Finnish Bitcoin startup LocalBitcoins has confirmed that a third party vulnerability led to an unauthorized source to hack its system. LocalBitcoins has since suspended its forum in an attempt to prevent further threats.

The phishing attack first came to light on Reddit (Jan 26), where LocalBitcoins subsequently posted a confirmation on the incident. It said it had identified the cause of the vulnerability to be related to a third party software it was using, which led to a security flaw that the unauthorized source exploited to break in and make several transactions.

It is currently unclear at the time of writing the total number of users affected or how much Bitcoin may have been lost, if any. Cryptoslate said it is not known if wallets were compromised or if any Bitcoin was indeed stolen. Bitcoinist, however, reported that as much as 7.95BTC or around $27,700 might have been taken already.

LocalBitcoins said it was “determining the correct number of users affected” but has confirmed at least six cases. In its Reddit post, it added:

“For security reasons, the forum feature has been disabled until further notice. Outgoing transactions have already been re-enabled and we have taken a number of measures to address this issue and secure the limited number of accounts that might have been at risk.”

LocalBitcoins also reassured users that their accounts are “currently safe to log in and use – we encourage you to enable Two-Factor Authentication, if you have not yet”.

One user was reported by crypto media as saying that when account holders visit the LocalBitcoins website, they are prompted to log in, as if they had been logged out. Logging in then allows the hacker to phish the info needed to hack those accounts.

Another user shared that he might have been a victim after his wallet containing 0.14 BTC ($488) was cleared out.