Many new users who open Bitcoin online accounts with exchanges or online wallet programs do not fully understand the ramifications of the “API Key.” API stands for “Application Programming Interface.” This key allows for programs to interface with your account. For instance, if you have a computer program that makes automatic trades to your account. Even if you have added security to log into your account, such as 2-factor authentication where a second password is sent via text to your smart phone or a hardware key is needed to be plugged into a USB port the API key will bypass this.
One reported case involved someone who created their account without 2-factor authentication because they had not yet made deposits. Once they made deposits they enabled 2-factor authentication. However, someone had already hacked their way into the account and created an API key. They then proceeded to make withdrawals. From the perspective of the exchange operator they cannot tell if is was actual theft or a scheme by the account holder to try to get a refund they do not deserve.
In another case someone had created an API key when they opened their account and forgot about it. Now the key was somehow compromised and it was used to bypass the 2-factor authentication protection they had on their account. It would be prudent for exchange operators to provide extra confirmation steps before an API key is created so the users is better informed of the risks.
