Yep. It happened to me. We all know to be careful with API keys.
I already knew this, and thought I had taken precautions to make sure this wouldn't happen. But, for convenience (not so convenient now), in programming a tool for managing crypto portfolios, I stored my API keys in a file in the project folder. I made sure it would be ignored when I posted my code, but when I created the repository to host the code, it provided its own .gitignore, overwriting the one I made. Then it happened.
I posted the code at 10pm and by 2am a BTC withdrawal was made on my account and by 6am all the ETH was gone too. GitHub helps make it easier for thieves with their Search API. Luckily they left me with $3.70 USD :(. I have my portfolio on my Pebble watch so I knew something was wrong when I woke up. However, it wasn't until manually scraping through all the transaction history that I thought to check my repo, and to my horror, the file with my keys was up. They were scooped up and exploited and within 8 hours they cleaned me out. A new bitcoin wallet was created to transfer the funds and a $200 expedite fee was paid to get the transaction in the block as fast as possible.
I'm posting the stolen transactions (since blockchain makes everything public) for posterity.
Here is a list of the transactions:
- 0.09772308 BTC transaction hash: acc088ba5083f620bb22332bbe637967b3aa7375441f85b3c868980cf9cff9e4
- 0.54054114 ETH transaction 1 hash: 241bd9eaa7ed02f8a7ffce0e79375a4a3e3813a0dc0616c10946e623983118d6
- 2 ETH transaction 2 hash: e73c315ff6c5b8b6d88f3273e835515771884aa7afb5de1cd613a241a0b8d965
- 0.92 ETH transaction 3 hash: b5d30b9c360a1999abe8b4bb2f0a8c5b40039fe56fd936527bedd4c9e7804fbd
Ideas for prevention
Besides the obvious "don't post your API keys":
- Exchanges could scan for public keys and disable them
- Use this git hook I wrote: Git Hook API Key
- Lower permissions on API keys (don't allow withdrawal permissions)
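
To illustrate the git hook idea from the list above, here is an added example of a pre-commit check; it is not the hook linked in the post. It refuses a commit when a staged file has a credentials-style name or assigns a long, high-entropy value to a key-like variable, so it still fires when a replaced .gitignore stops protecting the file. The file names in `BLOCKED_NAMES`, the regex and the entropy threshold are assumptions for illustration, not any exchange's real key format.

```python
#!/usr/bin/env python3
"""Pre-commit hook sketch: block commits whose staged content looks like API credentials."""
import math
import re
import subprocess
import sys
from collections import Counter

# Assumed heuristic: a key-like name assigned a token of 20+ characters.
ASSIGNMENT = re.compile(r"""(?i)\b[\w-]*(api[_-]?key|secret|token|passphrase)[\w-]*["']?\s*[:=]\s*["']?([A-Za-z0-9+/=_\-]{20,})""")
# Hypothetical names for local credential files that must never be staged.
BLOCKED_NAMES = {"keys.json", "secrets.json", ".env", "api_keys.txt"}

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_secrets(text, min_entropy=3.5):
    """Return (line_number, matched_keyword) for lines assigning a high-entropy value."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.search(line)
        # Low-entropy values (placeholders such as "xxxx...") are not reported.
        if m and entropy(m.group(2)) >= min_entropy:
            hits.append((lineno, m.group(1).lower()))
    return hits

def staged_blobs():
    """Yield (path, content) for files added, copied or modified in the index."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
                         capture_output=True, check=True).stdout
    for path in filter(None, out.decode().split("\0")):
        # ":path" reads the staged version, which is what would be committed.
        blob = subprocess.run(["git", "show", f":{path}"], capture_output=True, check=True).stdout
        yield path, blob.decode("utf-8", errors="replace")

def main():
    problems = []
    for path, content in staged_blobs():
        if path.rsplit("/", 1)[-1] in BLOCKED_NAMES:
            problems.append(f"{path}: credentials file is staged")
        problems += [f"{path}:{n}: looks like a hard-coded {kw}" for n, kw in find_secrets(content)]
    for p in problems:
        print("commit blocked:", p, file=sys.stderr)
    return 1 if problems else 0

if __name__ == "__main__":
    sys.exit(main())
```

Saved as `.git/hooks/pre-commit` and made executable, it runs before every commit in that clone. Hooks are not copied by `git clone`, so each working copy needs its own install.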