Hackers have cleaned out around $103,000 worth of Bitcoin from accounts protected with passwords, instead of the the long cryptographic keys normally required.
This is according to a report on Ars Technica, citing a recently published research paper titled “The Bitcoin Brain Drain: A Short Paper on the Use and Abuse of Bitcoin Brain Wallets”.
Called “brain wallets”, security experts had long warned that the alternative security measure is a bad idea and should not be used.
Brain wallet passwords do not use a cryptographic salt and are passed through a single iteration of the SHA–256 hashing function.
A form of these insecurely hashed passwords are also stored in the Bitcoin blockchain, giving hackers everything they need to compromise the accounts.
The paper tracked attacks over a six year period, and found that hackers had cracked the passwords of 884 brain wallets, taking 1,806 Bitcoins.
“In total, approximately $100K worth of bitcoin has been loaded into brain wallets, with the ten most valuable wallets accounting for over three-quarters of the total value,” the researchers said.
“Many brain wallets are drained within minutes, and while those storing larger values are emptied faster, nearly all wallets are drained within 24 hours.”