Boussac



Offline



Activity: 1224

Merit: 1015





blockchain.io







LegendaryActivity: 1224Merit: 1015blockchain.io Instawallet claim process April 04, 2013, 04:53:44 PM

Last edit: November 14, 2013, 09:52:42 AM by Boussac #1



I am a co-founder of Paymium, the company behind Instawallet.



We have now finished our analysis of the events that lead to the suspension of the service.

An intruder was able to access the instawallet database. As a result, all "hidden" urls, i.e wallets, have been compromised and are no longer safe to store bitcoins.

Funds were stolen: a

Computer forensic analysis is in progress with independent auditors.

We will be able to refund all instawallet balances up to 50 BTC per wallet.

In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.



Important information on claims submission:



1. For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.



2. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded.

If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.



3. Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.

The number of such wallets represents less than 0.5% of the number of funded wallets in our records.

In other words, 99.5% of instawallets will be fully refunded.



If you file a claim with Paymium, please do not contact us regarding your claim until the 90-day period has elapsed.

We will need to wait the end of the period to send the refunds as some people might have forgotten about their instawallet and need time to retrieve it.



Thanks for your patience and understanding.



EDIT:

The reason some of you have not seen their payout is simply that they did not approve the proposed payout.

We need discharge from the people we pay out otherwise there is no way to remove the liability from our books.

The discharge is required also because the database might have been tampered with: even though it may be minimal and partial, there is a non zero probability that the proposed amount does not match the expected amount.

Payouts may be approved until the end of the year. Unapproved payouts will be considered as donations after the end of the year.

A sendmany transaction will be sent in January 2014 to those who filed a claim on time but failed to approve their payout so far.

To approve a payout, simply visit your wallet page (do not forget to type https://www.instawallet.org/w/yourwalletsecreturl in full). Thanks for your cooperation in getting these claims resolved. Dear Instawallet users,I am a co-founder of Paymium, the company behind Instawallet.We have now finished our analysis of the events that lead to the suspension of the service.An intruder was able to access the instawallet database. As a result, all "hidden" urls, i.e wallets, have been compromised and are no longer safe to store bitcoins.Funds were stolen: a police report was filed by Paymium with BEFTI ( Brigade dEnquêtes sur les Fraudes aux Technologies de lInformation, a unit of the French "Police Judiciaire") and an investigation is in progress.Computer forensic analysis is in progress with independent auditors.We will be able to refund all instawallet balances up to 50 BTC per wallet.In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.Important information on claims submission:1. For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.2. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded.If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.3. Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.The number of such wallets represents less than 0.5% of the number of funded wallets in our records.In other words, 99.5% of instawallets will be fully refunded.If you file a claim with Paymium, please do not contact us regarding your claim until the 90-day period has elapsed.We will need to wait the end of the period to send the refunds as some people might have forgotten about their instawallet and need time to retrieve it.Thanks for your patience and understanding.EDIT:The reason some of you have not seen their payout is simply that they did not approve the proposed payout.We need discharge from the people we pay out otherwise there is no way to remove the liability from our books.The discharge is required also because the database might have been tampered with: even though it may be minimal and partial, there is a non zero probability that the proposed amount does not match the expected amount.Payouts may be approved until the end of the year. Unapproved payouts will be considered as donations after the end of the year.A sendmany transaction will be sent in January 2014 to those who filed a claim on time but failed to approve their payout so far.To approve a payout, simply visit your wallet page (do not forget to typeinstawallet.org/w/yourwalletsecreturl in full). Thanks for your cooperation in getting these claims resolved. Paymium

steelboy



Offline



Activity: 826

Merit: 1000









Hero MemberActivity: 826Merit: 1000 Re: Instawallet claim process April 04, 2013, 05:06:57 PM #5 But the 0.5% of wallets you can't refund in full will contain the majority of the money. How many btc were stolen?

steelboy



Offline



Activity: 826

Merit: 1000









Hero MemberActivity: 826Merit: 1000 Re: Instawallet claim process April 04, 2013, 05:15:07 PM #6 Quote from: steelboy on April 04, 2013, 05:06:57 PM But the 0.5% of wallets you can't refund in full will contain the majority of the money. How many btc were stolen?



Also, what about transactions over 50btc that were sent out of a wallet before the website went offline but did not reach destination? Support was contacted as was Davout on the forum. Surely this must be repaid in full?



Apologies for my shortness, I am obviously worried about my coins. Also, what about transactions over 50btc that were sent out of a wallet before the website went offline but did not reach destination? Support was contacted as was Davout on the forum. Surely this must be repaid in full?Apologies for my shortness, I am obviously worried about my coins.

trout



Offline



Activity: 334

Merit: 250







Sr. MemberActivity: 334Merit: 250 Re: Instawallet claim process April 04, 2013, 05:15:31 PM #7

1) do you still have a database of outgoing transactions that were not broadcast?

For several hours before instawallet went offline, outgoing transactions had not been sent

out. Will you be able to process claims for those? (I'm an unlucky owner of one such wallet,

and it held over 50BTC, so I'm worried)





2) there's an additional way to prove ownership of a wallet: sign a message with keys for addresses that

were used to fund a wallet (not everyone has those keys, but some of us do). This can be useful

if more than 1 claim is submitted for the same wallet.



3) can you say how much funds were stolen?



tvbcof



Offline



Activity: 3318

Merit: 1140







LegendaryActivity: 3318Merit: 1140 Re: Instawallet claim process April 04, 2013, 05:16:40 PM #8 If you could, please state:



1) That the claim infrastructure will be accessible by visiting the URL of the instawallet (if true.)



2) When the infrastructure is in place to make a claim.



3) The type of information needed to make a holding claim. Such as:



- extra contact info such as a bitcointalk.org username of a contact e-mail address if it may be useful in order to resolve conflicting claims.



- a recollection of the recent utilization patterns.



- anything else which may require some thought on the user's part.



From a user perspective, I would like to visit the URL one time and input all the necessary information without needing to halt to do a lot of research, etc.



Thanks.

sig spam anywhere and self-moderated threads on the pol&soc board are for losers.

Joost



Offline



Activity: 68

Merit: 10









MemberActivity: 68Merit: 10 Re: Instawallet claim process April 04, 2013, 05:31:36 PM #10 Quote from: Boussac on April 04, 2013, 04:53:44 PM

An intruder was able to access the instawallet database. As a result, all "hidden" urls, i.e wallets, have been compromised and are no longer safe to store bitcoins.





So, how are they any good to handle the refunds with / base refunds upon? Surely the hacker could just submit all the URL's he found (and copied) straight into the refund process and cash out again? So, how are they any good to handle the refunds with / base refunds upon? Surely the hacker could just submit all the URL's he found (and copied) straight into the refund process and cash out again?

steelboy



Offline



Activity: 826

Merit: 1000









Hero MemberActivity: 826Merit: 1000 Re: Instawallet claim process April 04, 2013, 05:42:44 PM #11 This. What info could we have that the hacker does not?



Also, did the hacker know the balances of each URL or did they have to search each one?

Timbo925



Offline



Activity: 352

Merit: 250









Sr. MemberActivity: 352Merit: 250 Re: Instawallet claim process April 04, 2013, 06:02:54 PM #12

Why would anyone do this... Guess they learned a lesson. Their were people with more than 50BTC on an instawallet?Why would anyone do this... Guess they learned a lesson. Graphic Designer for hire (Ads/Logos/Banners...) 0.25 BTC --> https://bitcointalk.org/index.php?topic=78924.msg878727#msg878727

BTC address: 1TimbojaydbZs1x5ptPVovsb9rATH3JSU jaydbZs1x5ptPVovsb9rATH3JSU

hous



Offline



Activity: 98

Merit: 10







MemberActivity: 98Merit: 10 Re: Instawallet claim process April 04, 2013, 06:05:31 PM #13 steelboy will be a hero member by the time he gets his coins back!!



Have you phoned him steelboy?

trout



Offline



Activity: 334

Merit: 250







Sr. MemberActivity: 334Merit: 250 Re: Instawallet claim process April 04, 2013, 06:43:36 PM #15 Quote from: ghdp on April 04, 2013, 06:33:08 PM Quote from: steelboy on April 04, 2013, 05:42:44 PM This. What info could we have that the hacker does not?



I can name at least one : the IP address(es) from where the wallet were usually accessed. He may know the addresses (if they are stored in the database) but he may have some difficulties submitting the claim from one of them.



I hope (and I think) that Paymium will watch from where the claims are submitted and in case of doubt (TOR exit, known proxy) they will ask for more details from the one who fills the claim.



I can name at least one : the IP address(es) from where the wallet were usually accessed. He may know the addresses (if they are stored in the database) but he may have some difficulties submitting the claim from one of them.I hope (and I think) that Paymium will watch from where the claims are submitted and in case of doubt (TOR exit, known proxy) they will ask for more details from the one who fills the claim. tough luck then for those that were accessing their wallets through tor

SgtSpike



Offline



Activity: 1372

Merit: 1001









LegendaryActivity: 1372Merit: 1001 Re: Instawallet claim process April 04, 2013, 07:14:36 PM #18 Why not more information? You failed to answer some very basic questions that everyone is wondering:

- How much was stolen?

- How much will those with more than 50 BTC be missing when they attempt to make a claim?

- Why aren't you covering the stolen amounts out of your own coffers? It was your site security that failed, not the fault of your users.

- Given that your company is insolvent (obviously, or you would be able to pay everyone back in full), are you not afraid of being sued for the remaining amounts and then being investigated for criminal activity as a result? It is against the law (at least in the US, not sure about European countries) to display favoritism to one creditor vs another when you know the company is insolvent. All account holders should be taking the same haircut and be repaid by the same percentage of their original balance.



FWIW, I have no stake in the game. I am just disappointed in how this is being handled.