In September 2013 my company Tealet started to accept bitcoin as payment via the service Coinbase. We have been extremely happy with the result and the amazing support we have received from the Bitcoin community.

Since launching, our monthly average percentage of revenue in bitcoin is 20% (in the first 5 months of launching we saw 40% revenue in bitcoin). Although we started out by converting all transactions to USD immediately, we started to hold onto a minimal account to be used to pay our employees and certain invoices.

Bitcoin and cryptocurrency are so important to our business because we do many international transactions. Convenient services that are available now can cost us up to 12% in fees. We recently welcomed our first B2B client that is purchasing their tea wholesale utilizing bitcoin they received in their tea shop. By closing the loop Tealet can reduce payment costs from 15% to 1% from consumer to producer.

Last night I received a transactional email from Coinbase stating that a significant amount of bitcoin (all of the bitcoin in our account) was sent to an unknown address. I knew I did not authorize this payment; we had been hacked. My heart sank. All the love I have shown for Bitcoin and the encouragement I have given to other merchants to accept it, and this is the karma I get?

Even though our Coinbase account was hacked, we still have 1 Bitcoin left (our dog’s name is Bitcoin).

I called our rockstar developer Cody Moniz to see if he knew what was going on. Within 5 seconds he went through our Coinbase account and servers to see that the payment was authorized through Coinbase’s API, but who could have access to the keys?

Our junior developer was frantically searching Coinbase for support and answers on how we could stop the payment (which we learned is impossible due to the nature of bitcoin). He realized that perhaps he could have done something wrong that jeopardized our security. He traced back his steps and realized that, without knowing what he was doing, he pasted a file which contained all of tealet.com’s passwords onto the internet! He’s sorry, to say the least, and is walking away from this experience a much smarter developer. A hacker accessed this information and found the ease of sending bitcoin payments to their address via Coinbase’s API.

We quickly resolved the security issue by changing all our passwords and API keys. Cody mentioned that we could send a message to the person that took our bitcoin and ask them to send it back. I thought it was a crazy idea, but why not. Utilizing his own address, Cody sent a transaction to the address our bitcoin was sent to that read:

Hey man, this is the original developer of tealet.com. We’re a small tea startup, and we’re trying to bring Bitcoin to the masses. Our new developer did something incredibly stupid and posted our password file to pastebin. We would appreciate it if you could send the bitcoins back to this address. Mahalo!

Within seconds a majority of the bitcoin that was taken was sent back to Cody (all but 1 bitcoin was returned). WTF! It worked, well, kind of.