The 2018 Cryptocurrency Exchange Breach
A major cryptocurrency exchange lost $30 million due to missing security headers. Attackers exploited three gaps in its HTTP responses:
- No Content-Security-Policy (CSP), which allowed malicious script injection (XSS)
- Missing X-Frame-Options, which enabled clickjacking of its pages
- Absent Strict-Transport-Security (HSTS), which permitted SSL stripping of the initial http:// request
Attack Timeline
- Day 1, reconnaissance: attackers scanned the exchange's responses for missing security headers
- Day 3, exploitation: an XSS payload was delivered and executed because no CSP restricted script sources
- Day 5, attack execution: user credentials were stolen through clickjacking of the unprotected pages
Header Analysis of Breached Sites
| Header | Breached sites missing it (%) | Attack vector enabled |
|---|---|---|
| Content-Security-Policy | 92% | XSS, code injection |
| X-Frame-Options | 85% | Clickjacking |
| Strict-Transport-Security | 78% | SSL stripping |
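The three headers above are easy to check for on your own responses, and "present" is not the same as "effective": a CSP with `'unsafe-inline'`, an `X-Frame-Options: ALLOW-FROM` value, or an HSTS `max-age` of a few minutes would each count as "set" in a naive scan while still enabling the attack in the table. The following audit script is an added example written for this page (not code from the original article or from any exchange); it works on a plain dict of response headers, so it runs offline on the constructed samples at the bottom, and the recommended values it ships are an illustrative baseline, not a universal policy.

```python
"""Audit an HTTP response header set for CSP, X-Frame-Options and HSTS.

Added example; not code from the original page. Input is a dict of
header name -> value, as returned by any HTTP client library.
"""
import re

# Illustrative hardened baseline (assumption: tune CSP to the app's real sources).
RECOMMENDED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

HSTS_MIN_AGE = 31536000  # one year in seconds; the usual minimum for a meaningful policy


def _get(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_csp(headers):
    """Return findings for a missing or script-permissive Content-Security-Policy."""
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        return ["CSP missing: injected scripts run unrestricted (XSS)"]
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src governs scripts; default-src is the fallback when it is absent.
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        return ["CSP has neither script-src nor default-src: scripts unrestricted"]
    findings = []
    # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+).
    has_nonce_or_hash = any(t.startswith("'nonce-") or t.startswith("'sha") for t in script_src)
    if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
        findings.append("CSP allows 'unsafe-inline' scripts: inline XSS payloads still execute")
    if "*" in script_src:
        findings.append("CSP script sources include '*': any origin may serve scripts")
    return findings


def check_framing(headers):
    """Return findings if the page can be framed by other origins (clickjacking)."""
    xfo = _get(headers, "X-Frame-Options")
    csp = _get(headers, "Content-Security-Policy") or ""
    has_frame_ancestors = "frame-ancestors" in csp.lower()
    if xfo is None and not has_frame_ancestors:
        return ["No X-Frame-Options and no CSP frame-ancestors: page can be framed"]
    findings = []
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options {xfo!r} is not DENY/SAMEORIGIN; "
                        "ALLOW-FROM and unknown values are ignored by current browsers")
    return findings


def check_hsts(headers):
    """Return findings for a missing, invalid or short-lived HSTS policy."""
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        return ["HSTS missing: an http:// request can be downgraded (SSL stripping)"]
    findings = []
    match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
    if not match:
        findings.append("HSTS has no max-age: header is invalid and ignored")
    elif int(match.group(1)) < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age={match.group(1)} is below one year; policy expires too quickly")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains: subdomains remain downgradable")
    return findings


def audit(headers):
    """Map each header in the table to its findings; an empty list means it passes."""
    return {
        "Content-Security-Policy": check_csp(headers),
        "X-Frame-Options": check_framing(headers),
        "Strict-Transport-Security": check_hsts(headers),
    }


def missing_headers(headers):
    """Names of recommended headers that are absent entirely (what the table counts)."""
    return [name for name in RECOMMENDED_HEADERS if _get(headers, name) is None]


# Constructed sample: none of the three headers, like the breached sites in the table.
WEAK_RESPONSE = {"Content-Type": "text/html; charset=utf-8", "Set-Cookie": "session=abc123; Path=/"}

# Constructed sample: headers present but with values that still permit each attack.
LAX_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Strict-Transport-Security": "max-age=300",
}

HARDENED_RESPONSE = {"Content-Type": "text/html", **RECOMMENDED_HEADERS}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("lax", LAX_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label}: missing {missing_headers(response) or 'none'} ==")
        for header, findings in audit(response).items():
            for finding in findings:
                print(f"  [{header}] {finding}")
```

Run it against headers captured from your own staging environment; the point of the "lax" sample is that a scan which only asks "is the header present?" would have passed it, while each of its three values still leaves the corresponding row of the table exploitable.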