Bitcoin Forum

Other => Meta => Topic started by: theymos on October 18, 2017, 02:47:10 AM



Title: Email security notifications
Post by: theymos on October 18, 2017, 02:47:10 AM
I added email notifications for some security events:

Whenever your password is changed (except by an administrator), you will get an email about it.

Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days.

Let me know if you find any bugs.
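
Added example (not part of theymos's post and not the forum's own code): one way a server could implement the behaviour described above, sending the email-change notice to the old address with a stateless HMAC-signed lock link that expires after 14 days. The key, the URL, the `Account` class and every function name are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

LOCK_LINK_TTL = 14 * 24 * 3600        # the post says the link is valid for 14 days
SECRET_KEY = b"constructed-demo-key"  # assumption: server-side secret, constructed here
LOCK_URL = "https://forum.example/lock?t="  # hypothetical endpoint


@dataclass
class Account:                         # hypothetical minimal account record
    user_id: int
    email: str
    locked: bool = False


def _sign(payload: str) -> str:
    # Domain-separate with "lock:" so the MAC cannot be reused for other links.
    mac = hmac.new(SECRET_KEY, b"lock:" + payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def make_lock_token(user_id: int, issued_at: int) -> str:
    payload = f"{user_id}.{issued_at}"
    return f"{payload}.{_sign(payload)}"


def verify_lock_token(token: str, now: int):
    """Return the user id for an authentic, unexpired token, else None."""
    try:
        uid_s, ts_s, sig = token.split(".")
        user_id, issued_at = int(uid_s), int(ts_s)
    except ValueError:
        return None
    expected = _sign(f"{uid_s}.{ts_s}")
    # Constant-time comparison avoids leaking how much of the MAC matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if not 0 <= now - issued_at <= LOCK_LINK_TTL:
        return None
    return user_id


def change_email(acct: Account, new_email: str, now: int, by_admin: bool = False):
    """Apply the change and return the (recipient, body) mails to send."""
    old_email, acct.email = acct.email, new_email
    if by_admin:                       # admin changes send nothing, per the post
        return []
    link = LOCK_URL + make_lock_token(acct.user_id, now)
    # The notice goes to the OLD address: the new one may belong to an intruder.
    return [(old_email, f"Your email was changed. Lock your account: {link}")]


def password_changed_mails(acct: Account, by_admin: bool = False):
    # Assumption: the notice goes to the address on file when the change happens.
    return [] if by_admin else [(acct.email, "Your password was changed.")]


def redeem_lock_link(accounts: dict, token: str, now: int) -> bool:
    """Lock the account named in a valid token; unlocking is left to an admin."""
    user_id = verify_lock_token(token, now)
    if user_id is None or user_id not in accounts:
        return False
    accounts[user_id].locked = True
    return True
```

Because the token verifies itself, the server keeps no per-link state; the trade-off is that an individual link cannot be revoked before it expires.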


Title: Re: Email security notifications
Post by: Dorkie on October 18, 2017, 03:09:52 AM
You should have implemented this long ago.

Too bad for me, you implement this only after my account got hacked.
My hacked Dorky account underwent both password and email change less than 14 days ago.
And the last time I check my old email inbox, I don't see any notification there.
I suppose it is now 100% gone.

Update:
So I received notification to this "Dorkie"
But I received no notification to "Dorky" when I try to recover password for this username.
The old email address used by "Dorky" is the same as I used it with this account.

Update #2:
Pissed that my Dorky account lost to this.
Nevertheless let's hope this added security notification will help to significantly reduce (if not totally eliminate) all account hacking.
It may not be able to save my "Dorky", but at least it may save many other accounts from now onward.


Title: Re: Email security notifications
Post by: Meuh6879 on October 18, 2017, 11:31:13 AM
Whenever your password is changed (except by an administrator), you will get an email about it.

Verified, no problem, email received if password is changed.

+logout
+login to test changed password
= no problem.

+forgot password link
+email received to reset password
+change password
= no problem.


Title: Re: Email security notifications
Post by: Meuh6879 on October 18, 2017, 11:54:19 AM
Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account.
The link is valid for 14 days.

Verified, no problem.

Email with LOCK command works great for my temporary account already banned after the successful recovery.


http://imagizer.imageshack.us/a/img923/532/ucZpW6.jpg


Title: Re: Email security notifications
Post by: Globb0 on October 18, 2017, 12:27:56 PM
Thanks Theymos, this is great news since we seem to be under attack a lot.






Title: Re: Email security notifications
Post by: kakawin on October 18, 2017, 12:31:26 PM
Great thing to improve security! I hope there won't be so many hacks now. Thanks for your work!

P.S.
I've just tried it. No bugs have been spotted.


Title: Re: Email security notifications
Post by: _javier_ on October 18, 2017, 02:48:06 PM
i wish this was applied some days ago.. my hero account was stolen, it was "_javi_"

i PM'ed theymos but no response yet.
I can't sign a msg cause i didn't have a linked btc address. But i have a huge list of emails for the PM i got since 2014.. doesn't it prove ownership??

if you look at _javi_ latest post, it's SO obvious that it was stolen.. or i learned to write in a weird language i can't even recognize.. changed my email.. and changed avatar for "eidoo whatsoever" (get ready for the scam)
https://bitcointalk.org/index.php?action=profile;u=144120;sa=showPosts
(my last post was October 13, 2017, 04:52:58 PM)

theymos, Cyrus.. if you still read this thread.. plz take a look at my case.


Title: Re: Email security notifications
Post by: AmXProX on October 18, 2017, 03:10:07 PM
This is a great addition to the security features of our accounts.

It will also prevent or at least lessen the number of members selling their bitcointalk account.


Title: Re: Email security notifications
Post by: maeusi on October 18, 2017, 03:32:12 PM
Many thanks, theymos, for this new security feature. It is also good that, for changing the email address, no confirmation but a locking link will be sent, because for some reasons it could be that the email is lost or a change is necessary for other reasons.


Title: Re: Email security notifications
Post by: jojo69 on October 18, 2017, 03:44:00 PM
thanks theymos


Title: Re: Email security notifications
Post by: chencho777 on October 18, 2017, 04:07:28 PM
I added email notifications for some security events:

Whenever your password is changed (except by an administrator), you will get an email about it.

Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days.

Let me know if you find any bugs.
Hooray! This was a MUCH needed feature. Hope I can recover my hacked account in the coming days...

PS Would it be possible to send this notification to accounts which changed password in the last, say 14 days or so? So we can recover them by ourselves?

Thanks again!


Title: Re: Email security notifications
Post by: maeusi on October 18, 2017, 04:12:25 PM
I added email notifications for some security events:

Whenever your password is changed (except by an administrator), you will get an email about it.

Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days.

Let me know if you find any bugs.
Hooray! This was a MUCH needed feature. Hope I can recover my hacked account in the coming days...

PS Would it be possible to send this notification to accounts which changed password in the last, say 14 days or so? So we can recover them by ourselves?

Thanks again!

That brings me a question in mind and I don't want to try out:
What will happen, if I locked my account? Can I then reset the password via email or must admin unlock?


Title: Re: Email security notifications
Post by: Meuh6879 on October 18, 2017, 04:19:44 PM
admin must unlock.
and hacker can not use the account (with the new email).

Ban and Lock are not the same feature.
Ban invalidates the email, you can not use this email.

So, it's good ... IP & email can be blacklisted after.


Title: Re: Email security notifications
Post by: maeusi on October 18, 2017, 04:35:11 PM
admin must unlock.
and hacker can not use the account (with the new email).

Ban and Lock are not the same feature.
Ban invalidates the email, you can not use this email.

So, it's good ... IP & email can be blacklisted after.
So it's still the same procedure (signed message) to get the account back (unlocked) with old email address?


Title: Re: Email security notifications
Post by: Dorkie on October 18, 2017, 04:41:21 PM
Would it be possible to send this notification to accounts which changed password in the last, say 14 days or so? So we can recover them by ourselves?

I tried that on my hacked account. No.


Title: Re: Email security notifications
Post by: Quickseller on October 18, 2017, 05:29:22 PM
your old email will get an email about it with a link to lock your account.
What is the procedure to get your account unlocked? What amount of resources will be put into unlocking accounts?


Title: Re: Email security notifications
Post by: theymos on October 18, 2017, 06:11:49 PM
What is the procedure to get your account unlocked? What amount of resources will be put into unlocking accounts?

It's on the same level as other recovery requests. So don't do it lightly. But it's better than actually allowing your account to be/remain compromised.

When you click an account-lock link, there's a paragraph explaining this.


Title: Re: Email security notifications
Post by: recovercryptotech on October 18, 2017, 10:51:17 PM
What is the procedure to get your account unlocked? What amount of resources will be put into unlocking accounts?

It's on the same level as other recovery requests. So don't do it lightly. But it's better than actually allowing your account to be/remain compromised.

When you click an account-lock link, there's a paragraph explaining this.

Hello theymos,

I emailed you two days ago regarding my account being hacked. https://bitcointalk.org/index.php?action=profile;u=397698
It looks like it was hacked on October 15th. You can see all the activity that's taken place since it's been hacked. Random posts on ICO threads, airdrops, speaking in Russian, etc. Also looks as if he has gone and deleted a lot of my posts. You can see my main thread for TheCryptoChat here https://bitcointalk.org/index.php?topic=1574268.0

You added this feature for the email today but can you make that work for an account that was just compromised 3 days ago? I would really like to get my account back if at all possible as it's been my account since 2014 and most know me by my username. If you check your email you should see an email from me on Oct. 16th, the day I noticed my account was hacked.

Hope to hear from you soon. Thanks.


Title: Re: Email security notifications
Post by: TTITA on October 19, 2017, 02:34:58 AM
Thanks theymos,

can this email security feature request a new password if we forgot it?


Title: Re: Email security notifications
Post by: BCTBF on October 19, 2017, 06:10:02 AM
Great work, I hope this feature will continue to exist to prevent and anticipate hacked accounts.
Thanks theymos.


Title: Re: Email security notifications
Post by: coin163 on October 19, 2017, 08:55:06 AM
Thank you for improved security


Title: Re: Email security notifications
Post by: chencho777 on October 19, 2017, 10:26:04 AM
This will surely discourage most account hacking attempts, if most people are able to lock their account after a suspicious password/email change. It will probably lower the workload of Admins regarding this problem as well.

It would also be great if the recovery process would be automated somehow. As an example, being able to trigger a password reset from that same security email. Or enable a form to submit a link to a posted bitcoin address and a signed message with that address, which can be automatically verified so that the Admins don't have to do it manually.

Thanks again.


Title: Re: Email security notifications
Post by: TheRealAwesome31312 on October 21, 2017, 02:41:23 AM
I added email notifications for some security events:

Whenever your password is changed (except by an administrator), you will get an email about it.

Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days.

Let me know if you find any bugs.

Post edited. I thought there was a bug, but alas, looks like I never got the email notification when the email was changed. Now some douchebag who can't even speak English is making money spamming the forum using my identity.


Title: Re: Email security notifications
Post by: Bitfort on October 21, 2017, 11:29:00 AM
About time  ;) ...hope this can reduce amount of hacked accounts.


Title: Re: Email security notifications
Post by: audaciousbeing on October 21, 2017, 12:26:08 PM
This is something to be happy about as this increases the amount of security to the account. However, my question is that, if someone for example attempted to hack the account, I get a notification in my email which I took action on, how do I claim my account back? That part is not clear in any of the posts earlier. Also, is there a way for the source of the message to be made public so that I know beforehand the address I should receive a message from in case there is an attack? This is important not to fall for phishing mails and not to willingly give the access thinking one is denying such.


Title: Re: Email security notifications
Post by: azril fauzan on October 21, 2017, 04:48:36 PM
"Sorry abdillahzidan, you are not allowed to post or send private messages in this forum.
You have been banned by forum moderators. You can appeal here: banappeals-w6pquw43@theymos.e4ward.com." There is a notification like that on my old account. But up to now there has been no response at all despite sending a mail to that address. There is an odd crosshatch with that address, but hope I just want my account can be commented again and can send personal message as before. For consideration I will include link profile and activity link
link profile; https://bitcointalk.org/index.php?action=profile;u=1052912
https://bitcointalk.org/index.php?action=profile;u=1052912;sa=showPosts
Thank you for all


Title: Re: Email security notifications
Post by: TheRealAwesome31312 on October 21, 2017, 05:07:44 PM
Yeah, anybody with more than four brain cells knows that an email address should have something to do with account security. It shouldn't just serve as a label. Seriously


Title: Re: Email security notifications
Post by: actmyname on October 22, 2017, 06:28:43 AM
However, my question is that, if someone for example attempted to hack the account, I get a notification in my email which I took action on, how do I claim my account back? That part is not clear in any of the posts earlier.
It's clear. If your password is changed, you receive an email notification. Thus, you can reset your password via email. If however the email is changed, then you have a link to lock your account and retrieve the account.
What was unclear?

This covers all (2) scenarios when someone's account is hacked.


Title: Re: Email security notifications
Post by: gliridian on October 22, 2017, 06:57:53 PM
Thanks for doing this Theymos. Maybe a lot of people will complain on why these security features were applied just now. But monitoring and managing this huge community from different backgrounds to different parts of the world is really hard. So I really appreciate your hard work here in bitcointalk and for providing us a more secure venue. I know you're doing all your best to make everything here work smoothly.


Title: Re: Email security notifications
Post by: AndroMerlin on October 22, 2017, 07:24:27 PM
how to do this at my end?


Title: Re: Email security notifications
Post by: LTU_btc on November 02, 2017, 02:43:22 PM
I noticed this news only now. It's great, I hope it will help to reduce number of hacked accounts. From what I saw, amount of hacked accounts was big in recent months. Important thing - don't use same password on Bitcointalk and email.
P.S. As I understand, administrators (theymos and Cyrus) have ability to change user email address? Why might they need to do it?


Title: Re: Email security notifications
Post by: Globb0 on November 02, 2017, 05:26:44 PM
I noticed this news only now. It's great, I hope it will help to reduce number of hacked accounts. From what I saw, amount of hacked accounts was big in recent months. Important thing - don't use same password on Bitcointalk and email.
P.S. As I understand, administrators (theymos and Cyrus) have ability to change user email address? Why might they need to do it?

For an example. What if someone loses their password but no longer has use of that old inbox to reset the password. But luckily they can prove they can sign a message from an associated BTC address. "I am Darren at BCT Forum-07860986060869#"

There must be a mechanism for an Admin to achieve such changes. When they deem appropriate, admin is a responsible role.







Title: Re: Email security notifications
Post by: maeusi on November 07, 2017, 05:50:28 PM
Please move this thread on top of Meta section.


Title: Re: Email security notifications
Post by: Awan Awan on November 19, 2017, 08:54:29 AM
Thanks theymos,

can this email security feature request a new password if we forgot it?

Yes. Just select forgot password and enter your username or email, then an email notification is sent to your email.


Title: Re: Email security notifications
Post by: mrsalve01 on November 23, 2017, 12:27:15 AM
This is good security measure but is it working?

My account https://bitcointalk.org/index.php?action=profile;u=400666 got hacked 14th of Nov. Email changed and then password.

I got in to it quickly in minutes after it was done. Clicked a link and thought thief can't use account any more.
Checking now my account activity I notice someone has been on it today cus it's showing last activity Last Active:
November 22, 2017, 03:12:06 AM???


Btw Cyrus or theymos if you find time I would like to get my account back. I sent PMs to you with proof that I'm the original email holder and then another one with signed message.



Title: Re: Email security notifications
Post by: Sefatih on November 23, 2017, 12:33:04 AM
theymos

Sorry Guest, you are banned from using this forum!
For security, your account has been locked. Email acctcomp15@theymos.e4ward.com

-----BEGIN BITCOIN SIGNED MESSAGE-----
My account <Afandoras> has been hacked/lost. Please reset the email to <f.akyuzz@hotmail.com>. The current date is <01.11.2017 /23.11.2017>.

Account locked. Nick Afandoras. Help


Title: Re: Email security notifications
Post by: Cryptoshaft on January 07, 2018, 03:16:15 AM
You should have implemented this long ago.

Too bad for me, you implement this only after my account got hacked.
My hacked Dorky account underwent both password and email change less than 14 days ago.
And the last time I check my old email inbox, I don't see any notification there.
I suppose it is now 100% gone.

Update:
So I received notification to this "Dorkie"
But I received no notification to "Dorky" when I try to recover password for this username.
The old email address used by "Dorky" is the same as I used it with this account.

Update #2:
Pissed that my Dorky account lost to this.
Nevertheless let's hope this added security notification will help to significantly reduce (if not totally eliminate) all account hacking.
It may not be able to save my "Dorky", but at least it may save many other accounts from now onward.
indeed.
i also lost my account prior to hack.
the email changed and last time i asked to mod, it's banned already.
i think they also should record 'first email registered' to verify account ownership manually


Title: Re: Email security notifications
Post by: krishnaverma on June 08, 2018, 05:49:15 AM
OP, what happens after the account is unlocked by the admin ? What will be the email id in that account - earlier one or the one that hacker used?


Title: Re: Email security notifications
Post by: patron bounty on June 08, 2018, 05:40:10 PM
Thanks theymos, this is a good security feature.
This is an effort to improve the security of our work system.


Title: Re: Email security notifications
Post by: Cosette on June 08, 2018, 05:54:27 PM
OP, what happens after the account is unlocked by the admin ?
OP is admin ::)

Quote
What will be the email id in that account - earlier one or the one that hacker used?
Based on this sticky post on this section, you will ask signed message with your new email address.
https://bitcointalk.org/index.php?topic=497545.0


Title: Re: Email security notifications
Post by: Quickseller on June 09, 2018, 04:52:00 AM
OP, what happens after the account is unlocked by the admin ? What will be the email id in that account - earlier one or the one that hacker used?
It will be the one the hacker used. This allows it so even if an admin recovers an account the hacker still has access to the account. /s


Title: Re: Email security notifications
Post by: digaran on June 09, 2018, 05:40:52 AM
OP, what happens after the account is unlocked by the admin ? What will be the email id in that account - earlier one or the one that hacker used?
It will be the one the hacker used. This allows it so even if an admin recovers an account the hacker still has access to the account. /s

Here we have yet another admin wannabe. great. ;)


Title: Re: Email security notifications
Post by: krishnaverma on June 11, 2018, 04:45:06 PM
OP is admin ::)

Based on this sticky post on this section, you will ask signed message with your new email address.
https://bitcointalk.org/index.php?topic=497545.0

1) I know that. What difference does it make to how should I address him ?

2) I know the process to recover as well. I am asking about specific thing not mentioned in that thread.


OP, what happens after the account is unlocked by the admin ? What will be the email id in that account - earlier one or the one that hacker used?
It will be the one the hacker used. This allows it so even if an admin recovers an account the hacker still has access to the account. /s

So, what stops the hacker to gain access back to the account ? Still waiting for an official reply on this.


Title: Re: Email security notifications
Post by: actmyname on June 11, 2018, 09:49:38 PM
Here we have yet another admin wannabe. great. ;)
Do you hear that sound, whizzing over your head?

It's a bird, it's a plane, no wait...
w H O O O O O S H H H H

I know it's hard but you should stop trying to be such a cunt. Maybe you heard the phrase wrong: it's not "you eat what you are"


Title: Re: Email security notifications
Post by: mdayonliner on July 03, 2018, 10:23:25 AM
I am not sure if it has been discussed here or not but excuse my rush here...

Looking at all these hacked/locked account issues and the time needed to recover them manually, I feel very insecure for my account too. Although I always use strong password, 2FA where applicable - all sorts of things to ensure the highest security but still anything can happen anytime. It could be my mistake or it could be system leak, which actually does not matter. What matters is once an accident happens then the account holder is facing all sorts of hassles which is frustrating.

Coming to my point...
Whenever your password is changed (except by an administrator), you will get an email about it.

Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days.

I actually do not understand why the email to lock? Instead of the link to lock the account why can not the system send an email asking to revoke the request if the change has not been made by this email account holder?

I think this could be a decent procedure....
If an account (bitcoinTalk) requests for password and/or email change then send an email to the last registered email address asking for approval. Send a link which will confirm manual approval for the change requested. If the original user requested the change then they are liable for their action. Now, if the user does not have access to the email address only then ask the mods/admins to help them out. I believe this small tweak in sending email will be saving a lot of time for both the users who are victims and mods/admins.


Update:
A little correction...
For password change send approval email to the current registered email account and for email change send approval email to the last registered email.


Title: Re: Email security notifications
Post by: Lordofervi on July 10, 2018, 02:15:05 PM
my account was hacked but I was able to click on the link to lock my account,
which is a problem for me how to get back my account ???,
and how my status account now ???
will admin restore that account to the final data before the mail and password change and send me a new password ????


Title: Re: Email security notifications
Post by: Lordofervi on July 10, 2018, 02:21:08 PM
my account was hacked but I was able to click on the link to lock my account,
which is a problem for me how to get back my account ???,
and how my status account now ???
will admin restore that account to the final data before the mail and password change and send me a new password ????

http://i66.tinypic.com/2lkvi4g.jpg


http://i66.tinypic.com/jz907b.jpg


Title: Re: Email security notifications
Post by: trapatalce on July 10, 2018, 09:21:34 PM
my account was hacked but I was able to click on the link to lock my account,
which is a problem for me how to get back my account ???,
and how my status account now ???
will admin restore that account to the final data before the mail and password change and send me a new password ????

http://i66.tinypic.com/2lkvi4g.jpg


http://i66.tinypic.com/jz907b.jpg

If you've not locked your account, yopmail allows you to open any email registered with that domain, just use the forget password option and open the email on yopmail and then reset the email.

On another note, the same IP Address hacked me and a few other people.


Title: Re: Email security notifications
Post by: tbct_mt2 on July 11, 2018, 05:16:33 AM
What if I lose access to my old email address, which I used to register my account at the start?
I guess this situation might lead to losing all control of my account, am I right?
Is there any chance to get my account back if I unfortunately fall into such a very bad situation?


Just a bit curious because I have never experienced such terrible cases.


Title: Re: Email security notifications
Post by: Chaki_ on July 11, 2018, 01:11:03 PM
It's nice to receive a link from the forum to the email linked to your bitcointalk.org account before you can change your password.
Second, if you will receive an email also saying that your account has been opened for the first time on a different device, it will also give the account owner a way to block this transaction if ever your account was opened in an unknown location.


Title: Re: Email security notifications
Post by: coinnumber on July 11, 2018, 01:21:04 PM
I added email notifications for some security events:

Whenever your password is changed (except by an administrator), you will get an email about it.

Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days.

Let me know if you find any bugs.

I think this is a good development and it will go a long way to reduce hacking of accounts and secure the account as long as possible, but I as a person don't have the idea to carry out this operation and make my account firmly secured. Please can you help me with some detailed explanations? I will really appreciate that. Thanks.


Title: Re: Email security notifications
Post by: TheRealAwesome31312 on August 09, 2018, 04:56:49 AM
I'll never forget how I lost my account because the admins were not intelligent enough to actually add email security notifications at the time.

RIP awesome31312

From Politics shitposting to shitposting in a language we don't know


Title: Re: Email security notifications
Post by: Jet Cash on September 23, 2018, 06:57:50 AM
This looks like a great improvement to the security here.

Now, please could we have email confirmation of new registration applications, and a restriction that only one account can be associated with an email address. I am aware that it is easy to circumvent these restrictions, but it adds some more difficulties to the bot signups.


Title: Re: Email security notifications
Post by: Quickseller on September 23, 2018, 07:20:08 AM
This looks like a great improvement to the security here.

Now, please could we have email confirmation of new registration applications, and a restriction that only one account can be associated with an email address. I am aware that it is easy to circumvent these restrictions, but it adds some more difficulties to the bot signups.
Presumably, the bots are advanced enough so that they can create their own email server and acknowledge these sign up confirmations.

Requiring email verification would likely result in normal users having decreased privacy.