The flaw in question didn't require the thief to obtain the login for the victims - it just required the victims to visit other websites whilst logged into Bitfunder. Unless the 2 raised in that thread are actually old-style key-logged passwords etc. that just happened to occur at the same time as the flaw in Bitfunder was being abused. There were reports of many more than 2 people affected by it. At the time there was no way to prevent it with 2FA (2FA only applied to logging in, which didn't make any difference). The way to prevent it was not to visit any unknown links whilst logged into Bitfunder (using a different browser for Bitfunder would also prevent the easiest route for attackers but isn't necessarily totally safe) and logging out of Bitfunder before doing anything else. The problem WAS the result of bad decisions in respect of Bitfunder's design - it accepted POST requests without verifying they originated from a session connected to Bitfunder (so the attacker only had to send the request and it would work if you were logged in - without any need for them to obtain information about your session or even know who you were). Transfers were just the easiest way to abuse it - not the only way. The public assets list for Bitfunder was likely very useful to attackers as well - as it allows them to transfer 1 share, then work out how many you have left to know how large a transfer to clear the rest, plus it also allows them to see what else you hold that they can steal.

Incredibly shocking. BitFunder gets an F for security. IF you've got money in there, get it out NOW... if this is possible, who knows what other huge, gaping security holes there are.

Other exchanges were not better. I won't say more. I was pretty much shocked at the amount of attention paid to security for bitcoin web services. Originally I thought MPEx were absolutely crazy, but now that's actually a pretty good method if you expect your users to jump through the hoops.

This was why transfers require 2-factor as of weeks ago. A cross-site POST could not magically come up with a 2-factor code. As well as putting some per-page protections in place, and doing some additional checks, you will soon see 2-factor as an option for most other requests. As it stands, BitFunder itself is not "hacked". The system does indeed check for sessions. The user must have had a recent and still active session.

-Ukyo
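
The first post describes the flaw (a transfer POST accepted from any site as long as the victim's browser holds a live session) and the reply above describes the fix as per-page protections plus a session check. The following is an added example, not Bitfunder's code: a small model of a share-transfer endpoint showing why a session check alone passes a forged cross-site POST, and how a per-session token the foreign page cannot know closes it. All names, the session store and the scenario are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

SESSIONS = {}  # constructed session store: session id -> {"user", "csrf"}

@dataclass
class Request:
    cookies: dict                              # attached by the browser automatically, even cross-site
    form: dict = field(default_factory=dict)   # fields the submitting page chose

def login(user):
    """Create a session; the CSRF token lives server-side, tied to the session."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def transfer_vulnerable(req, balances):
    """Only checks for a live session: the exact check a cross-site POST passes,
    because the victim's browser sends the session cookie along with it."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "no session"
    src, dst, n = sess["user"], req.form["to"], int(req.form["shares"])
    if balances.get(src, 0) < n:
        return "insufficient"
    balances[src] -= n
    balances[dst] = balances.get(dst, 0) + n
    return "ok"

def transfer_protected(req, balances):
    """Same, but the form must carry the token embedded only in pages served to
    this session; a form built on another site has no way to obtain it."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "no session"
    if not secrets.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return "csrf check failed"
    return transfer_vulnerable(req, balances)  # token verified; apply the transfer

def demo():
    """Constructed scenario: victim is logged in; a foreign page submits a transfer form."""
    sid = login("victim")
    forged = Request(cookies={"session": sid}, form={"to": "attacker", "shares": "1"})
    b1 = {"victim": 5}; r1 = transfer_vulnerable(forged, b1)   # goes through
    b2 = {"victim": 5}; r2 = transfer_protected(forged, b2)    # rejected, balance untouched
    legit = Request(cookies={"session": sid},
                    form={"to": "friend", "shares": "2", "csrf": SESSIONS[sid]["csrf"]})
    b3 = {"victim": 5}; r3 = transfer_protected(legit, b3)     # real page with token: ok
    return r1, b1, r2, b2, r3, b3
```

The 2-factor code Ukyo mentions plays the same role as the token here: a value the forged request cannot supply, so the check has to be on the transfer request itself rather than only at login.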