Please note that we have changed the title of this article from the previous one which said Golix had been hacked because Golix reached out and said the platform itself had not been hacked but some of their users had their email accounts compromised which is technically different.
Zimbabwe’s most visible cryptocurrencies exchange, Golix, has been hacked. The exchange disclosed the hack this evening in an email to customers.
According to the email, a limited number of account holders had their accounts accessed by “unsolicited third parties” in the past 3 weeks. The startup blames the hack on poor security practices by its users. Apparently, the hackers compromised users’ email accounts and used that to gain access to their Golix accounts.
Once in, the email says, the hackers converted funds between individual users’ cryptocurrencies and USD wallets, and also bought some cryptocurrencies. They were, however, apparently not able to withdraw funds from the exchange. This implies that users didn’t lose any value. Golix says all the withdrawals that happened did so with “full verification.”
The message does not make it clear if Golix has done a full investigation and determined the exact extent of the breach, so more updates will likely be coming from the startup.
Even though the message indicates that no withdrawal of funds happened, the startup uses the words “without full verification“, and as far as we can tell, this does not rule out malicious withdrawals made to appear verified.
In addition, since some unauthorized buying of cryptocurrencies happened, users could have also lost or gained value from the trading that happened. Cryptocurrencies are highly volatile and any conversion from one currency to another can result in significant changes in the value of one’s portfolio.
Golix used the email to advise its users of some security tips.
Here’s the full message
Please be advised that in the three weeks leading up to the 12th of March 2018we noticed that a limited number of Golix accounts fell victim to unsolicited third party access.
The information gathered so far indicates that this malicious activity was carried out through compromised user email accounts.
As a result of this intrusion, affected users have noticed some changes to their accounts such as the conversion of their cryptocurrencies and/or the acquisition of additional cryptocurrencies through already held US dollar balances.
This issue is a priority for us, as are all matters pertaining to account security.
We have a technical team that has been making changes to our systems and has already put in place measures that prevent the withdrawal of any form of currency from users accounts.
Thanks to these efforts, we have successfully ensured that no funds are withdrawn from any account without full verification.
These measures, however, cannot work in isolation.
For additional security protocols, we encourage you as a Golix account holder to do the following
- Change your Golix account password by clicking on “Forgot password” before you login into your account
- Enable two factor authentication using Google Authenticator on your Golix account
- Change your email password
- Enable two factor authentication on your email account using Google Authenticator or other 2 factor options that are not SMS that may be provided by your email provider
- Do not use the same password for both your email and your Golix account
- If possible, use a password generator to generate the email password for you
- Avoid accessing your internet service over unsecure / untrusted internet services that you do not know are legitimate and verified internet providers
- Avoid using your name, surname, children’s names birthdays and other common attributes as your password
- Avoid accessing your email and Golix account on public internet services like internet cafes
- Do not share your password for any account you have with anyone
- Take note of possible phishing attacks on your email – these are “attacks” that trick you into clicking on links in suspicious emails that come through your account which may lead to loss of private data
- Please safeguard your privacy when it comes to information about your Golix account or how you deal with cryptocurrencies. Be very cautious about sharing unnecessary information about these issues, especially on public forums like WhatsApp and Telegram Groups and on social media.
If you have any challenges with your account please contact us via email or on any of our numbers and social media platforms.
The Golix Team
As far as we know, Golix currently allows users to login without 2-factor authentication (unless this changed today). It also allows users to make purchases of cryptocurrencies without any verification of those internal transactions. Two-factor authentication is however required to make withdrawals from the exchange.
It is generally discouraged to use exchanges to store one’s cryptocurrencies. Traders and investors are encouraged to have their cryptocurrencies on an exchange only when they want to trade them, and afterward, to move them to dedicated wallet services.
Currently, Bitcoin (cryptocurrencies in general) are not regulated in Zimbabwe, which means any customers of Golix that lose their money are not protected by the financial regulations of the country.