The following is a translation of IndieSquare's announcement post.
To begin with, we'd like to extend our apologies to the users of this service
and related persons affected by this incident. We're profoundly sorry that it
took so long for us to resolve this incident and get to the point of resuming
service, and that we kept you in the dark.
To briefly recap: on 1 September 2018, an unauthorized party was able to
access the hot wallet in use by Monappy and drained the wallet's Monacoin
balance. In response, to prevent further damage to customer assets and to
perform a root cause analysis, the service was taken offline. Since then, we've
completed improvements to secure the system as well as improvements to the
administrative side of the service, and are pleased to announce that we are
making final preparations to reopen the service on 7 October, 2019.
Going forward, we will be periodically auditing the service and making security
improvements wherever possible, and hope to regain your trust in the process.
As the service reopens, affected users will be fully reimbursed for damages.
Details are below:
Reimbursement amount: 93078.7316 mona
Reimbursed persons: 7735 people
Reimbursement procedure: Once the service reopens, affected persons may log in
to their account and withdraw their Monacoin balance as normal.
Service Reopening Details
In order to provide the safest environment for the affected Monappy users to
withdraw their funds, only a subset of users will be able to access Monappy at
first. We will be increasing this number regularly, so we hope for your
cooperation during this process.
On 7 October, 2019 at 10AM JST, an email from an @monappy.jp email address will
be sent to all existing Monappy users regarding the reopening.
- On login to Monappy, you will be strongly urged to withdraw your funds to a
safer wallet (tl note: an offline wallet on your PC, for example), leaving
only the bare minimum you need in your account (tl note: should you want to
keep using the service).
- Please note, if you make a mistake with the recipient address during the
withdrawal process, due to the nature of blockchain we will be unable to
assist you in this matter. Please double check your address before clicking
- Should there be a rapid increase of traffic or some other unforeseen problem,
we may temporarily suspend the service without notice.
- You may not be able to log in to your account if accessing from a different IP
address than before. If this turns out to be the case, please email firstname.lastname@example.org.
- For those accounts with significantly large balances, identity verification
may be required.
- We expect all users to be able to start using Monappy in approximately 1-2 weeks.
- We will never ask you for your email address or password on the basis of this
incident via any communication method, including email, phone and postal mail.
- We will never send you any email including an attachment regarding this
incident. Please do not open any if you do receive something like this.
- We will never ask you to input your Monappy account's email address or
password on a domain other than monappy.jp. Please take due caution if you
receive a suspicious email requesting you to do so.
- Should we discover an issue not currently known, we may postpone reopening of
the service to a later date without prior notice.
Events Leading Up to Reopening
In an effort to restore service, IndieSquare has hired a new team member who has
experience with cybersecurity and supporting financial systems.
During this process we revised the application's architecture in an endeavor
to improve security, which includes changes to the monitoring system as well.
We intend to introduce changes as needed along the way in an attempt to keep
the service secure.
(tl note: I'm leaving this part untranslated as it's just review of what
architectural changes they made, much of which should be matter-of-fact
knowledge to system administrators. main thing for non-nerds is that there's
more anomaly detection. also, I'm tired.)
In accordance with amendments to the Payment Services Act to go into effect in
April 2020, we intend to remove the service's dependency on a hot wallet. We're
also looking to develop integrations between Monappy and dApps, so that users
can eventually have full control over their private keys.
standard apology and forward looking statement here
The translator of this article can be found on Twitter at @sleepingkyoto.
Please send any corrections that way if needed. The translator is not affiliated