Bitcoin Forum

Somebody has hacked my blockchain account and took everything i had all 39.70btc ive been mining for months!

Im even sat here watching transactions being confirmed and can see the 2 accounts its all now held in, via blockchain info!

Anbody got any advice?

There gone.  Sorry but that is the reality.  Bitcoin was created to be irreversible like cash. 

Your computer is probably infected. Format,reinstall OS and change passwords.

Use 2 factor authentication.

Gutted wont be using blockchain again then, was quite a bit of money to me that was!

It's not Blockchain.info fault if your computer is infected or you didn't use 2factor.

All my blockchain info was encrypted on a memory stick that needed 2 passwords, the computer it was used on was soely for BTC it was clean as a whistle!

Every transation made will be to my ip, bar the one that just emptied my account on blockchain....

Only rational cause the comes to my mind would be a keylogger

My blockchain account has been cleared today as well. 19.8 BTC.

I started using their Android app. I tried to log in today, and it failed numerous times. I tried again 10 minutes later, and discovered a recent new transaction had cleared the balance.

https://blockchain.info/tx/b51430e902a51e04f6a44ea5c99310ca1b5ba348056a1b95dc67a3967b7de12e

keylogger does make the most sense. run some type of AV, do a clean install, and try to think of what you've installed or clicked on to trigger a potential keylogger. you wont get the BTC back, but maybe you can start to make sense of it if you can piece if together

one more would be a trend

Would be interesting to know if "Strolen" was also using their android wallet. I'm quite scared of non market apps especially with rooted phones.

Wow really sad to hear. :/ If that were me I would have given up on Bitcoin all together if i lost 30+ btc :(

I'm really quite careful about what Android apps I install. I always check what access rights they want.  The phone is only 1 week old too.

I dont know if it coincidence or not, but I normally connect from the UK.  Today I am in California, and used a Net10 Sim card (AT&T).  

Ive no driod apps apart from Barclays pingit i used to buy bit coins with on Blockchain, i work with computers and encryption on a daily basis, this is defo not a keylogger or from my end!

Sorry to hear :(  I'd still suspect that computer wasn't clean as a whistle.

Well here is mine the transaction i never did  :'(

https://blockchain.info/tx/65969f220edbabf5a21e17961014c5f69ef99f6ae58caf0adb07cb873c1bce65

Making me sick watching the conformations coming in and watching where its gone and is sat.

And this is where my months of mining is right now!

https://blockchain.info/tree/74474459

Just over 8 minutes between the two thefts.
I wonder if others have been effected, but dont know it yet.

I was actually sat on my blockchain acc and watched it happen, one min ive 39.70btc next min i went offline , so refreshed page and it said 0.00BTC.

then ive sat here all night watching where its gone!

I kinda hope others were hit too i might stand a slim chance of getting it back if was a few of us....

Looking at some the hops my btc been on others have been done aswell as clearly was more than my btc being moved by these accounts at the same time!

This is more than have took from me https://blockchain.info/address/1NeiLYQBFawaummF9XHc4hPBkG6W1bUCpb
Here you go whoever now has took https://blockchain.info/address/1NdJyQ5hUgLZMRU63VoWrb3KqGBGrV9yaV  No. Transactions    4    
Total Received    $ 13,918.55    
Final Balance    $ 13,918.55

so is defo others.....

*sigh*

I would always be wary of the apps you are running as well, especially if you are rooted. This coming from an android developer.

Honestly I hear about people getting robbed from Blockchain all the time - Two-factor auth when using google is not real two-factor, it's an illusion because if one password is compromised by an infected computer so is the other.

The solution is to STOP USING ONLINE WALLETS TO STORE VALUE - If you need to use them for transactional stuff, then do it but keeping 5000usd on blockchain is just screaming rob me.

Huh? 

Password is on entered on computer.
google auth code is obtained from smartphone.

2FA - as in two factors. 

How exactly does attacker knowing your password, compromise the independent google auth code? (Hint: it doesn't)

Ask David Perry, happened to him last month

I asked you because you made the ridiculous claim. 

Damn, that sucks, sorry to hear that.

I don't use blockchain wallets two-factor or otherwise, so claim withdrawn.  I've directed David Perry to this thread to share his experience.

I still haven't received a real answer as to how my particular robbery happened but evidence points to one of two scenarios:

1. Most 2FA codes (GAuth and such) are good for a short window after generation. A keylogger which transmits to the attacker in real time would be adequate to allow an attacker to log in with a 2FA code I entered on my PC - this was actually a common method of circumventing 2FA to steal WoW gold back in the day. Anyway, since the passwords I need to send coins are the same as the passwords needed to change settings, view private keys etc the attacker could have compromised my account and exported my private keys without my knowledge, then waited until I had a worthwhile amount in the account before acting.

2. Blockchain.info doesn't require the 2FA code when sending from a phone. Prior to adding the PIN lock to the app there was no auth beyond passwords - a keylogged phone would be a much more sensitive attack vector.

In the end it was my fault for keeping more in a hot wallet than I was willing to lose - about $1,000 worth of coin - but it still stings.

Sorry for your loss. For others out there, I would not store your wallet anywhere but where you know it's most secure! Storing anywhere in the "cloud" or some website is asking for trouble. I don't even trust the apps on my phone. Also....switch to a non-windows OS, preferably something *nix based...

Bitcoin is the single most sellable thing you can steal on the internet today.  Unlike credit cards or identies which bring in very low values when fenced, Bitcoins command full face value no matter what you do with them. 

Online wallets are the banks of the internet - Why rob a bank?  Because that's where the money is.

Dont know if it will be helpful but you can keep your wallet offline so that is not visible.
To transfer BTC, you will then have to provide the private key.

Its bad to see all your BTC being stolen like that.

Sorry to hear this OP. Unfortunately there has been a lot of this going around lately.

- I would not recommend adding an alias to your wallet which is the same username you use on other bitcoin sites or is easily guessable. If you previously had a wallet with a common alias and no 2FA authentication I would recommend to create a new wallet.

- don't re-use the same password on other sites.

- Enable two factor authentication.

- Use the browser extension if you can https://blockchain.info/wallet/browser-extension.

- For any significant amount print a paper wallet https://blockchain.info/wallet/paper-wallet-tutorial-web and keep the majority of funds offline.

These are words of wisdom - that's about all you need to do to be pretty much safe (just follow ALL STEPS).

I would add just one thing: stop using Windoze and you will be safer by an order of magnitude. Linux is ideal, but even OSX is way safer out of the box than Microsoft's crap.

EDIT: and disable that Java shit if you have it enable.

QFT.

Especially because setting up a local wallet and even cold storage isn't that hard to do.

Well, you have to type the auth code given from phone into the potentially infected computer, don't you?

Assuming the malware is evolved enough, it could put itself between you and the site you're authenticating to. It would be like a hidden proxy to your session. Only that it could request withdraws that you did not request.

If another 2F code is required for a withdraw, the malware can still wait for you to do a legitimate transfer and proxy that, replacing the address and the amount that's actually sent to the server (while displaying the good tx data to your browser).

I'm not saying it's easy, but it's possible.

2F would be stronger if the smartphone would actually receive the tx data from the server, display it, and request a confirmation from the user. Sort of like Trezor is supposed to behave. The server would not release the money before receiving a signature from a key it knows is held only in the smartphone. The only vulnerabilities I can think of are (1) infecting both devices at once or (2) end-to-end address replacement. (1) is common to all 2F methods and is considered "unlikely", and (2) would be quite hard to implement (the malware would have to change even the initial source for the address, otherwise the user would see that the address displayed on the smartphone do not match), and, assuming the user checks the amount he confirms, it would not allow the thief to get anything more than what the user is sending (if he never sends large amounts at once, he's partially protected)

Well, obviously 2FA is not "the final solution". An attacker sophisticated enough could very well change the code on the page, so you think you are withdrawing to your address but you are in fact withdrawing the coins to the attacker's address.

It seems to me that was what the Strongcoin.com operator did to "intercept" the coins of one of his users to return them to Ozcoin: https://bitcointalk.org/index.php?topic=184610.0

EDIT: the final solution is a paper wallet. And a very good solution is cold storage with Armory (https://bitcoinarmory.com/)

One of three things happened:

1) You had a weak, guessable or crackable password

2) You re-used your password on some other (dodgy) site

3) Your computer is infected with spyware

What do you think?

This.
You kinda deserve to lose it, as you store too many money without any protection.

Do we know how this happened?

this is why you install good virus protection, spyware protection monitor your processes and clear your cache frequently. for the love of christ download avast internet security and use it in sandbox mode for any type of transaction. credit card, bitcoin, whatever it is. always use the sandbox mode. my buddy owns a faucet and had all his money stolen from his account. Also, please use a a password that is ridiculous and never store it on your computer. memorize it or right it down. my password is 57 charachters long and i know it by heart. as for the scammer he may have one for now but karma will catch up with that little fucker!!

"I kinda deserve it"

I work with computers on a daily basis im fully clued up on encryption, i used a totally diff password to any other so called dodgy site i use.

I presumed with 2 passwords on blockchain i was safe!

Not just been me hit is others that dont know yet ive followed my btc thats now sat in russia in an account holding 99k in 4 mear transactions.

but i "kinda deserve to lose it"

you make me sick.....

So either your password was weak enough to break with a dictionary attack, or your computer is pwned. Which do you think it is?

Who in their right mind leaves that much BTC in an online wallet? you realize when its on the blockchain.info site they can get your public key and spam the form with a password spambot until they get in right? You said you are familiar with encryption, and i do feel bad for you and i hate a fucking scammer, but did you really do all you could to prevent this? 37.3 BTC? thats quite a damn bit to be left in a online wallet service.... in the future if you must use an online wallet service, keep an offline wallet to save most of your funds in. when you need some, just transfer it to your online wallet and spend it immediately... read up on {cold} offline wallets and protecting your self from fraud/ hackrs.

Neither as computer is on a fresh reformat and pass was very long and not used on any other site!

At the start of this thread i was asking for advice not ridicule if you have nothing positive to say then please do not comment.

I don't understand what you're saying. As far as I can see there are only 3 possibilities here:

1) Blockchain.info is dodgy or got hacked or something

2) Your password got cracked or guessed or stolen

3) Your computer is pwned

But you're not willing to say that 2 or 3 are even remotely possible, so are you therefore saying that blockchain is at fault? What am I missing here?

Who in their right mind leaves that much BTC in an online wallet? you realize when its on the blockchain.info site they can get your public key and spam the form with a password spambot until they get in right? You said you are familiar with encryption, and i do feel bad for you and i hate a fucking scammer, but did you really do all you could to prevent this? 37.3 BTC? thats quite a damn bit to be left in a online wallet service.... in the future if you must use an online wallet service, keep an offline wallet to save most of your funds in. when you need some, just transfer it to your online wallet and spend it immediately... read up on {cold} offline wallets and protecting your self from fraud/ hackrs.
[/quote]

It was 39.70 btc and yes yes i should of held it offline but i presumed 2 very long passwords would of ment it was safe, i wont be bothering with BTC anymore myself.

What goes around.............

Karma will deal its hand ;-)

Pm, me and ill show you were to make a police report

If the security of the PC was compromised before he added the google authenticator, the hacker could copy the key OP generated to set up google authenticator himself that would generate codes that would be the same as OP's. Another possibilty is the device used for generating the codes could have been compromised as it was mentioned above.


It shouldn't let you reuse a code more than once. In Mt.Gox if I want to quickly withdraw some BTC to two addresses I have to wait a few seconds to send to the 2nd address until a new code is generated because it won't accept the previous one that I have already used (even if it is still valid for a few seconds).

Thank you Ironcross360 pm on the way!

Stolen. report this to blockchain.info. they may be able to retrieve the ip address used at the time the transaction was made. assuming they log that type of stuff.

I Pmed you their phone # Did you call them to make the report?

2 Things are possible

Either blockchain is vulnerable or some leak happened from your end.


If blockchain is vulnerable you will see lots of accounts getting hacked soon.

I have some questions for you.
 
Do you use windows or other OS?
Did you recently installed something or visited any random site, given access to your pc to someone else?

if your answer to one of above is "yes", you might got infected with some advance FUD malware.

FUD means fully undetectable, antiviruses won't catch it and show your pc clean.




I would also like to tell you about 2factor authentication bypass and android malware.

1. 2factor authentication bypass is possible.
There are many malwares available for bank's 2factor authentication bypass. Probably they made one to steal bitcoins too as bitcoins have less risk than bank transfer.

Some malware examples : Carberp, ATS webinject (automatic transfer system)



2. Android malwares are available too,and they can bind it with any legit android app. Some android trojans are public and some are private.

So make sure to download apps from verified source only.

First public android rat:
https://github.com/RobinDavid/androrat
APK binder getting sold on hackorums
http://www.hackforums.net/showthread.php?tid=3464366

I will suggest you to remove all your important data from your pc and check incoming/outgoing connection or any suspicious /infected file.

Don't format it might be rootkit or you will might loose evidence of malware/hijack.

If you find something suspicious let me know.

Nope i emailed em as did not think this comes under "an imminent threat"

i went for the "To report non-urgent suspicions:Contact Us here" option instead but its now been reported and logged.

Ah , the wonders of bitcoin.

Im just wondering where all mine have gone!

well i can even see where they gone, but can do nothing about it!
Oh the Joys, at least its a lot quieter now without the OC gfx cards on full pelt!

I'm really sorry for you.

1) How did you generate your adress?

Sorry for your loss... keep us posted i would be curious to see if the police report works..

How do you know he had a vanity address?

Is this vanity?

Perhaps if his name is Neil.  But very good point - if the entropy isn't sufficient in any vanity generator, it makes the coins held there unsafe.

I deeply dislike the statement that someone deserves to have their coins stolen if they don't do XYZ things to protect them. Should people do their homework before storing that kind of value? Absolutely. But saying they deserve to have their coins stolen is like saying that a woman deserves to get beaten or that some "heathen" city deserves to be destroyed by a natural disaster.

I can get behind the statement that some people will never learn until they learn the hard way but no one deserves to be stolen from simply because they were a bit of a noob. I lost a fair amount of funds because I got busy and didn't manage my account balances well - did I deserve to be stolen from? If it turns out that whatever system you use has a faulty random number generator do you deserve to be stolen from because you "should've known better" than to use a non-quantum entropy source? There's always some extra step you can take to secure your funds better and to blame the victim because they didn't take as many steps as you is a terrible attitude. This was a theft, blame the thieves.

That said, this is one of the many ways in which Bitcoin has a long way to go still. Properly securing a keypair isn't impossible to do and we already know plenty of ways to do it, but it's not common knowledge and we place far too much of the burden of security on the individual who, frankly, almost certainly has no idea what they're doing. Key management is a pretty specialized skill and we need solutions that don't rely on every single user to have that skill. If you have that skill and want to manage your own keys, good on you, I'm happy to manage my own keys too, but most people are going to be incompetent at this particular skill and that's ok - I'm incompetent at carpentry but if I want something built of wood I hire someone to do it. Not everyone has to be good at everything they want done.

Thats not my address this is/was 14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y

And this is where its gone https://blockchain.info/address/1ETWJY39bJb1jb29R4rew3YVZDSDsaERFy

who then passed it on to 1JkoobQf4MfhpGvgywQPsCQGyxbtjiACr2 $ 2,083.73 &
12BYKgGptsrjMV47CgStCokkSCR3xL86Hx $ 3,030.01 

And if you look at there accounts you will see they done other ppl aswell but they clearly dont know yet!

I completely agree with you - I am not trying to blame the victim, only trying to find out why this might have happened so that we may all better protect ourselves.

That hardware wallet cannot come soon enough...

was your identifier an alias or the long identifier number?

And this is where it all is now https://blockchain.info/address/1HSDGPDdq1BcuFbMCtswLLbGiuSZHEjS68 so defo not just been me had!

Was a long identifier

With Bitcoin there's some downsides.. I guess this is one of them.

Live & learn. Hopefully won't happen again.

Already 2 users on this thread affected by the thief. And that address has plenty of coins, if all of that is from stealing (116BTC) is quite a successful raid.

Hope we end up knowing what kind of exploit was used.

No shit wont happen to me again, ill never mine that much again not with mear GFX set up i have and current difficulty lvls.

Ive been wiped out, bang goes our summer holiday!

I have no idea how they did all these transactions whilst i was actually on Blockchain looking at my account without the first withdraw being registered they must of been allmost instant all these

65969f220edbabf5a21e17961014c5f69ef99f6ae58caf0adb07cb873c1bce65
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 64.56 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 2,190.21 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 31.63 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 23.07 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 3.09 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 51.64 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.80 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 12.91 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 5.68 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.29 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.29 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 5.32 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 2.58 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 16.57 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 193.67 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.29 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.42 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 42.61 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.29 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 59.97 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.30 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 30.67 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 25.82 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 52.09 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.55 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 24.53 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 32.28 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.29 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 48.21 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.29 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 32.28 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 4.14 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.96 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 32.28 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 64.56 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 2.45 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1,462.68 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 12.91 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 32.28 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 38.73 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.29 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 23.24 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 32.28 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 25.82 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 20.66 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 25.82 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 32.28 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 32.28 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 14.53 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 13.87 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 32.28 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 7.75 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 2.44 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.30 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.63 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 9.04 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 6.46 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.80 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 30.68 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.29 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 0.62 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 6.46 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 64.56 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 32.28 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 3.50 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.64 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 13.67 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 32.28 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 32.28 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 1.34 - Output)
14epNbGQ1rBFqhWWSx7jN4JPTLW5yZUo7Y ($ 5.16 - Output)
      1ETWJY39bJb1jb29R4rew3YVZDSDsaERFy - (Spent) $ 5,124.83

The first scenario is always a possibility one must start secure to remain secure.  The second possibility is important to bring up because many people may be undermining their "2"FA.  If for example your android phone is your second factor device you SHOULD NOT be using apps or accessing the website from that device.  If the phone is compromised both your factors are now on the same location.  A compromised phone would give the attacker access to both your pasword & gAuth secret key.

One thing people may not be aware of if gAuth doesn't require an active internet connection.  I use an old junked smartphone which I removed all apps, disabled all wireless & cellular that sits on my desks as a 2FA "device" for about 20 or so websites.  When I am not home it goes in the office safe.  Granted that may be a little extreme but eventually everyone is going to have an old smartphone so using a "semi-dedicated" device which is permanently air gapped provides enhanced security on the cheap.


Correct.  By the standard the website should never accept the same code twice (even if still valid).  It is simple to achieve this.  When the site receives the auth code and validates it, it then stores the most recent code in the login/user table.  When receiving a new authentication from the user it first checks that the code wasn't the last one received.  The site should only store last VALID code to avoid an attacker where attacker "flushes" the code by providing an invalid one, and then the valid one.  

Maybe blockchain.info can verify how they ensure no replay attack of 2FA codes.


Note it is possible that a severely compromised computer with custom specific purpose malware could still fail.  The malware could intercept the code, prevent the computer from sending it to the site and then use the code to perform the action the attacker wants.  I would point out if your system is that compromised then just about any wallet (local client, paper wallet input for spending, etc) is at risk. 2FA isn't a magic bullet however it does raise the bar for the attacker.  A generic keylogger, or brute force attack would be insufficient to gain access.  The goal of any security system is to make it more difficult for the attacker.  Can a physical safe be cracked?  Sure but having your gold in a safe is better than in a cardboard box.


PSA about public wifi (or other unknown/untrusted internet connectivity):
MITM attacks can defeat 2FA pretty easily.  The most likely attack scenario will occur when using "public wifi".  An attacker can create a hotspot with the same SSID as your regular hotspot (say starbucks) and using a higher output amp "block" the real starbucks wifi (most routers have pretty weak output so this is pretty easy).  You connect thinking you are connecting to starbucks but you are connecting to the attacker sitting there drinking a coffee with his laptop.  The attacker can MITM any internet browsing.  If the website uses SSL the attacker can't easily impersonate that however the attacker could provide you a fake decrypted (http://blockchain.info vs https://blockchain.info) version of the site or provide you a "secure" spoofed site (https://bl0ckchain.info).  The real solution is that 802.11 needs to be extended to provide strong cryptographic (CA type solution) authentication and per session SSL type keysharing scheme.  Baring the development of a standard I would highly recommend NOT using public wifi for sensitive tasks (or route all communication via VPN when on public wifi) and double check that the website is operating over https and the url is correct.

It is a single transaction, it just has multiple inputs.  Once the attacker had a copy of your unencrypted wallet file he wouldn't need to use blockchain.info website.  Using any client/wallet he could create the transaction and submit it to the network.  Blockchain.info website wouldn't be aware of the transaction until it had already propagated the network.

Agreed.  Blaming the victim is just disgusting.  It is never the victim's fault.  The point about 2FA is to educate others how they can reduce the chance of becoming a victim.  2FA is just a risk reduction tool.  Similar to how strong locks, good neighborhood, outdoor lighting, an alarm system, and a shotgun are tools to reduce the risk of burglary.

Blaming the victim is contrary to the libertarian/voluntarism mindset than many on this site claim to believe in.  

Newbie question here, but am I reading this right and the stolen bitcoins are still in a blockchain account? Can't blockchain "freeze" the account until this is sorted out?

Blockchain.info has no control over user accounts or users' bitcoins.  The Bitcoins are controlled client-side - blockchain.info only facilitates an interface to help control them.

I did the same (without keeping it in the safe part), there are even unnofficial gauths for symbian-based phones (written in java & open sourced ofc)
alternatively one could run it on an old PC/laptop that is never connected to the Internet


With DNS spoofing attacks and SSL hijacking I wouldn't recommend anyone to connect through an untrusted wifi without a trusted VPN (best to set it up yourself) for anything remotely connected with any money.

P.S. you have misquoted in the post I am now replying to

this all sounds somewhat terrifying

Where did you download your miners from?

50BTC about a year ago...

Sorry for your loss.

Many people listed possibilities here but are you clarified what caused that hacking?

OP, Sorry for you loss. We've all had some experience with bitcoin loss and or fraud this and it no fun.   Unfortunately wallet security is a real challenge for bitcoiners.   An until we can get wallet security right this is going to be a very large hurdle to greater adoption.  I'm not sure about anyone else but I  get the following email several times a week.



So blockchain (as are any other high volume bitcoin businesses) is clearly target.

I think Tangible mentioned it first -  does any know that the blockchain.info OTP is really "ONE TIME."  I know when I started using gox OTP it was actually possible to reuse the OTP for up to 5 minutes after the first successful login which would renter the otp inneffectual for any virus resident on your box (GOX has since fixed the issue).

The hacker caused the hacking.
Stronger defenses might prevent future attempts.

Did a test on blockchain.info OTP and they are 1 time use only.

cool

Plus one it is a hosted wallet not your wallet at any point the operators can cut and run...

How do they do that exactly?

Well, they just change their code to steal your password and BAM you're screwed.

Yep I dont know who runs the site but someone has access to the user name and passwords.

ohh noez

That's quite the accusation to a site that claims passwords are managed completely client-side (and have decent proof of that: open-source wallet code (https://github.com/blockchain/My-Wallet/) and in-browser code verifier (https://blockchain.info/wallet/verifier).)  Do you have any sources for this claim, or original research that makes you believe this?

I do have to admit there is something going on -- assuming the reports aren't false, there has been a rash of unexplained blockchain.info thefts lately.  I'm inclined to trust the site operators, but maybe they have a security hole, or someone has managed to stealth-compromise several systems of people who are pretty savvy.

bad for you, good for hacker

What does this mean, exactly? That once you log in, the mechanism (erm, I guess the "confirmation") changes?

That the same code cannot be entered and accepted by the site twice.

An OTP  (one time password) can be generated by Google authentication (http://en.wikipedia.org/wiki/Google_Authenticator) or could be transmitted to your mobile phone by text from the server you are trying to authenticate with.

Once you as the client enter that OTP on the server, the server should immediately invalidate that otp so that it can not be used again by you or an attacker.  With google auth a new pass code, based on time, is generate every minute and should be invalidated every minute or when use by the server.  (some servers allow a slight delay for ease of use).

However if the server you are authenticating with does NOT invalidate the OTP immediately after you enter it correctly,  an attacker with code or a keylogger on your local machine could also log in to your account with the same OTP and gain full access to your secure account.

I tested this on mount gox and an otp replay attack was possible, however they have since patched this.

01BTC10 says he tested this on blockchainwallet.info and this vulnerability does not exist there.

You can try is your self.  If you use otp on any account, long in successfully with one client then open another tab or browser and log in again with the same otp.  Then let time pass.  The longer period of time the server allows you to use the same OTP token the move vulnerable it is.

Only rational cause the comes to my mind would be a keylogger

That's why you shouldn't have used an online wallet

Honestly, I think offline wallets are just as dangerous for most people. If they aren't able to keep their online passwords secure, I don't see how they will be able to go through the offline security.

I am sorry for your loss, and I am terrified that I may have the same vulnerability.
I have read all the posts to try to find anything that makes sense to me.

I am looking in my own account under Account Settings --> Security --> 2 Factor Authentication
There are several choices:

• none
  SMS
  YubiKey
  eMail
  Google Authenticator
  

Will you disclose which of these you had?
I'm glad that you posted this.  I would not have known about the YubiKey choice if I had not looked there today.  I will switch from eMail to YubiKey.
Do I understand correctly that an Android phone was part of your environment?

update:
I cannot seem to activate the YubiKey status.  The YubiKey provides the code into the text box, no other indication of activity happens, and the account is left in the "none" choice, very surprising behavior, I think.


and another thing...
My daughter and I were shot some years ago by her boyfriend.  She died.  A lot of people played "blame the victim" at that time.  The prosecutor had a very clear statement about this:  nothing that she did was bad enough to justify her death.
It is disgusting to blame the victim.  Karma is strong; your own turn will come.

ranlo

I agree

A key logger or local virus has just as much access to your local wallet as to your hosted wallet.

I think the bigger concern for hosted wallets is loss of connectivity and/or unscrupulous/incompetent/or just plain stupid business owners.

(None of which I think applies to blockchain.info who I regard at one of the best if not the best hosted wallet out there.)

But more to your point, secure, complex password, not used on any other site or service is essential.

Hopefully bitcoin will continue to develop more secure (and easy) short and long term storage options.

But you can't get everyone to do that.  Unfortunately (as we've seen here again and again) it take a few hundred or a few thousands or more of loss for user to take bitcoin security seriously.

 
I guarantee you every single person who has suffered a compromise has changed every password, made then unique and enabled 2FA where they can.  Untill then I guess it is just a cost benefit (time/benefit) analysis really.

what have you got to lose (except all your bitcoin).

Don't use Yubikey unless you have a Yubikey (it's a physical USB device). And AFAIK blockchain.info do not have their proprietary yubikeys, you have to use a Gox Yubikey, which is absurd IMO (the whole point of 2FA is to use a UNIQUE mechanism for each account).

I'd suggest using SMS because you do not need a smartphone and you can easily and immediately recover your phone number even if you lose your device. Google authenticator is good too, but you need to have a proper paper backup of the QR code and/or the private key of the security token linked to the account (this is mandatory or you may very well end up having the same problem described in the "I want to sue Google" thread in the legal subforum)

I have a Mt.Gox Yubikey, and also a standard Yubikey.  Both of them will enter characters into the authentication box.  Neither of them seem to enter the "return" character, which is the behavior that the key seems to have in other environments.  I have tested this on Firefox and Chrome, both in a Linux environment.  I also tested it in MSIE in Vista.

It is important to look deeper when hacks & thefts occur to prevent "feel good security".

If (and we don't know for sure) the OP computer was compromised by malware or a 0-day java exploit then a local wallet wouldn't provide any more security.  The malware would gain a copy of the encrypted wallet.dat and when user unlocked his local wallet gained a copy of the passphrase as well. 

Moved most of my coins out of blockchain.info, just because.
There is no perfect security, except locking up the guilty.

Ben from blockchain.info has contacted me and is trying to help, i will let you all know on the outcome!

All i know is i sent 0.1 btc from my 50btc account and allmost at the same time that went into my blockchain.info account i got hacked.

I run every scan going on my PC, im clean it did not happen from my end!

All the best
Stolen....

I would just like to add this was miner i downloaded i had to rewrite the src code myself to remove all this before i used it, how many ppl out there are running these miners, my miner was clean as id rewrote the source code myself!

I suggest you all run this on your miners your using https://www.virustotal.com/en/file/59ed333e51a79e5a7598289f78d161033691c547f56d75329e0b2508f5c46357/analysis/ as this one i downloaded from 50btc about a year ago, first thing i did was scan it and then realise had to rewrite a new safe source code.....

Downloaded a litecoin one today aswell! want to see what in that one?           https://www.virustotal.com/en/file/e8f8ac2648bcb3ac333a8ea7e01d61742537c9af24bb51bbbbb43594bedaf0b4/analysis/

Im going to rewrite this sorce code aswell and if anybody wants clean copies of either your welcome to them....

Just scanned guiminer from the official page.

https://www.virustotal.com/en/file/276568818bb221659c83a7046b60e60e7bc257dfcf7a846fe29df8b85720fe08/analysis/1369556309/

Ironic name.

But you may be the victim of a keystroke logger. Was your password complex? And not 1234abc?

This is pretty scary. I'm new to bitcoin and it looks like the only safe place to store my bitcoins is encrypted on my own computer!

Paper wallets are probably the safest.

where to buy a hardware wallet.

Your computer is probably infected

Like i have told you earlier It might be FUD, Antivirus will not detect it.

My GUI miner
https://www.virustotal.com/en/file/6e96a70f816f9dd25858b5fe9b83ead86bbdef53a58b15e1b6da2ae6ff4611f5/analysis/1369563582/

I don't know why yours showing so many infections.

ouch that sucks man

where did you download this from?

I felt sorry about that,mate :S

hmm thought that's "impossible" to have bitcoins stolen. What I heard was it takes forever.

http://guiminer.org/

Hi,

I share similar experience. Some 4 months ago my blockchain wallet first sent all available BTC to some address (it was around 0.3BTC then). I wasn't upset to much because the sum was not big. After a while I forgot about that and set my wallet address in some mining pool. When I got my first payment it was automatically withdrawn again :(
I had GA enabled all the time and also had a strong password (16 chars, upper, numbers, special - impossible to guess)....
So it couldn't be keylogger (because of GA), and as I'm using Linux don't suspect that it was infection.... Really strange, I moved all my BTC to offline wallet and add the address as watch only in blockchain...

Regards,

Bob, once a wallet is stolen you can NEVER use that address again, any new money you send to it will just be stolen again. A hacker only needs to get the key to the wallet once and it is compromised forever.

Really you should not re-use any addresses, always make a new one for any new bitcoin you want to receive.

I also had problem with blockchain that's why i didn't used it. Once i hve setup my account with 2 factor password authentication, cell phone number, new email id with no text based alias and next day i got mail saying someone logged into my account from Australia. I didn't used it after that incident.

But I thought that it's allright if I input a watch only address (no private key), so I can only see transactions, but cannot send BTC.
Well now I'll probably open a brand new wallet just to be 100% sure...

Thanks,

This is correct. With a watch only wallet no-one can do anything with your Bitcoins because a watch only wallet only contains public keys and lacks the private keys required to make transactions using the addresses in the wallet.

The only thing you lose when someone gains access to your watch only is a lack of privacy: people can determine how many Bitcoins you hold in the wallet and what transactions you made.

Whaaat that sucks man!

Watch out for the security of the e-mail address you use in blockchain.info's wallet.

Regardless of 2FA, if you sent your backup to compromised e-mail and your password is weak enough so the attacker (has months to do it) can crack it, all your private keys are exposed. He does not need to logon to blockchain.info to empty your wallet there! The dark net is full of broken e-mails and someone may be monitoring them automatically.

+1

So because of all of that I'm now using Armory with strong passphrase and only keep a paper backup in my home. Basically there is now only a risk of a fire, but that's about it (at least I hope) :)

BR

If your btc value is high store an encrypted back up of your wallet.dat file or a paper wallet in another location.  (bank - work)

It's virtually impossible (takes longer than a human lifespan) to crack a key if you only know an address.  But stealing bitcoins is as easy as stealing private keys off someone's hard drive and cracking any password they have -- with proper security procedures though, that should be just as hard.

That really sucks, a tough price to pay for the truth that the internet is probably less safe then the streets...

Paying the iron price

You can keep a paper backup in a bank safe or on you at all times (out of plain sight, out of things that frequently get stolen) to prevent that. I'm still thinking of something better, but the paper wallet codes are a little long to reliably memorize :)

You should have been more careful bro...

Is using a watch-only wallet just like using the blockchain to keep up with transactions, only cleaner (and inclusive of all your addresses at once)? Or is there some other benefit as well?

Google authenticator should work just as well as a yubikey. Just remember to keep a backup of your key, or some one time passwords.

Personnaly i lost 5,5 BTC last year.

Now my wallet is on a crypted usb key

You should keep your wallet on your flashdrive ! :-\

MOD EDIT:
See https://bitcointalk.org/index.php?topic=218040.0 as this site is probably a scam

The best method to save your bitcoins is a paper wallet, here can nobody steal you digital, only physicall and i think this happens less. I used the Bitcoin address generator at www.bitcoin-address.org. I think its the best because its the official bitcoin generator. How can I get my bitcoins now back digital, if i have them on paper? How can I import them?

Consider using cold storage. Just write the private key on a piece of paper and remove it from you computer.

No there are no additional benefits :)

(And you meant www.blockchain.info, that is not the same as the BlockChain ;))

My standard Yubikey was accepted.
My Mt. Gox Yubikey was rejected.

edited:
I also restricted the account to my IP address.

sorry to hear the lost. It may be safer to store in local wallet?

I was holing out for a hardware wallet.  Bit of a mistake that was.

Would that not also be hackable ?  If your computer is comprimised so is your bitcoins correct ?