not the only one: there are two other registered thefts that resulted in the loss of $21,000 and more unconfirmed reports at Coinbase’s sub-Reddit.

The problem, as researchers from the security firm FireEye told The Verge, is Coinbase’s API key. “Used to let third-party apps access Coinbase accounts, the right API key will let any program move Bitcoins in and out of a given accounts. Once the key is compromised, attackers can even access linked bank accounts to purchase more Bitcoins. Users are advised not to authorize the API key if they don’t need it“, reads the article.

Meanwhile, Coinbase released a statement regarding the matter. “While we have security measures in place that are even tighter than some online banking sites, there are still steps we as a company can take to make Coinbase accounts even more secure than average”, the company said.

“We’ve implemented a number of increased security measures, including expanded two-factor authentication measures designed to help lessen the likelihood of successful phishing incidents in the future. We’ve also added an email verification step for key actions, such as when an API key is enabled”, the statement adds, recalling that it is important for “all customers to exercise caution when clicking links to financial institutions or payment services online”.