Bitcoin Forum

I wish I had never left my money on mybitcoin... Used the same password as my mtgox... Stupid? Yes, very stupid.

I won't divulge the exact amount, but it was pretty substantial as I am one (was one?) of the early adopters. Happened at 10AM this morning, coins went to this address: 1MAazCWMydsQB5ynYXqSGQDjNQMN3HFmEu

:(

Anyone else in the same boat? Just looking for some people to commiserate with...

I am saw at least one post from user with exactly the same situation. So, at least you are not alone.

Once they make their way to Mt Gox and are sold, ask them to roll back all the trades then work with their liaison at the FBI to recover the bitcoin for you.  Word is they're going to set that precedent so no worries.

P.S.  Sorry man, that sucks.

Part of me feels sorry for you, the other part hates you so much considering all of the warnings lately


well done on making another criminal a lot richer -.-

Good job, not only did you use a weak password for financial data, but you used the same one on multiple sites. AND you had time to change it!

While I don't think you deserved it, it was pretty dumb on your part.

Sorry to hear, unfortunately this has been a very expensive lesson for all of us. All the hacking that's going on is insane. I don't trust anything anymore. I'm setting up an entirely separate computer just for handling bitcoins.

I too have a new, separate, never-networked computer just for creating and encrypting new wallets.  Balance can be checked at Block Explorer.

Damn dude :( I'm sorry.


Makes my stomach drop thinking about how much you lost.



Who said being a scumbag p.o.s didn't pay off? Whoever got your money has a lot of other people's money as well.

You were not the only one. It seems one person cleaned out all of MyBitcoin (at least the accounts that reused passwords) and gained 4k in the process.

4000 BTC or $4000 USD?

Please tell me it wasn't really all of your coins. I can't make out what that address is doing. It looks like it had thousands in it, were they all yours?

Sorry to hear that.

4000BTC. That address it went to is the collection address of all of the stolen Bitcoins - it seems someone wrote a script to automatically logon to all MyBitcoin accounts with known passwords, and withdraw all coins to the same address.

Why this was not caught by MyBitcoin as being potential stealing, is beyond me.

Sorry to hear this.

But people, how many times were you advised on this forum to consider counterparty risks, trust no one, encrypt your wallet and hang on to it?

Leaving 100k USD worth of bitcoins on some amateurish website... I am speechless...

The 4000 bitcoins were not from one account. It seems to have been the total of funds that was collected altogether, from all MyBitcoin accounts that were reusing passwords.

Which again raises the question why. The. Fuck. This. Wasn't. Detected.

My 2BTC are still in mybitcoin acct :)
Very different password thanks to keepassx.org

something like
K*=7}%Z9&t`Pb$QN

I have lost coins in different ways through loans and poker but there were no passwords to crack, just my mind-

I wanted to recommend keepassx as that has simplified the handling of passwords in my life-

You haven't figured it out yet?

90% of the damn sites that use bitcoin were coded by a bunch of chumps that don't know WTF they are doing.

Our head media spokesperson, who supposedly owns a TV studio, can't even figure out how to livestream a webcam or get a skype conference call working. That TV show was terrible. It took they 20 minutes to get the mics working and the camera display stayed on the whole show.

Major wallet and exchange sites have poorly slapped together code by people that have obviously never coded sites that need high security before. The Trade Hill people didn't have answers to basic questions.

The gambling sites look like they were drawn by 3rd graders with crayon and CSS . Some of them don't offer regular rules/odds, others don't calculate bets right, and others are most certainly scams.

The few merchant sites that are up are slapped together storefronts.

Bitcoin got too big, too quick, and every 1st semester CS student or person with an Elance account thought they could throw together a site and get rich off of it. Now the community is paying the price.

All hail the creative destruction of a free market.

But sometimes the free-market will save also... as suddenly those who make good sites are at a competitive advantage.

BRIGHTanarchist,

"If you like, send me a bitcoin!
12MGypxDYSwTU1Q9g2f92Jh4x1PjPJFccn"

Is that your mybitcoin address? I was about to send you a little donation but did not want to fund the criminal either; let me know- Off to work now but will consider it in about 9 hours ;)

fortunately I had no bitcoins on mybitcoin at that time but i did the same stupid password mistake as you did..


regarding address above there were many transactions to and from it coming in short time span-you were not alone:

# Received transactions: 566
# Received BTC: 4 019.42939378
# Sent transactions: 551
# Sent BTC: 4 018.86860129

http://blockexplorer.com/address/1MAazCWMydsQB5ynYXqSGQDjNQMN3HFmEu (http://blockexplorer.com/address/1MAazCWMydsQB5ynYXqSGQDjNQMN3HFmEu)]

This is why Bitcoin is wonderful. They don't let people make "real" banking sites with construction paper and paste. It has to be Enterprise and use wish-it-was two-factor (http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx) authentication and star out the username. With Bitcoin, anyone can make a web application that uses money. For free. Even people who are bad at security. The fact that these people got anywhere near money means that Bitcoin is already revolutionary.

+1

If you could make a good site then why not sell stuff for USD? That is why my hopes are for a) remittances (shady/ hugely bloated / noncompetitive industry)   b) poker (illegal in usd) c) drugs (illegal in USD) d) sexcam (paypal won't handle it and it could dramatically reduce the costs of entry for individual providers and cut out gouging middlemen)

For other commerce, bitcoin has wasted rewards on early adopters that could have been shared with adopting merchants (under alternative currency generation rules). On the plus side, further growth in the shady stuff could bootstrap future growth in the legitimate stuff.

My one suggestion for everyone is:


Don't play the game if you can't afford to lose the money.

Much better than a government run monopoly in my opinion.

Feels like Mexico.

Lost 62 BTC to the same address today.

I'd probably be a bit more angry if I wasn't well in the green, and is nothing in comparison to those with 1000+ BTC.

More of an expensive lesson for my own stupidity - all my financial accounts have separate passwords, yet I never took mybitcoin serious enough to give it a separate password.

Same here.  My password was strong (numbers, camelcase letters, symbols, 12 characters), so I struggle believing it was cracked.

It looks like mybitcoin did detect it early on, here's what I got from them:

We suspect that someone cracked a huge selection of passwords (mtgox leaked the salts too), opened up many sessions (one for each cracked user), and then coordinated all of the spends to happen at once.

Most of the spends to that address happened within a few minutes, so we assume they opened the sessions ahead of time.

We were alerted to the attack when our anti DDoS system started blocking IPs rapidly. That usually happens during a brute force attack. What we saw was a massive spending spree. We quickly crippled the site, locked down the accounts that we could get to in time, and the rest are pretty much SOL.

i hope all this stealing stabilizes soon

All the theft here could have been prevented if all the account holders managed to either change the password when you were TOLD TO by pretty much every damn person on the forum/community. We need dumb people to lose all the money and get out of bitcoin altogether if all they are gonna do is act like retards and not do the basic steps to protect oneself. I do not feel sorry for this person at all. Had it been something that occurred prior to Sunday's event then I might, but this is completely inexcusable to me. You completely and utterly deserved this. Even though I do not condone theft, this is more about self preservation and you can't even take care of your own ass.

Just something to keep in mind - the length of the password may be more important than the complexity of it.

"K*=7}%Z9&t`Pb$QN" would be cracked way before something like "Th1sismyDumbP@ssword" (16 vs 20 characters).

It is still important to try and use a unique password for each site (in case it is cracked or some idiot is storing them in plain text), but you do not have to make it overly complex!

Uhh.. not everyone that uses bitcoin tolls over the forums every single day. I visit this forum once  every 2 weeks or so I saw no warning to respond to within 24hrs, I came home from work that day and my shit was gone, that was my "warning".

Having identical passwords is one thing, but do not claim everybody follows the same routine you do. I don't daytrade bitcoin, nor do I use bitcoin rss feeds, or anything like that. I leave my 1.2ghash/s mining and go do other things, and check my bitcoin count every couple weeks.

MtGox sent out emails to everyone about the password. Also if you are remotely interested in the community and Bitcoin then you would have known about the Sunday incident. It was broadcasted on CNBC of all places. I really don't think there is any excuse for this. If there was it would be that you weren't that interested in Bitcoin and it's success in the first place if that news slip by you somehow.

I call bullshit. I'm thinking the same hackers used vulnerabilities to get their hands on mybitcoins entire database just like on mt gox.

buttcoin.org reported:



June 20, 2011 at 10:58 pm

http://forum.bitcoin.org/index.php?topic=20275.0

Bitcoin is the gold rush, the wild west, the dot com era, and the (US) declaration of independence, mixed together with a dash of cyberpunk.  Set your expectations accordingly.

Don't worry. The US government will hunt down they evil theives.

How do I know?

Easy, the US Government Hates Competition.

ugh, so sorry to hear this!! why does anyone keep their coins on an intermediary site?? Seems like the only safe place is on a USB drive, buried under my porch.. Just like my beanie babies.

ugh, so sorry to hear this!! why does anyone keep their coins on an intermediary site?? Seems like the only safe place is on a USB drive, buried under my porch.. Just like my beanie dead babies.



Fixed.

psh, everyone knows dead babies don't gain in value ;)

I didn't receive an email and I can see from the released CSV of accounts that my email is correct.

Anyone who thinks that EVERYONE in the world has the patience and tollerence to monitor these forums on a daily basis, with all the bull shit and meaningless crap and know-it-all views of idiots, is pretty foolish in my opinion.  For every 30 minutes I spend reading posts in this forum, 1 minute is worth while and the other 29 minutes I feel like looking for a tall bridge.

I think it is quite concievable that there are many out there who know of bitcoin, have used bitcoin, but still haven't heard any word of the recent events spanning the past few days.

I don't feel sorry for anyone who didn't change email and/or password. It's not like every bitcoin related site has the hack news posted on it asking you to change your passwords.

Wait, how does this work?  Suppose I move my wallet over to an un-networked computer.  When I do a BTC disbursement from my pool's website, how will my wallet know about it?  Do the funds get put into my wallet the next time my computer goes online?

Look in your spam folder.


It'll be right under the 10 tradehill spam mails.

Your wallet doesn't actually hold any bitcoins. Rather, it's a private key used to sign transactions from the addresses you own. You only need your wallet in order to send bitcoins. You can send all your bitcoins to a bitcoin address belonging to an offline wallet and they'll show up in your client when you finally put that wallet online, after the client catches up with the blockchain. You can also check the balance of the address you sent to via Block Explorer, as mentioned previously in this thread.

Edit:
This whole "wallet" analogy, though intuitive, is proving super-confusing to people when they start trying to dig into the details. It seems like that confusion is starting to have security ramifications. Either we need to embark on a massive education campaign or we need to get some user-friendly security features built into the official client ASAP. Or else put together some sort of easy-to-use Bitcoin-branded tool for people to stand in the gap until such features make it into the official client.

+1

The current sites are more like prototypes of the kinds of services that need to be developed

There are massive opportunities out there right now for people who understand enterprise systems, security, banking, etc

Ahhh, now I get it.  You're right about the wallet analogy. I was mistakenly thinking it was an actual repository for my BTC :)  Thanks for the explanation.

Mine went to that same address, luckily I only had 0.01 BTC in MyBitcoin.

I like to explain it this way:  The block chain is a ledger, shared on many computers, keeping track of numerous accounts and their current balance.  Your wallet file proves that you are the owner of particular accounts.

While I feel bad for the people with stolen coins, but come-on ...really?

Same password on multiple sites.  *one*
Bells should have been going off as soon as it was rumoured user/pass was leaked. *two*
Confirmed list was leaked and still not changing user/pass for days.  *sorry, that's too much*

If the thief took place this morning there was plenty of time to fix this.

Whoever is stealing these coins is making a big mistake.

They could be doubling their haul if they sent those coins to a Double Trouble game address.

For me, it helps to think of the wallet file as a set of the following:
1. A Bitcoin address
2. A public key
3. A private key

The first two are public, but the third is like a very long password and needs to guarded as such.

Any one wallet can contain many sets of the listed 3 items.  But if all you do is create one offline, send coins to it, and verify the balance with Block Explorer, then you are only using one set.

Completely agree.

Within an hour of the password list being leaked I changed the following

1) password manager password
2) facebook + enabled cell phone verification
3) email
4) NTLM
5) backblaze + encryption
6) paypal/bank without 2-factor

My secure Gox password wasn't even used on any of those sites.

All sites got a new 14+ character w/ all 4 groups.

Seriously don't fuck around with your security/identity.  You can't put the cat back in the bag and you've got an uphill battle if important accounts are compromised.

1. Yes, it was stupid. I have several different passwords, the password I used for mybitcoin and mtgox was my "junk" password, while I was dabbling with mtgox. Anything financial or important has it's own unique password, but as I do not use a password manager I won't create a unique PW for a site that I will rarely, if ever use again. I never thought to change it after bitcoin became valuable to me.

2. My bitcoins left my account less than 24 hours after this notice went out. I went to bed on Sunday without receiving the email that something was wrong with mtgox during that day, I woke up Monday, went to work in a rush without checking my email, came home and saw the email, checked mybitcoin, and my coins were gone.

3. See above.


I don't live on the forums, nor do I regularly look at news sites, nor do I have a smartphone with mobile broadband to check email with. I do not have a TV so I would not have seen it on news. The only hint I had was that email, and by the time I actually got it, the account was already long compromised. Not everyone who is an advocate of bitcoin actually keeps up with the news on it. It really is boring to me because it will take a long time for bitcoin to become anything more than it's current effective status of "encrypted/untraceable USD funds", so I only check up on this stuff once every couple weeks.

Is it my fault? Ofcourse, in multiple ways it is. The password thing is one obvious one. The other is relying on a service to maintain it's security in exchange of my FEE PAYMENTS for them to uphold their service. The fee mtgox charges on exchanges is obviously to pay the person operating the exchange, in a way they are responsible to maintain their service's security. Since they didn't uphold proper service, scammers have made way with several hundred thousand dollars from the common users, regardless of the method achieved. It's like saying Sony isn't to blame for several people's credit cards being compromised and charged through the roof, and instead is the user's problem for not cancelling their credit card the very instant the news broke ice. Sony didn't uphold proper service, and caused the problem to happen regardless. Lots of people simply didn't even get the news of Sony being compromised, or thought it didn't effect them because they haven't used sony's services for many years, or forgot the one time they lent the nephew the credit card to buy some DLC or some crap when he was staying the night.

I can see why people who are new to BTC use the online wallet hosting sites to play around with the system, but why on earth would you leave almost $100k worth of BTC in the hands of some random website? Theese are not safe financial institutions, you have no guarantee that they have any measures in place to keep your money safe. You don't even know who is behind the site. For all we know they might just pack up and disappear with all the deposited BTC once the combined total reaches a certain ammount.

Would you put $100k in a suitcase and give it to a stranger you met on the bus for safekeeping?

 
 
Your statement is only true if they're trying to crack using every possible character.  Otherwise if they're trying to crack leaving out lesser known characters, then no, the smaller password would be the more secure password in this instance.
 
Again I agree you're correct if they're using the exact same set of characters for brute-force... but some crackers may use less character to speed up their brute force attack if they're trying to get simpler/faster results.
 
here's an example.  Let's say I use 16 characters, but with 20 possible characters, it's a better password than someone who used a set of 20 characters with a set of 19 possible characters.
 
1208925819614629174706176   
vs
5242880000000000000000000

Same thing happened to me and I don't even have an mtgox account.

What can be done to this?

Why are you using an eWallet service? That's fucking insanity. I'm so angry at you right now.

First, the general public has to succumb to the fact that you're not an idiot and that mybitcoin's database was actually hacked.

Seems as though people are trying to create these sites as a way to put their foot in the door for when they've actually got some knowledge/funds to code a half decent, secured website. Everyone with some php/html/sql knowledge seems to be attempting this. That funny thing is, regardless of how shitty these sites are, a lot of them are actually profiting. Especially the crayon gambling sites.

I believe mybitcoin's database was hacked.  You may also be an idiot.

I also believe it is possible that MyBitcoin was hacked as well. The exposure of the database at Mt. Gox might be acting as a smokescreen for this possibility. After all, it is easy to assume people are getting hacked because they were on Mt. Gox and failed to change their passwords. Yet, if he tells the truth, here is someone who didn't have a Mt. Gox account and he still got hacked. I was already somewhat suspicious when I saw how quickly people's MyBitcoin accounts were being compromised. I figured LS just had a lot of hashing power, but it's entirely possible they found an exploit on MyBitcoin. :-(

Only MyBitcoin can answer this one for us. They'd have to check for usernames in their database which were not in the leaked database and which had all their bitcoins transferred out of their account today to the attacker's bitcoin address. If these usernames exist, then it's probable that there exists an exploit.

To follow this line of thought: assuming that they've now cleared out a good portion of the accounts on MyBitcoin, it may be safe to say they have *a lot* of bitcoins. If LS is truly malicious, or if they are out to prove a point, then the next stage of their attack could be to dump all their acquired bitcoins on the free market. I'm not too worried about it because last time that happened we managed to snap back to $13 pretty quickly. But this would definitely add fuel to the black-PR fire.

We need to secure our websites and wallets ASAP, people. If they *do* plan on dumping them on an exchange, those exchanges will need countermeasures in place. It seems they're using the same bitcoin address for all their exploits. This could be their downfall IF we can coordinate. If you run an exchange, I would suggest putting in some special rules for bitcoins that can be tracked back to that address.

If we can stop these thieves from wreaking any more havoc on our community than they already have, it will be a victory not just for us, but for decentralization as a whole. If we can prove that a crime of this magnitude can be halted and the perpetrator caught without government intervention, it will set the tone of all Bitcoin-related discussion going forward.

These thieves have unleashed the bogeyman that lurks in the back of the common person's thoughts when they hear the word "cryptocurrency." It is up to us to lay that bogeyman to rest.

I've been lurking this forum since February and the above words are like poetry to me!
They so simply express what I've been thinking all these past months!

I can make a good site, and I sell things for USD AND BTC.

As to the "why":

Because I want to see bitcoins succeed, because I can see that the banks are imposing a type of derivative slavery on us, and this is the best way we have of routing around them.

It's not as simple as "making money for yourself". Nothing born of that philosophy is ever anything other than toxic.


Oh... and as far as I can see, the USD/GPB are crashing (I've lost 1/3 of my income in the last couple of years) whereas recent wobbles aside, bitcoins are still appreciating.

Tell you what, you can give me $100 grand, and I'll read the forums, own a television, and check my email once every few days for you.

Otherwise, seriously, quit crying... If you didn't care enough about your money to keep an eye on 100k$, then you don't need it.  I check my bank account balance every day, like it's suddenly going to have more than a few hundred bucks to rub together :)

Hopefully if you're married, etc. your wife doesn't let you handle anything important, especially issues of money.  You'd have to be on another friggin planet to miss all the different ways you would have been notified.

So they just haven't gotten around to taking my coins??? wth is wrong with you?

And all these coins need to be liquidated....

So a flood of BTC supply hits the markets pushing the price down.  Everyone but the hackers lose out in the end. 

short term glut != long term crash.

So you have a long term solution?  This is not a short term event, it's a precedent.  Security has been and will continue to be compromised because not everyone will be diligent with security measures.  Whether you like it or not, as an owner of BTC's, the value of your "coin" is tethered to the security (or lack thereof) of all other users.

A finite supply of a mostly illiquid instrument means a flood of supply will push down prices.  When you get something for free, you don't really care if you get the best price when selling.  It's a pretty big hole in the BTC model if you ask me.

This is true. Hopefully it will encourage bigger players with more time/energy/skills to invest to do so.

I also agree that alternative generation rules to spur merchants would have been/would be nice, but don't know what that looks like. I still think the proposal of BTC+ with a better client and a new block chain is the best offered so far.

No, the value of the Bitcoin is pegged to the size of the market and the demand for coins. One idiot losing his coins is going to cause a brief dip in the price, not a long term depression.

Someone changed my wallet address for BTCguild just today. Thank god for my 24 hour lock. My password wasn't even the same as the one I used for MTGox. I'm going to convert my wallet into QR code and print it, then format my computer. Shit is starting to get real.

One idiot?  Mt. Gox was compromised.  Everyone who used the same password there and at mybitcoin.com lost their coin.  Dropbox accounts may have been compromised.  Even before this whole Mt. Gox fiasco, some idiot lost $500,000 to a hacker.

This is the tip of the iceberg my friend.  My point is, even if YOU are smart and take all the necessary precautions, there are stupid people out there who will not.  Should you care?  YES.

Why?  Because like you said BTC is dependent upon the size of the market (small and finite) and demand for coins.  If this was a one-time event then no big deal.  The problem is this can be replicated and as you can see, it's happening right now.  So you can hold onto your BTC's for as long as you want, doesn't matter, the hackers will continue to take BTC's and flood the market with them.  This will depress the price of BTC's, not just in the short term, but until you can secure the wallets of all BTC holders.  Goodluck with that.

Hundreds of thousands of bitcoins were lost in the past few weeks. Hoping the market can recover...

What's the point of having something if nobody wants to steal it?

Beauty part is, I don't have to. The hackers will take of that for me. By default, when they're done, all the holders are secure.

This to me is further proof of why people trying to get their grandma/cousins/etc to use bitcoin when it clearly isn't ready (and I'm talking about some of the infrastructure surrounding the currency as well as the client) just because they want to speculate are hurting bitcoin overall.

Everyone expects a new opensource project to have bugs and incompatibilities. In this case, some of the "bugs" aren't with bitcoin itself, but with services growing up around it. Exposing vulnerabilities is great, because then they can get fixed. But it sucks when people are losing lots of money because of it.

That's the trouble - it won't and it hasn't. As an end user, you can't actually tell how secure one website is over another. There's no way of spotting whether there's a daft SQL injection or XSS attack somewhere on the website, or the admin has set his or her password to "iloveyou", or if they've given database access to some auditor with insufficient security, or how effective their detection of suspicious activity is, or how well they're storing passwords. Most people don't even have the knowledge to spot the obvious externally-visible things like a lack of protection against CSRF attacks. (Mt Gox failed at pretty much all of these except for the "iloveyou" one.)

What's more, even when evidence of a security breach does come to light most people don't seem to care. Look at all the people on this forum who still trust Mt Gox more than they trust any of its competitors despite all the evidence about its lack of security.

Wipe your computer with DBAN (boot and nuke) instead of formatting - this way it will be impossible to recover the wallet file in any way.

_{Yes, after formatting a drive you can sometimes still recover data. I saved someones holiday pics that way once.}