Thunder Terminal Hack Leads to More Than 86 ETH and 439 SOL Drained
Trading platform Thunder Terminal was hacked yesterday, with more than 86 ETH and 439 SOL lost from the protocol, the team announced in a thread on X late on Dec. 27.
According to Thunder Terminal, the attack was due to a vulnerability in third-party database software, which enabled a malicious actor to execute transactions from user accounts. “At 12:11:47 AM UTC, suspicious withdrawals started getting sent through Thunder wallets. A malicious actor got access to a MongoDB connection URL, which they used to pull session tokens and execute withdrawals on behalf of users,” they posted.
MongoDB, a database management firm that helps clients like Adobe, eBay, and the U.K.’s Department for Work and Pensions manage their enormous data repositories, announced on Dec. 18 that a security incident had exposed some customer account metadata and account information. On X, web3 community members responded incredulously to the possibility that Thunder Terminal had not taken steps to mitigate risk from exposure to the Mongo hack. “MongoDB literally got hacked LAST WEEK—how do you not move all data and rotate everything after seeing this headline?” asked Delegate founder 0xfoobar.
“So MongoDB Atlas gets hacked and data leaked on the latest, December 17th. And yall didn’t rotate credentials? Not even once? ‘A malicious actor got access to a MongoDB connection URL’—bro I wanna lmao but this is just embarrassing,” FindMyENS builder aaalex.eth posted on X.
nft now reached out to aaalex.eth to hear more of his thoughts on the platform’s announcements. He suggested that the data lost by MongoDB could contain very sensitive information, enabling hackers to steal from MongoDB’s clients like Thunder. “Thunder claims they were hacked due to an exposed connection url. A connection url is an endpoint allowing you to connect to a database. The problem is, connection urls can make up the database endpoint, plus username, plus password. So it’s extremely sensitive,” he told us.

According to aaalex.eth, when crucial third-party software is attacked, the companies that use it will have been notified—and must respond. “MongoDB Atlas, which is a public cloud MongoDB service, was hacked and customer data was leaked. When this happens, MongoDB, like any other company, will send internal emails to customers outlining the severity of the incident and what they should do to protect themselves. Thunder claims this database was used to hold user session data, including keys to sign transactions on behalf of the customers—so it sounds like [Thunder Terminal] didn’t do their due diligence and change authentication credentials (because their authentication credentials make up the connection url),” he explained.
Aaalex.eth applauded the quick, open response from Thunder. “It should be mentioned that Thunder’s transparency in revealing all of this, no matter how embarrassing it was, should be applauded & appreciated,” he said.
Another way Thunder Terminal may have been left vulnerable is that IP addresses outside its organization were able to access its database. “Even if the MongoDB credentials were compromised, an IP whitelist policy should’ve been in place preventing arbitrary outside access to the DB. The DB should only be accessible internally. We talk a lot about contract security, but infrastructure security matters just as much,” wrote developer 0xCygaar on X.
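The two points raised above, that a connection URL can carry the endpoint, username and password in one string (so the whole string is a secret to rotate) and that a database should refuse connections from addresses outside an IP allowlist, can be checked mechanically. The following is an added example written for this article, not code from Thunder Terminal, MongoDB or any of the people quoted. The connection URL, hostnames and address ranges are constructed for the demonstration, and the function names are the example's own; the only real MongoDB behaviour it relies on is the connection-string format and the `tls`/`ssl` option.

```python
"""Inspect a MongoDB connection URL for embedded credentials, redact it for
logging, and check a client address against an IP allowlist.

Added example: not Thunder Terminal's or MongoDB's code. Every sample value
below is constructed."""
from urllib.parse import urlsplit, urlunsplit, unquote, parse_qs
import ipaddress


def parse_mongo_url(url: str) -> dict:
    """Split a mongodb:// or mongodb+srv:// URL into its parts.

    The userinfo section before '@' may hold 'username:password', which is
    why a leaked connection URL is equivalent to leaked credentials."""
    parts = urlsplit(url)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError(f"not a MongoDB connection URL scheme: {parts.scheme!r}")
    userinfo, _, hostinfo = parts.netloc.rpartition("@")
    username = password = None
    if userinfo:
        user_part, _, pass_part = userinfo.partition(":")
        username = unquote(user_part)
        password = unquote(pass_part) if pass_part else None
    return {
        "scheme": parts.scheme,
        "username": username,
        "password": password,
        # replica-set URLs list several comma-separated hosts
        "hosts": [h for h in hostinfo.split(",") if h],
        "database": parts.path.lstrip("/") or None,
        "options": {k: v[-1] for k, v in parse_qs(parts.query).items()},
    }


def redact_url(url: str) -> str:
    """Return the URL with the password masked, safe for logs and tickets."""
    parts = urlsplit(url)
    userinfo, at, hostinfo = parts.netloc.rpartition("@")
    if not at:
        return url
    user_part, colon, _ = userinfo.partition(":")
    safe_netloc = f"{user_part}{':***' if colon else ''}@{hostinfo}"
    return urlunsplit((parts.scheme, safe_netloc, parts.path, parts.query, parts.fragment))


def ip_allowed(client_ip: str, allowlist) -> bool:
    """True only if client_ip falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowlist)


def assess_exposure(url: str, client_ip: str, allowlist) -> list:
    """Return short finding codes a defender would raise for this setup."""
    findings = []
    info = parse_mongo_url(url)
    if info["password"] is not None:
        findings.append("embedded-password")      # rotate the credential, not just the URL
    opts = info["options"]
    # +srv turns TLS on by default; plain mongodb:// leaves it off unless asked for
    default_tls = "true" if info["scheme"] == "mongodb+srv" else "false"
    if opts.get("tls", opts.get("ssl", default_tls)).lower() == "false":
        findings.append("tls-off")
    if any(ipaddress.ip_network(n, strict=False).prefixlen == 0 for n in allowlist):
        findings.append("open-allowlist")          # 0.0.0.0/0 is no allowlist at all
    elif not ip_allowed(client_ip, allowlist):
        findings.append("client-not-allowlisted")  # the connection should be refused
    return findings


# Constructed sample values (hypothetical cluster name, password and ranges).
SAMPLE_URL = "mongodb+srv://app_user:s3cr3t-pass@cluster0.example.net/sessions?retryWrites=true&tls=false"
ALLOWLIST = ["10.0.0.0/8", "192.168.1.0/24"]

if __name__ == "__main__":
    print("logged as:", redact_url(SAMPLE_URL))
    print("internal client:", assess_exposure(SAMPLE_URL, "10.2.3.4", ALLOWLIST))
    print("external client:", assess_exposure(SAMPLE_URL, "203.0.113.9", ALLOWLIST))
```

The allowlist check here runs on the application side for illustration; in a hosted deployment the equivalent control is the database service's own network access list, which is enforced before any credential is even presented.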
Thunder Terminal reacted quickly to the attack. “No one’s private keys are compromised. Only 114 wallets out of over 14,000 were affected. Funds are safe going forward. We stopped the attack in <9 minutes,” they posted at 8 pm EST on Dec. 26.
The hacker contested this in an on-chain Input Data Message and tried to extort the team. “All lies. Also we have all the user data. 50 ETH and we will delete the data,” they wrote.
In its incident report, the Thunder Terminal team committed to fully refunding all affected customers and providing them with $100,000 in credit and 0% fees on their platform.
They said they contacted their legal team and the FBI and are conducting a full security audit. They also announced that they will implement two-factor authentication for withdrawals and increase the security of session issuing on their platform.
The Thunder Terminal website, which the team took offline overnight, remains down as of this writing. Project founder Jackson said the site would go back up later today. “Additional security measures will be put into place before it goes online. Refunds will be issued soon. Deep clean still underway,” he wrote on X.
Security researcher Plumferno told nft now that the lesson to be learned is overcoming the natural human drive to put security fixes off. “It makes me doubt they didn’t know about it and were likely just of the ‘we can fix this later’ mindset. That seems to always be the case with security, it gets pushed to the back burner in favor of more ‘fun’ or visible ways to spend time and money. That, of course, always bites you in the ass, regardless if it’s something like Thunder or Ledger or any rando web3 project not taking proper steps with their security. So many people take shortcuts, and it’s NEVER important until it’s too late,” she said.