Bitcoin Forum

Just in case anyone missed the past few day's of downtime.  Change your passwords!  And secret question if you use it.  Everyone I think should have gotten email saying this as well.

I also should have said this earlier but I suggest all to stake a btc address - https://bitcointalk.org/index.php?topic=1068013.msg11448313#msg11448313

I for one did not realize how much I would miss this forum.  Great to have it back up!


All accounts should have received this email a day or two ago:


You are receiving this message because your email address is associated
with an account on bitcointalk.org. I regret to have to inform you that
some information about your account was obtained by an attacker who
successfully compromised the bitcointalk.org server. The following
information about your account was likely leaked:
 - Email address
 - Password hash
 - Last-used IP address and registration IP address
 - Secret question and a basic (not brute-force-resistant) hash of your
 secret answer
 - Various settings

You should immediately change your forum password and delete or change
your secret question. To do this, log into the forum, click "profile",
and then go to "account related settings".

If you used the same password on bitcointalk.org as on other sites, then
you should also immediately change your password on those other sites.
Also, if you had a secret question set, then you should assume that the
attacker now knows the answer to your secret question.

Your password was salted and hashed using sha256crypt with 7500 rounds.
This will slow down anyone trying to recover your password, but it will
not completely prevent it unless your password was extremely strong.

While nothing can ever be ruled out in these sorts of situations, I do
not believe that the attacker was able to collect any forum personal
messages.

I apologize for the inconvenience and for any trouble that this may cause.

never used a secret question, well i did use it at the beginning then i removed it, not needed i think, i received an email with this exact text information, but the forum was down at that moment

besides the password if they stole you the others info, it's not a big deal i suppose, especially with dynamic ip and if you used a trash email for your registration

The IP is kinda a pain.  I need to have a time when I can release and renew on my router a few times to try to get a new IP.   

That is a good point if you have the ability to change your IP it is also a good idea to do so. 

Yeah I never bothered with the secret question either, I'd have probably forgotten what it was by now anyway (writing it down kind of defeats the point of it being secret ;)).
Already changed my password just in case, not really fussed about my email as it's a throwaway used to register this account.

Was only the password hash leaked? What are the chances of someone finding a password once its been hashed with sha256crypt 7500 rounds? Wouldn't they be limited to dictionary attacks?

i have never received the email.

but now i changed my password and secret question. the previous password was strong and only were used here so i am not worried i changed it to a newer and stronger one.

and the email i used here is already receiving spam, but it is a shame that all Email addresses was compromised :(

The forum had been down several days, there were some posts on the web about it.  The site owner had taken the forum down several time to investigate the issue.
Did the email reach your spam folder by any chance? :)

Just Now received the same email from bitcointalk.
Thanks theymos for Informing us about this issue,

I regularly change my passwords for all my accounts on all the sites I register as a rule any way, so it's not such a big deal.

It's the accounts with the short passwords and the ones where people rarely change passwords, where the trouble starts.

Nothing is bulletproof, but you have to mix things up to make it more difficult.  >:(

Hope this is the end to all of these hacks... kudo's for everyone involved in the restoration of the forum.  ;D

thanks for the information . i have recently changed my password .
it was a ache all over to know that the site is down . but happy to know its back up again.

I changed my password, it's the first thing I did when I logged in just now, I didn't read the email but I was following what was happening through bitcointalk twitter and I read there that password hashes were compromised.

I never used a secret question so there was nothing to be changed there. Do one has to change his email also? I didn't change it because if it was already leaked then nothing can be done now and all you have to do is deal with extra spam that will probably come there.

I suggest reading theymos post: https://bitcointalk.org/index.php?topic=1067985.0

It depends on length of password, and what was taken.   And things such as IP i would not guess are to long.  So it's hard to say.   I hope nothing comes out as far as info but guess we will see over time.

I think it's quite weird that you can change your email address without first accepting the change via an email sent to the old email address. The hacker can change everything this way.

Confirming every important profile change via an email sent to the main email address is normal nearly everywhere, but here not.  :-\

I ain't receiving any spam email like the others here do. I only receive quoted replies to my posts and that is all fine by me. Also, I once considered putting a secret question to my account but changed my mind after I learned that having one would make your account more vulnerable to hacking attempts instead of having a second layer of protection for your account. Well in any case, I changed my password now. It's been a year or so since I last changed it, and luckily my account isn't compromised in any way.

Also Highly Suggest to Stake a BTC address only you have access to.  You do it over in Meta - https://bitcointalk.org/index.php?topic=996318.0

It needs to be a btc address you can sign a message with.  You ask someone else to quote the address that way if you are ever hacked 100 percent and lose access it would allow you to get your account back. 

Done, thank you guys

thanks for this info , unfortunately I use the former password on a lot of sites. I hope the attacker does not sell this information to other attackers

After today I highly suggest stopping using that password.  I don't think we know if they have entire database.  But it is looking bad after today in meta.

Best is just to stop using it/change everywhere and if they sell it or try to use it you have rendered it useless.

looks like some signatures doesn't match and are leading to pishing sites.

So better type bitcointalk address before changing password than clicking in the link in email

Ok will do this for sure to prevent my account from hi- jacking

Still highly reccomend all that care about their account stake a bitcoin address: You do it over in Meta - https://bitcointalk.org/index.php?topic=996318.0

It needs to be a btc address you can sign a message with.  You ask someone else to quote the address that way if you are ever hacked 100 percent and lose access it would allow you to get your account back. 

With recent event's this is a very very good thing to have.

Never recieved this message. But it does tell you in the news of this site to change your password.

This thread has about lived it's life.  In a day or two I will lock it as it was only really for the day's after the forum attack.

If you have not I highly suggest looking into staking a address still.  It is a smart thing to do and really does not take long.

I noticed the site was down for a few days but did not check my e-mail about the need to change my password
Good to see it hasn't been hacked yet
Done and done thanks

I also suggest that WE somehow suggest a 3rd method to send a PGP encrypted mail to a central email address, with a key phrase. When your account is compromised, you could just ask the Mod or that person to open that message with your key, to show proof that it's your account.

The email cannot be opened without the key. I know Protonmail provides a option where you send encrypted email to any person, and they can only open it, with the decryption password. It redirects you to the Protonmail service to open the email.

This is good for now, but people change Bitcoin addresses and the hacker can wipe threads and possibly backups too, if it's not stored offline.

I think it would be clever to make a print screen of your post, just to be safe.  ;)

That is whole reason of having someone else quote your post.  They are the proof.  Chances of your post and their post both changing are very slim.

Obviously keep the btc address stored very safe even a paper wallet would work.  You use it to sign for forum.

As far as suggesting a third way meta would be place to do that.  I don't disagree with PGP being another good option.

I get emails and advised to change the password only and is not to change the secret question

Thanks for reminds, I just change my pass only, I'm not use secret question, that's important to set secret question?

Can you post email? You should change it aswell as it's possible it was taken.

I personally don't like it as it would allow change of password without email.  So if yo have a strong email password or better yet 2fa it really weakens your reset procedure.

Some use it, but I would stake a bitcoin address like I said.  And not use secret question.

well now I've changed the secret question I do not want to take risks I hope that this forum could use 2FA google auth

Last day of thread. Tomorrow it will be locked and let die as most everyone knows about breach.

I suggest staking a btc address if you have not yet.

Locking thread it has lived it's life.  No need for it anymore.

I still STRONGLY suggest staking a BTC address if you have not done it yet.