Bitcoin startup Purse said today that 10.235 BTC (roughly $2,500) in customer funds were stolen over the weekend during a security incident.

Eleven customers had their accounts emptied, according to Purse representatives, who reported they had covered the bitcoins withdrawn with company funds.

Claims that funds were stolen first emerged over the weekend, with customers reporting that they had received emails about password resets and withdrawals. Purse.io’s website was later taken offline for several hours.

The bitcoin-focused e-commerce company said on 11th October that it believed one of its email service providers had been compromised. At the time, the company said that “all funds are secure”.

CEO Andrew Lee told CoinDesk that funds controlled by the company were temporarily moved into an offline wallet following the shutdown, including its profit accounts, while the team began investigating the thefts.

“We actively monitor our customer liabilities against the funds we control. During our downtime, we determined funds we control exceeded customer liabilities [and] the unauthorized withdrawals (10.235 BTC) implying user funds were secure,” he said in an email. “Profit from one to two days was used to reimburse the withdrawals.”

Lee added that Purse “will publish technical details of the attack in the coming days”. He also denied reports that funds were stolen from accounts with active two-factor authentication (2FA).

“No accounts with 2FA enabled before the attack were affected. Reports of accounts with 2FA being compromised are not accurate. Some users enabled 2FA after they received reset password emails,” he said.

Theft image via Shutterstock