Bitcoin Forum

Attention users of primedice!!

I just created a new account with primedice and made a deposit. As I was playing, the BTC got withdrawn all of a sudden. It's either someone from the primedice team or a hacker who got hold of their database. Did anyone face this issue ?

I think the most common source of all account compromises are reusing passwords (and not using password managers in general). Was your password you used unique to the site? Or something someone could look up on leakedsource.com

the password is definitely unique to this site.

Did you contact their support? you know there are IP records for withdraw and deposits as well for registering and if you are telling the truth then it should be easy to investigate, you should also move this thread to gambling discussion. a few screen shots of deposit page and withdraw page is good as well.

there can be many possibilites why
most common are:
1.low password difficulty,some passwords can be bruteforced in under 1 hour
2.your machine is infected
3.you clicked links in chat or downloaded a script,"hash cracker" or a "100% winning script"
4.you gave your API to somebody else

it is not the first time I hear stories like that,coins just disappear from accounts
in 99.999% of the cases it is the user who is at fault
also if you bet high amounts of money,use 2fa
maybe you can check the tx and trace the thief,ask support for his ip hash and session details...but I doubt you will get your money back

Even if an attacker did get their hands on Primedice's database, they wouldn't have access to your credentials. That assumes that Primedice properly stores user credentials and you used a strong password, of course.

Apart from what RHavar already offered, another possibility to consider is that your entire computer may be compromised by malware. Malware specifically targeting Bitcoin gambling sites is not unheard of and if that is indeed the case it doesn't matter how unique your password is. In your shoes my first step would be to ensure that your computer is trustworthy.

I use a linux machine and I'm a developer myself. So, its highly unlikely that my machine is compromised. The password is quite strong. Are you sure its easy to investigate ? I've contacted their support already. Hoping to hear from them sooner than later.

I'm using PrimeDice almost since their beginning and I have never had such issues. Once I wasn't visiting the site for 3 months and when I logged in afterwards my money were still on my balance there. I've heard stories about people losing access to their accounts, but I have never heard that money were disappearing when someone was playing on the site. Is it even possible to log in to PrimeDice from different places simultaneously?

You know... Why if it's not?

I mean it happened to me aswell and ONLY on PD.
I'm not accusing them of course because I have 0 formal proof.

But neither you have when you say user is at fault.
What if PD is actually taking the funds from time to time, making everyone believe that it's user fault?

Again that's not an accusation! It might have been just me and every user to whom it happened that had a technical issue or a virus or... Something.

But in the same way it could have been PD ^^
The only thing I know is that I stopped playing here and it never happened anywhere else...

Same here (though I'm not a developper ^^)
If my machine is compromised... Well that's a poor virus because it infected ONLY PD

Someone recently lose his Bitcoin too but not in primedice but in rollin.io he was using seuntjie bot then suddenly all his bitcoin was withdrawn to an unknown address. this is the link where he opened that topic. https://bitcointalk.org/index.php?topic=307425.1780

My guess is malware since both the person just created an account in the dice site and passwords are both unique. Or try to check your emails they might have an access to your email because sometimes in bitcoin world we only use 1 email address.

I think Seuntjie bot site was compromised today and i hope it is recovered now.
To the OP prime dice is not compromised but you might have used an infected script .Sorry to hear about your loss.

No scripts used whatsoever!!

Just got a reply from their team saying that there is nothing they can do about it. If multiple users are effected and only on PD, it has to be something with their weak security or a loophole.

Fortunately for me, it was just 55$ but who's to be blamed if someone loses big money ? They were so casual in replying to me saying that my account may have been compromised. How can the account be compromised within 10 minutes of creating it I wonder!! NEVER Primedice again!!

Email me directly, stunna@primedice.com

the only thing i can think of here is your device have some malware or virus to steal your passwords once you typed it, i have a primedice account which i don't use often, maybe i just visit it once or twice a month and my balance there don't just vanished or something, everytime i logged in i can still see my balance in the account, never had any problem.

The exact same thing happened to me, but the blame was put on me. Why?

They said "you shouldn't deposit 10> btc all at once !-!!-!!-!-!-!-!!!-" but why not, if the site claims it's secure? I was using a clean machine and never used any scripts. This happened back in may or something, so I've given up hope that anyone going to give me any attention.

Let's hope you get your money back though.

If I'm not the wrong primedice has provided a 2fa function to secure our accounts so we should use it and if we don't want that account again can delete it easily. If we don't use security functions which site provided then, we can't blame them for our losses in this case.

At first glance Op's case is very similar to this problem https://bitcointalk.org/index.php?topic=1488696.0 (https://bitcointalk.org/index.php?topic=1488696.0)
Someone deposited 13 BTC and the money never showed as PD's balance. AFAIK in the end PrimeDice said it is entirely user's fault too.

done.

Not my first primedice account. Created multiple ones in the last one month. Could've easily been the other accounts too if my computer was infected I suppose.

13BTC is a lot of money. Isn't primedice responsible for investigating this ? Why is this community going so easy on them ?

how much did you lose ? why should we let them go easily if they keep robbing us this way ?

I lost about 0.5btc

and here is a list of the reasons why there is nothing that can really be done:
1/ We got no formal proof. In fact even if I suspect PD I have no idea if they're really guilty. The idea is plausible but I have no evidence of it
2/ PD is the oldest dice site with btc if I remember well. You can't erase that
3/ PD won the trust of bitcoin forum members, and this community is hard to get but once you have it it's impossible to lose it without a HUGE scam proof.
4/ PD is very responsive. That's not the usual scammer behaviour and you can't really expect much more from them. They're innocent until proven guilty

And most important:
5/ It's gambling with btc. We all more or less expect to lose money with gambling so gambling with btc? That's like doubling your chance of losing everything!

If you got proofs I guess we could do something, but even if I find all that a bit shady, I have no evidence whatsoever.

And I don't really see myself accusing Stunna of stealing me without proof xD

Proof ? I've a password unique for this site and strong enough that it would take years to decode using bruteforce. I've a machine that I'm sure is not compromised. I haven't used any scripts. and yet, it took the hacker less than 10 minutes to decode my password ? What other proofs do we need ? I'm convinced it's an insiders job.

That's no proof man ^^
First: you're saying things but not giving objective evidences that those things are true. How can we know that you're speaking the truth here, you might have downloaded a script or used a weak password as far as we know.
Second: it's not because it seems impossible that it is. So saying "it must be that" isn't a proof.

That's where it gets complicated, fact is that we have no solid evidence. But you can start a thread in the scam accusation sections saying that you SUSPECT dubious manipulation. I would back you up and I'm sure I would not be the only one. But the only thing we can do here is saying that things seem... Shady.

No way I'm formally accusing PD of stealing its users. As far as I know, they're innocent until proven guilty. It's just that... I don't see how I lost my 0.5btc if it was not an inside job. I don't see other solution, but that doesn't mean there is none.

That's not a bad idea. I'll wait for Stunna's reply before I start a thread on the Scam Accusation board.

I'm in primedice since 2013, Never happened to me something like that. But chances are multiple

You have a point though and those assumptions would be possible because anytime the house could give an excuse regarding on the situation.I dont have the right to give conclusions but the possibilities are there and same as yours i do believe in such thing that PD is the only one could able to take funds from their users since OP said that hes a programmer and developer and uses strong password and having a clean pc.

They don't necessarily have to be directly involved in a scam to take the blame. It's their duty to protect their users. So, if multiple people are getting rigged only on this site, they are exposed and have a security loophole. They have to take the responsibility and investigate thoroughly and provide the users with a guarantee that something like this wont repeat.

People who are saying that it didn't happen to you since 3-4 years, you never know, you could be next. Till yesterday, I was endorsing PD in my signature and this happens to me.

I'm not blaming them directly i just stated on some possibilities and you got have a point on which PD should take actions on this kind of scenarios because people will surely lost its trust when this thing would still continue in the future.Some people would really say nothing about this matter since they didnt experience it but if the time comes when that lost funds on their account they would probably say the same thing too.

^

When I lost $10k + (currently around 16k aud now) on primedice, I got all the blame placed on me. I find it unfair how every one just blames you when you're the one who lost a huge amount of money. And it's funny how most of the people accusing you of being a fraudster are the carders, spammers, etc, who have probably never seen more than $10. I'm still trying to wrap my head around the fact that I lost 10k due to one single mistake (depositing into a SO called "safe" website.)

That's a lot of money. I feel you ! was your's the same case ? someone stole your BTC ? All the victims of this site, together we could do something about this.

Yep. Deposited, waited for it to show in my balance, never did.Blame was placed on me. I don't think w can do anything about it, it's PrimeDice's miniature army vs us.

You'd have a transaction to show for. wouldn't you ? Am I missing something here ?

No I did, I had all the proof that I deposited, it was my money, where I deposited from, I got people to confirm it, etc. the problem was that the money never showed up in my balance, and the staff/army said that I was infected or someone hacked me which I find incredibly hard to believe under the circumstances.

Are you telling me that you had a confirmed transaction in the blockchain from your wallet address to PD's wallet address ? and they denied the deposit ? Could you share that transaction and a screenshot of your PD account's deposit address ?

It is a lot of money without any doubt and prime dice is the only dice site i rolled for some time now and i have not seen your case talked about in primedice and why is that ? did you start a support ticket regarding that and did you get any reply from the support team regarding the issue.Prime dice will investigate the issue if you provide further information without any doubt and they wont scam anyone and have a good reputation .

After reading through all of this and checking around this has really only happened to you. I don't see why you would be targeted by primedice based on what you've told us so I can only assume your computer has malware. Idk that's really the only way to explain it but even if primedice could prove differently they probably won't. Sorry op. This obviously blows.

There are multiple possibilities of getting your account hacked.What if a keylogger already resides inside your computer and the hacker took this opportunity to move your coins.Too soon to jump to any conclusions.Btw,where were the coins withdrawn to ? You have any info about the associated addresses ?
Wait for Stunnah to get back to you!

We cant really jump into conclusions yet and the best way to be clear up this thing is we should wait for the management to say a thing about this matter.Its really hard to put conclusions specially if we dont have a strong proof and also there are really lots of possibilities that can someone could able to transfer your bitcoins into your account to others wallet when your computer is already compromised.

But why do they use the keylogger ONLY for PD? I mean that's a bit strange, why didn't they stole my other accounts, or even my bank accounts or my credit card data to pay online?

That's strange that it only happens on PD....

He just mentioned the possible thing that happen and it turns out that he installed some keylogger when he tries to play or access his PD account.Its just a possible way that might happen not only on PD but all important informations do you have thats why we should be careful on installing programs on our computer to avoid this kind of being hacked.

That's not I mean.

I mean keylogger thesis is very unlikely because otherwise other data would have leaked. When you get a keylogger they try to steal everything including sensible data like passwords or credit card.

But the only thing I ever lost was 0.5btc in PD. So I don't see how it could have been a keylogger.

only happened to me? There are 3 guys on this thread for whom the same thing happened.

Yes,all informations and strokes that being typed on your keyboard would definitely recorded when theres is a keylogger installed it would really tally all the information and details not only on those accounts but all the important stuff you had.Yes,its very unlikely and  maybe its not a keylogger but its just an inside job or someone do really knows his password.

guessing a password is completely out of question, because PD has a captcha. There's no way you could have bruteforced it in 10 minutes.

Ahh..that never clicked me.Speaking of possibilities,yes it may happen.Hackers are smart enough to study the network flow and access the session tokens somehow but again it is very hard to be brute forced.Let's just wait for Stunnah to reply,chances of this being an inside job are probably more.

Have you opened a support ticket with the site and what is your user name in prime dice,if you could provide the details it could be easily resolved when support staffs comes online and i am hearing about this issue for the first time since i am playing in prime dice for quite some time.

I remember u can login using your api key. Do you share that key?

Nope. never used the key myself. As I said, created the account 10 minutes ago and the money got stolen.

I've emailed Stunnah. I've mailed their support as well. Here is their reply -

https://s24.postimg.org/9u2bm8279/Screenshot_from_2017_01_03_00_19_58.png

OMG Mladen said it looks like your account has been compromised, but you should check logs? Because they can't check it or what?

Did he even checked your account?? It won't be hard for them to see where coins went, right?

Exactly. can they be more careless in replying to user's loss!!

Ahahah
"it seems that your account was compromised"

you can roughly translate it by:
"We have no information will not give you any information and will not investigate any further, your problem not ours"

Just like what happened to me. You get your PD funds withdrawed without any reason and your "compromised" computer ONLY release the PD funds. I don't know what kind of malware can do that and ONLY that...

Did you use 2fa or multi factor login?
honestly i was a gambler before in pd but never experience this problem.. did you check your computer about keyloggers just like other mention here but i did not seen if you scan your linux os or not.. i know linux is high secured os but we are in new generation unlike before..
Look at the android android is a linux based and many malware and viruses from 2015 until now are generating and spreading..
So better to check your machine if it is clean..
We can not also blame pd because they are just giving first solution but if you can provide logs and trace the problem you can give it to them..
Also i don't see what address that actually you said your balance was withdrawn?
Can you share the address or the transaction logs so that we can also review your transaction..

Since a lot of people are asking for wallet address, this is the address PD assigned me - 1QJZeCTLD2CX7VxoN76eYSm9EwZQjpP6vi

Are you using any sort of script?

If you were then then you are almost certainly been scammed. Tons of people using "100% risk free 100% guaranteed profit script" as a bait to get you using their javascript auto withdraw scripts. They tell you that you have to deposit at least 0.1 BTC for it to work, and when you do deposit 0.1 BTC, boom, your balance goes to 0, because the script automatically withdraws the coins to the owner's address!

This is very possible, if the bots were compromised our fund is in danger, I perfer playing by myself, not the bot.

Well I can say honestly it was not Stunna who took your money, they make a lot of money and can't see the point in endangering that by stealing from customers.Do you use a wifi mouse or keyboard they can be compromised very easily

Stop finding every possible reason to blame the person who deposited and get with the fact that maybe it's the fault of the site.

Wow... I don't use Primedice, so I can't say much, but there have been many trusted sites that have turned dirty. Now this could have been a fluke, things happen and can hiccup, but I wouldn't say that sites  (trusted or not) aren't capable of scamming off a user here and there-- who's gonna believe them?

But users can also make up things to give people bad names too. I have seen that happen before.

From what I read, there looks to be three users who have said this has happened to them. This is in a short amount of time of the topic being posted; this can be both fishy or peculiar.

1) How many other people have been cheated by this site and haven't seen this thread yet or

2) Three users grouped together to accuse this.

As you've stated, there's no proof of what happened, and no script was allegedly used. It's really weird, and since I don't know PD nor the users involved, I can't fairly choose a side.

I do hope that if it's a legitimate problem that it could be fixed. Good luck... Just don't blindly trust anyone, cause in the end, you don't know them, and anyone is capable of fooling you.

I also don't like it when a site advertises that it's trusted. It shouldn't need to do that if it really is trusted. How many people in real life do you trust who actually say that? I know I don't.

Lastly, the most important rule: don't deposit/gamble/give what you can't afford to lose.

I haven't used any wireless mouse or keyboard. It's my personal laptop and I haven't connected any external device. If Stunna hasn't taken my money, atleast he should try to find out where it went. It's been almost 2 days and no response from Stunna yet. He asked me to mail him directly but no response whatsoever. That's the commitment he shows towards his users !! So much for a "Most trusted community" I suppose.

48 hours gone and still no reply form Stunna.

Last Active Today on BCT but he wouldn't reply. WTF!!

If PD denied the said lost funds then this thing would be possible on which OP might tried those scripts on which it steals account balance on PD because i cant think of such other thing other than having a malware on the pc but if theres none then the closest possible is the script.imho

No scripts used whatsoever. I'm sure Stunna can investigate that as well. For using a script, I should have used the API key I suppose. I'm new to these dice games and its been all manual till now.

How much did you lose? If it's a rather low amount I wouldn't believe Stunna would take it. He has way better ways of being dishonest if he wants to be.

I'm not saying Stunna took it. I'm sure he wont rob me off 50$ with his reputation at stake. All I'm asking for is an investigation of a potential loophole. I just need answers to where and how my money went. I could very well afford to ignore my loss but it's not just me. It has happened to a lot of guys before and it could happen to a lot of them after this.

It's their casual and irresponsible behavior towards user's loss that annoys me the most.

Do your self a favor and never play at primedice. This happened to me a while back and nothing was ever done about it.

https://bitcointalk.org/index.php?topic=208986.msg13660593#msg13660593 (https://bitcointalk.org/index.php?topic=208986.msg13660593#msg13660593)

Why should we let them off the hook for repetitive mistakes ? If we let go, tomorrow it's another user and another.

People mentioning a lot of ways my machine could have been compromised by malware. It it was a keylogger, that means PD is vulnerable to css attacks. Aren't they responsible for fixing themselves ?

Someone mentioned about leakedsource.com, the passwords there are useless unless you have the salt that they used to create the hash.

Someone mentioned that if you have a wireless mouse or keyboard, you are vulnerable. That's the lamest thing that I've ever heard. No offense but that's lame.

Someone talks about using scripts. I'd try to avoid that here because I myself never used any scripts and can't say if they are compromised.

Someone talks about using 2FA. 2FA gives extra protection to the account but its a huge overhead and you'd expect the site to be safe even without enabling 2FA. Otherwise stop calling yourself as trusted and safe.

I could go on and on. If a user's account is compromised on the site time and again, you should step up and take responsibility than giving out lame replies like what Mladen did in my case. He gave the exact same response for a bug that I've pointed out on their website a couple of weeks ago. Sounded like he copy pastes text to reply to users.

Stunna was quick enough to ask me to email to him directly but no response till now. My bet is he probably wants this cool down itself. But he couldn't be more wrong. I'm taking this as my responsibility to make sure no more new users get robbed like this. After all, they spoiled my new year celebrations by letting a scammer rob my coins!

It's really sad to see this happening with you and I can understand the pain of loosing btc, but I don't think primedice would be compromised. Let's give you benefit of doubt you are legit, what I would suggest is keep trying contact the admin and there's a official thread here of primedice post this there also. Contact the Op there also, they normally respond. And primedice is heavily understaffed, they have often said it, if your claim is legit keep contacting them, normally for their faults they do include a small bonus, hope you get both your money and bonus. Just keep patience.

I still insist,wait for Stunnah's sugar coated reply. ;D

Keylogger is installed in your machine dude and not on the website.However,I doubt that is the case if many players are hacked at the same time.

Lmao.Me too.Ignore the shit posters,their knowledge is beyond time and infinity.

If it was keylogger, trust me, we would be hearing this from a lot of users from a lot of other websites. I myself play on more than 5 dice sites. I should have been robbed there too.

I've emailed Stunna again now asking for an update.

Still no update from Stunna. Should I move this to the Scam Accusations thread in that case ?

Wait for it. I don't think that Stunna will gonna sweep this case under the rug. After couple days without proper response just create another thread is Scam Accusation section.
I would keep this thread in gambling section just for people who (like me) are not checking frequently other sections.

Mailing you daily. Still awaiting a reply.

I saw Stunna asked him mail on 1st Jan and today already 4th Jan. I consider it is already sufficient time given to reply at least first information on what has happened and still how long they need it to investigate. If no reply yet means it is not a good customer support from a reputed site. If they can't manage traffic then should employee someone to handle these issues. It is just my opinion.

Just send stunna a pm, https://bitcointalk.org/index.php?action=profile;u=81292 since he has been online here.

Perhaps, they should look into adding additional information to the transaction log such as including the IP address that initiated a withdrawl. Although, even if you know the attacker's IP address, you won't necessarily know how they were able to access your account. Although, it would help to know if the withdrawl came from your own IP or an attacker's IP address as it could help rule out attacks such as CSRF, etc.

Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?

According to the OP,the process seems to have happened from the back-end.That is funds have been transferred through the database I believe.

If this indeed happened on the back end all the high-rollers would have been fleeced and Primedice's hot wallet would have been emptied while Stunna was sleeping, wouldn't they?

Makes sense but if you read the thread from page 1,OP is not the only one who faced the problems.At the same point of time,other users claimed that their wallets have been hacked too.OP say's it's an inside job but no jumping to conclusions without Stunnah's side of the story.

Indeed, there's no reason for us to believe this was a fault within our security. If I had to guess, weak password that got cracked or some sort of script/bot. Plenty of users hold much larger balances on primedice without issue (including myself).  

As always I'm happy to investigate this further for you if you provide me as much information as possible beyond just your username via email.

This is a very interesting point that you have raised. Firstly, they shouldn't have let two users login from different locations, especially when a player is actively playing on one IP. Isn't that a big security loop in itself ?

Secondly, no withdrawal window popped up on my account when the hacker was trying to steal my money.

Stunna, I'm sure you can reproduce this above case and please be elegant in accepting the blame for your loopholes than blaming me. I don't have any reason to cry about 55$ when I myself have wagered 100BTC on your site.

What more information do you need other than my username and email ? wouldn't you have all the information about my bets and transactions on your database ? you want my physical address and dob or what ?

how can a weak password be cracked Stunna ? you have a captcha on your website right ? User should have guessed my password in like 3 or 4 attemps to be able to crack my password under 10 minutes. or am I missing something ?

Captchas can be bypassed by bots through the use of external services. If a person knew that you had a weak password and enough balance to make it worth their time the captcha wouldn't be an issue.

Not at all. Depending on how fast PD loads he could have tried it hundreds/thousands of times in that 10 minute period. If there is rate limiting it could be less, however that could possibly be bypassed unless it was applied per account.
Either way, it would be significantly more than 3 or 4 attempts in that time frame.

BTW what was your username and password (after you changed it)? As you used a unique password to the site, so it shouldn't matter saying it here. It'll likely help primedice as they can check it against the hashed version in the database, and allow people here help you out by checking it against some combo-list sites to make sure it hasn't been leaked somewhere else

You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords. Guys, Seriously! isn't that a basic security that should be in place ? Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole. Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.

None of this in place and they defend their security. wow! It's scarier than I thought it is.

Ryan, seriously ? you are asking me to share my password here ?

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

You've re-used that username on a handful of different websites including dodgier sites like blackhat forums. If that password is indeed unique it would be helpful if you privately shared it with me, it shouldn't matter since you aren't re-using it elsewhere right?

Since it is unique though, you should feel comfortable posting it here.



We encourage users to set strong passwords and have very basic length requirements. I'll explore making our requirements much stronger this week.

I'm not even sure which username you are referring to. I have multiple accounts with PD. The one that got robbed is definitely not registered with blackhatworld. Please read your emails to get my username and I've PMed you my password. I'm still skeptic about sharing my password but I had to do it anyways hoping it would help your investigation.

What would you suggest they did? Lock your account?

Because it's not the website's responsibility to make sure the user has good password security. I trust that PD does all it can to secure user's passwords, although it cannot do everything.
It also isn't a loophole, it's logic. If your password is 'password123' people will guess it easily. That's not a problem with PrimeDice, it's a problem with you.

And what about if a user has a dynamic IP? Should they just get locked out of their own account?

If you're telling the truth and it is a completely unique password it won't matter.

and can I know where exactly did you encourage your users to set a strong password ? Nowhere in the signup flow as I recall.

If it's a 100% unique password no longer in play what's the issue with sharing it?

Sure, why not? My password was yMrND9DpHD9T   (but I just changed it). Your account has already been hacked, so it presumedly doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim  ;D

You are asking the right questions. Just to the wrong person. You tell me, what should your bank do when you enter an atm pin wrongly for more than 3 times ?

Well if someone is as dumb as setting his password as password123, he deserves to be hacked but unfortunately that's not my password.

May be Stunna can answer how a user can login without a password if he is using dynamic IP. I have no idea how anybody can do it.

A password is a password is a password that simply cannot be shared on a public forum even if it is unique to this site. Let's just say I don't want to share it with you here in public. I shared it with Stunna anyways.

hah good point.

If you post your password convertekk, I'll refund you for the loss. Also, we'll look into setting tighter requirements for passwords and maybe offer a 2fa on cashout option.





So.. this isn't a unique password? okay.

I can tell you that my password is stronger than yours with more than alphanumeric.

That's simply untrue, I can google the password you supplied me and get plenty of results of it being used as a mysql password. Note when you google "yMrND9DpHD9T" you get no results. If you want a full refund feel free to post it here (after changing it on primedice) and close this discussion. I also have strong doubts you only used it on primedice which is why I imagine you are hesitant. 

Stunna I'm still not sure why after 8(?) months, you're still ignoring the fact that I lost 13 BTC.

I was not infected and I believe that the site security is to be blamed. Why would you allow two IPs to be logged in simultaneously? (And that's assuming I was even "hacked")

How many websites force usage restrictions to one ip address, if we offered that option would you have enabled it considering you did not have 2fa? Further, someone can login via API/Site/Mobile simultaneously. We have measures in place like 2FA which allow you to have the weakest password possible and still not get hacked.

I'm happy this discussion is being had and we're happy to add in more optional security measures, but they will be pointless if users don't want to use them. I still think this is constructive

You took 4 days to respond to me and now you say that I'm wasting your time. I never wanted to sound harsh but you called me a liar and make me sound like a beggar. It's upto users of this forum to judge you I suppose.

My password was pP@$$w0rd and it's definitely unique to this site. you tell me that this a password that could be guessed by a random guy in less than 10 minutes, I have nothing to say to you. and guys, do google it and tell me if you find it.

There's a good library for that by dropbox:  https://github.com/dropbox/zxcvbn

I used it for a while, but it ended up making almost no difference. Pretty much every hacked account I saw wasn't hacked through brute forcing (as we had a recaptcha, and logged failed attempts) but was hacked by people using sites like leakedsource.com  Even when people used unique usernames, a nasty trick some scammers were doing was luring people into other mediums (email, skype, etc) so they could see their other usernames to look them up.


Out of interest, for a couple of days I logged peoples username/password and tried to look them or crack them myself. I think my success rate was about 20-30%.


I've come to the conclusion that passwords are pretty useless by themselves, unless tied to a bunch of other stuff (probably the easiest being email 2FA).  So what I now do is just not let users pick their own passwords (and force them to use a random securely generated one).

Of course users absolutely hate it, but I figure the users who hate it the most are the same ones who don't use password managers and reuse the same password for every site, and they're the exact people who would otherwise get hacked. I think since doing that, claims of hacked accounts have dropped about 10 fold (although forgot password claims have gone up by a similar amount).

It unfortunately doesn't protect against phishing attacks. Something that 2FA tends to do a better job at preventing :D

Finally!! someone to my rescue!! It's like I'm fighting a war against an army for pointing out potential loopholes on this website. phew!!

I posted my password. May be you should refund my losses and also the other two guys who raised their issues in this thread if you are too considerate about your users' losses. You talk about wasting your time, do you realize how much time of mine did you waste ? Your time is equally valuable just as mine.

I was able to find pp@$$w0rd in plaintext and MD5 in a leaked password list.

People use rules that change letters from lowercase to uppercase using Hashcat meaning that the password isn't exactly 100% unique but yeah the chance of someone guessing it... or brute forcing it.... hell nah

yep. Also, why are we talking about a bruteforce attack on a login page of a website, isn't that funny ? It's probably the first thing you do when you setup a website - to avoid bruteforce/ddos attacks. The fact that these guys are up and running for more than 3 years, that's pretty disappointing security in place.

How much did you lose?

About $60. but I've always put emphasis more on the site's security than my losses. for which I'm being called a beggar.

Thanks for that library, we might just start forcing some sort of 2FA/email confirmation at the least for larger cashouts.

Hope you get compensated.


Ugh all I want is a partial amount back so I can buy a laptop and be able to actually work again to make back the losses. Seems that won't be happening :/

Fair, the username of his account is widely used on a bunch of other bitcoin websites though. And regarding Robert, that really is terrible but there were no back-end flaws that resulted in that. There are around 1.5 Million primedice accounts right now, a very very very small fraction of a % of users experience these types of issues which could be prevented by enabling 2FA, or using a password manager.

yes, so you please try and login to one of those websites with same password and you tell me if you can crack any of them please.

and this coming from the owner of bustabit! WOW!! speechless! can anybody feel more naked around these websites ?

Okay Stunna, but here's one more thing that I just can't get over.

When my deposit was confirmed, I wasn't credited. So I posted in the chat asking why.

According to the logs, the withdrawal was made at around 6 minutes after my deposit was apparently "credited".

If that's the case why did I not see a single thing in my balance throughout the whole time?

And if it's not too much to ask, could you please give my PM a read?
 
Thank you.

So you are alleging that there is some superbug that will let anyone compromise accounts? I don't know what you're trying to accomplish here. There are other ways you could have been compromised as well such as phishing/scripts/bots.

I don't have much else to add to this, we'll explore tighter requirements or pre-generated passwords but I think this might upset the majority of users.

Just to be very clear, I was only trying to crack their bustabit password (based on information I could find online), I obviously wasn't attempting to crack their other accounts based on the password used at bustabit.  And that risk is now 0, because bustabit doesn't even let users pick their own password.

Damn can I have the same refund or the same investigation Stunna? ^^

Well not sure of when all this happened though... So probably couldn't find the password again.

Anyway it's already good that there is a 2FA for authentication I didn't understand that! It wasn't the case when I lost everything xD
Fact is that there doesn't seem to be someone with full security (unique password + 2FA) who lost his balance. Then I guess it's hard to conclude anything against PD, didn't know 2FA was implemented.

Wasn't there a bug where you were able to modify the value of the password field and choose your own password? It happened a while ago so I assumed it's patched now but eh

And @op I wouldn't be worried if Ryan knew my bank accounts details lol. It'd probably trust him more than it's trust me

I asked you to investigate this issue for me. To try to find out how I got robbed. It's you who took me in the direction of 'weak password, not unique password, anybody can guess it'. Now that you know that's not true, this is another direction - phishing, scripts, bot.

You tell me, did I use scripts ? you'd be able to differentiate between manual betting and a script betting on your website I suppose ? no ?
Phishing ? have you been following my concerns ? the account got hacked in less than 10 minutes.

This story would make for one heck of a blog post I believe.

what do you mean by logging their usernames/passwords then ? Atleast that's a good feature that you have, setting the password for user. Hope you'd take the blame when a user's account gets hacked on your website considering you have set the password for them.

You never know. Ryan's getting robbed by Dudax these days. He might have other ideas with your bank account details. lol.

Truth be told I don't even have a bank account :*

if I could take back the day I deposited I sure as hell wish I bloody could. Can't believe that people like HufflePuff cheat the system and make millions innocently while people like us lose barely a fraction of how much he stole and we get told to suck it up. But I guess it sucks for Stunna as well :/

Stunna will you be on in 8 hours? I'd really like to converse with you about this more deeply.

It might be a good time to close the thread. There doesn't seem to be a single person who used good security practices who has had any problem. Hopefully though it is a useful lesson for everyone to always use a password manager, both for PrimeDice and every other site. I do not believe there are many people on earth who are capable of reliably remembering unique secure passwords for dozens of different websites.

Something like lastpass is free and works in pretty much every platform. There's really no excuse to not use something like it. Obviously sites like PrimeDice will try do their best to protect users even if their password is weak/compromised, but people need to take responsibility to have a secure password and play from a malware-free device (even with 2FA, a compromised device can still screw you)

It's a pain in the ass setting up a password manager, but it really is time well spent. Like for instance, like a month ago 340M accounts details from AdultFriendFinder seem to have been leaked. It was really nice to not have to worry about about the security of any of my other accounts.



Well it's still users responsibility to keep their password safe. If you share it with someone (intentionally or accidentally) then it's your own problem. But if a password was brute forced (which has never even closed to have happened, I would know as all attempts are logged and monitored) then I would happily refund any loses.



Actually it's intentional. The secure password is generated client-side, which allows users to manipulate it (if they're technical and have a good reason to do so). However, even so
I still verify it zxcvbn to make sure it's reasonably secure.

close the thread ? how ? No investigation, no refund. I was forced to enter my password here to prove a point and now he disappears!!

I own the site gamblercity.bid I may blog the rights and wrongs this weekend.Or other people can on the site

Well... What do you expect? You didn't use 2FA even if it was available so...
I didn't know they put this feature online. But if you didn't use all security tools at your disposal you can't really blame the site for it.

I'm considering couple of other sites but I'd love to do that there too.

what percentage of people use 2FA ? all the others who don't use 2FA are insecure too ? The site should enforce 2FA too in that case. What do they do instead ? They let people make deposits even without having a password. Agreed that you want a zero-friction onboarding of users but you have to be highly secure to have something like that. The whole point of having a password less/email less sign up is to decrease overhead. How do they expect users to signup for 2FA when they don't even expect them to set a password ?

Dude it's not that...

It's just that you can't blame them for getting your coins stolen if you haven't used all the security sets they provide!
How could they enforce 2FA use? I mean that wouldn't be logical! They're not babysitters here to protect you, they give you a way to gamble and they gove you a way to do it in a safe environment. If you're too lazy to use the security tools they provide... Well you can't really argue with them afterwards. What's your argument? "You should have obliged me to be less lazy and secure my account!"?

No offense but I'm having difficulty in understanding your arguments. Instead of providing 2FA, why didn't they secure themselves from bruteforce ? Isn't that the right way to go about it when you know more than 90% of your users are not going to use 2FA anyways. You yourself lost some coins there, I'm not sure why you are taking their side though. It kind of beats the whole point of getting them to fix their security.

Put simply: the lack of  pattern monitoring on Primedice servers was this the main reason this attack took place.All servers I have were money or crypto are involved have pattern monitoring installed this would have triggered a lock down on the account

Thanks to you Stunna, My account is now stolen. I'm not sure how to feel about it.  :-\

What's going on here?

Just someone complaining their account was compromised and funds stolen

For some reason I'm not surprised.

How did that happen?

He forced me to share the password on this thread.

:sigh:

(emphasis mine in both quotes)

Also it seems that P@$$w0rd is a suffix you use for many of your password? So pP@$$w0rd means "primedice password"?  If people know a bunch of your other passwords, and then trying to guess your PrimeDice password ... you're not exactly making it hard :D

I really think you owe PrimeDice an apology for this whole thing, and use it as a cheap lesson on the importance of using a password manager  ;D

Do we get the edit history on that comment please ? I'm pretty sure the "after changing it on primedice" was added later. Just like how he changed the words "blatant lies" to "simply untrue"

coming to your own conclusions and asking me to owe an apology for what primedice did to me ? WOW!! Care to explain how you came to that conclusion ?

Comments that are edited after a threshold (5 minutes I think) look like this:

https://imgur.com/a/BOWYt

(that's my post, for testing)

And you can hover over it, to see the edit time.

However, Stunna's was never edited (at least after the threshold)

Before threshold or after threshold. You simply shouldn't force someone to share their passwords on a public forum. He called me a blatant liar after wasting 3 days of time. I had to share it to prove my point right ? Also, that account is not worth a penny to me anymore. So, I wouldn't mind retrieving it. Its just that someone would be misusing that account to get a higher faucet(its currently at 3.2K) and it's Stunna's loss. You could simply reset the hash and share the reset password with me over PM to simply hand over my account to myself instead of playing a blame game.

The real concern was the lost money and his behavior towards a user who loses money on their site. "Share your password, to the public, I'll refund your loss" and then gone. disappears.

I was actually the one who originally asked you to share your password (after you changed it) so we could see if it was a secure password or not (like you claimed).



Your whole thread is about problems in PrimeDice, while in reality it's simply a case of you using a trivially guessable password (to anyone who looked up how you pick passwords on a password leak site).

I'm telling you that I don't use that pattern elsewhere. You keep fighting on his behalf asking me to owe an apology for the money I lost. Why should I go through this mental trauma fighting a hundred guys here for pointing a potential security loophole ?

It really is dangerous  >:( >:( >:(

That password is insanely easy to guess. A machine could probably come up with that password in a few hundred tries.

Do you really think that passwords are brute-forced by hand? You really don't know much about this stuff, do you?

Regardless, did it not come to mind that if you're posting your password in a public place you should change it?

Because Stunna/PD has done nothing wrong. You accusing him of doing such is not fair. You lost the money because your account security was bad - deal with the loss and learn from it in the future.

You are the security loophole. Make a password that isn't stupidly easy for a machine to guess and you will no longer have these problems.

---

Any website you store funds on is dangerous for many reasons. Provided you trust the website and use a strong password this danger can be mitigated.

where are you guys popping from ? Are you the army the other guy who lost his money was referring to ? a password with alphanumerics and symbols is easy to guess for a machine in a few hundred tries ? LOL. arguing with you on this will be an insult to my intelligence.

Any website you store funds on is dangerous ? Please tell me if you own any websites, I'll not even come near to it. I've already added primedice and bustabit to that list but if you have any, please feel free to add that to my list.

If PD is allowing hackers to guess user's passwords using trial and error, isn't that a problem ? Stunna himself accepted that and was willing to enable 2FA for withdrawals. Where does the point of apology come into picture then ?

No, not really. Someone knowing how you pick passwords would have got it in less than 10 tries, or perhaps 26 if they wanted to guess every letter. You can't lock accounts, or ban ips for a handful of tries or it would suffer from a huge false-positive problem and/or be a huge vulnerability (easy to lock other peoples accounts).


This will be my last reply, as it's becoming a waste of time. But honestly, you should start taking some responsibility. It seems you've learnt two good lessons:
a) Don't post an active password in a public spot
b) Use a password manager to pick good password.  A single letter, and a common suffix is insanely guessable.


I hope you don't let this lesson go to waste  :)

You literally changed the word 'Password' to have some well known symbol replacements and added a p at the beginning. It wouldn't surprise me if these sorts of passwords were targeted specifically by some attackers.
A good password with alphanumerics and symbols would look similar to these:

• n<GV8YV/L&$K$[b
• 937/o=92sW/G{5c
• ~(=0,548_"2"/Ga
• kZs75Upu]48j?6q

Notice how none of those passwords follow any sort of structure/pattern? They do not resemble any dictionary words (unlike yours), they do not have any predictable characters in there (unlike yours) and alphanumerics and symbols are scattered randomly in each password (unlike yours).

None that you store funds on for that exact reason.
By storing funds on a website you are literally giving them your money. If they have poor security or get greedy there is absolutely nothing stopping them from running off or losing your money. That is something that could only have been helped by not storing funds on a website. Of course, I do not think that PD or Bustabit have a problem with either of these.

It is. An inherent problem that comes into play with almost every website that uses accounts with passwords.

You are trying to frame Stunna/PD for a problem that isn't their fault. It's disrespectful at best, and deserves an apology.
Not that anyone here should expect one from you; you seem too deluded by your own faulty logic to realize you have done anything wrong.

---

I suggest that you try to understand this; he is absolutely correct.

You know what guys, I don't want to waste any time of mine as well.

Stunna, you refund my losses as you have mentioned, and make your website a little more secure possibly for the sake of your users and your own good. We are done.

Good to know, apologies for your loss.

If you want to prevent people from replying to the topic you can press the 'Lock Topic' link in the bottom left hand corner of the page. I suggest you do this, else it will likely continue to be brought up.

When using any site that handles bitcoin like mine you have the chance to lock a bitcoin address for withdrawals and you need to confirm it by email your sent

I'll just wait for Stunna's reply and resolution before locking the topic.

one among lot of other ways to protect the user. But, that is, if they have the intent to protect their users at all.

Just as a test and never touched the account but it took me 12 minutes to brute force a btcpop.co account (it had no 2fa engaged)

There is no denying that passwords can be bruteforced and if you managed to do so then the password you used must have been weak.
 Would you be able to crack some of these passwords?

Anyway I don't see that this discussion is leading us somewhere. Stunna claims that this case has nothing to do with PD's security.
convertekk says something competently different - we reached a stalemate here.

Three things here-

-When a user is playing with one ip address, its highly unlikely that he'd login to another ip at the same time. A possible 10 minute delay check between login to login would have prevented this from happening.
- If a user enters wrong passwords for more than, say 5 times, his account should have been locked for the next 10 or 15 minutes and the user should be notified over email stating that the login attempt from the particular ip failed. Even bitcointalk.org does that. Locking the account after 5 wrong attempts would definitely not result in false positives as Ryan was stating.
- Protect your site from DDOS and Bruteforce attacks. That's a must.

Still nothing to do with security ?

ouch sorry to hear that :(

Stunna has promised to refund my losses and fix the issues on their website. Marking this as resolved and will lock this thread in a couple of hours. A lot of people have contributed to this thread. Thanks.

Looks like Stunna will probably never reply to me again.

Oh well. Atleast you get your funds back. Nice one mate  :)