Bitcoin Forum

mcxNOW on September 16 had over 500 unique ips scan a 3rd party (currently unknown origin) leaked USER/PASSWORD database on the mcxNOW accounts looking for accounts which matched the leaked database. The hacker then logged into about 50 different accounts and withdrew up to 4 Bitcoins after cashing out other coins in those accounts.

Firstly
1) If you use a unique username or password at mcxNOW you have nothing to worry about.
2) If you used 2FA at mcxNOW you have nothing to worry about

Any member of mcxNOW I advise you to log in and check your security center. Look for failed logins to help identify which exchange/pool/forum database has been leaked and is being tested on sites like mcxNOW! We can then warn users of that service before the hackers take any more of these users money. Thanks.

@RS,

How many threads on this topic do we need? ::)

Edit: Wasn't this the "most secure" online exchange ever? ;D

Holy shit you're retarded.

^^

That may be...but I'm still right  ;D ;D ;D


~BCX~

mcxNOW wasn't hacked.

BCX, the attacker wasnt you by any chance? i'd like to congratulate the hacker by sending him my now stolen btc :P

Unfortunately there isn't much one can do to force users to use a unique username and password at mcxNOW. It is security 101 but some users fail to do it.

And we come back to the point that your exchange isn't the most secure given that simple fact.

That problem relates to every exchange and service. What site doesn't suffer from it? If they have a login system it applies to them.

I merely think you've overstated the security of your site as "the most secure". Hard to make that statement without actual proof of 3rd party testing against/compared to other exchanges right?

All fud aside I think the other exchange owners should keep up with this shit!!!  This is the third event I have seen in two weeks now!  


Btx  as much of an asshole as you are sir I wouldn't doubt if it was somebody like you doing this bullshit!  


It's fucking bad enough our world leaders can barely get along..


Why can't people in crypto get along either?  Why so much hate?  

Without offering any kind of position on how scam/trustworthy TheRealSolid is, I fail to see how, if my password is "password" across all of my services, and for that matter my username is "gramma", how that is MCX's failing when someone figures it out and uses it to get into it, and B of A, and Mt Gox, and and and...

I'm not condoning the "attacker" if indeed that is what happened. You need to do some reading of Coinhunter/Realsolid going back to August 2011. Come back and let's discuss.

I coded the whole thing from scratch, including the exchange http server and had 3rd parties test it already, combined with numerous hackers testing it for the 5 months operational. It's never going to be "enough testing" in some people's minds, and it comes back to you simply not liking me boasting about something I personally think is impressive. You are free to have any opinion you want about my security and my claims, I don't judge you on it. And if you don't want to use the exchange due to it then that is your right.

it's not. I was merely pointing out how RS and his sockpuppets claiming mcxNOW is the "most secure" exchange ever is an OVERSTATEMENT.

Indeed and thanks to my security system at mcxNOW the people who have the same username but a different password at mcxNOW can help identify the origin of the 3rd party service which has been leaked. Hopefully we can find out soon and warn users of that site(s).

It is called envy

You didn't even address the part about actually comparing security tests between yours and other exchanges. Now if you had done that and a 3rd party (neutral) claimed your site as "the most secure" then fine. But until then, it is just YOUR opinion as opposed to facts that you are advertising to users.

Typical salesman tactics...

Many companies/sites make claims about themselves which are very hard to verify. It is called marketing.

In this case many people who read about the security at mcxNOW and know the system do believe it is the most secure out of the systems *they know*. I am not the only one, and you can consider it an untested marketing claim / salesman tactic if you want, no one will fault you for that.

Can't you just make up nice long totally random passwords to people and tell them their password instead of asking them to make one up?

I guess then though they'll just go use that same one on phishingsite.com ?

-MarkM-

Some of you are stupid as fuck. mcxNOW wasn't hacked. Someone got a username/password list from somewhere else and tried to log in with the list they had

Blaming RS for people being stupid and using the same name/pass for everything is even more retarded than those people are

RS shut down trading and looked into it, even though it wasn't his site that was compromised.  Holy shit people stop being so stupid

One simple thing could have prevented it that many other exchanges have already implemented.

Withdrawals only through email verification

All Fear, Uncertainty, and Doubt aside.  I still feel safer with my coins on mcxNOW than a couple of other exchanges.  

Or 2FA. The problem is these people who use the same user/pass at every site typically don't care about enabling extra security features either.

2FA has been there since the update too. mcxNOW doesn't store or use emails for verification but does give users the choice of Google Authenticator as a second auth device.

LOL - Yea, I know. Just responding to the people saying mcx sucks. I've been buying shares like a madman

But why do you unlike other exchanges not require email verification?

Its a major security step the "most secure" exchange should probably have

I believe emails are an invasion of privacy of my users. I've removed them from the site and now will only support offline second authentication methods such as google auth.

well my account is safe, but i'm adding google 2FA this evening just i case, meant to do it over the weekend but got caught up in things :)

Would you believe that in New York City there are actual jobs (job title "Media Relations") some of which specialize on "character assassination". Here, a character can be a person, an event, a website, or a more abstract term.

The job of these people is to twist words, and spew party line propaganda. Their job is done when sufficient number of media outlets republish their twisted words, making it "the truth".

I used to see a lot of that on Twitter, and now this thread and others are full of similar attempts.

I was thinking the same thing. But of course RS knows everything so I failed to mention it for that reason.

Let me ask you this: Do you know the true identity of RS?  In case he decides to close up shop and run with your coins?

BTC-e operates the same way....with anonymity.

Perhaps RS can prove me wrong and reveal his personal identity to instill trust that he could be held responsible if he ever decided to close his exchange and run with user deposits?

What I find odd is how he was such a huge hater of LTC and Coblee and now his exchange supports LTC trading. Volume on LTC as opposed to SC is huge disparity.

Every mcxnow user has a plenty of public/private key pairs ;)

Require all users to use a system generated random password of X length etc.

Done.

I'm sorry, but I have read through the old coinhunter drama..  doesn't phase me a bit.    I'm new to the community and have watched rs talk in chat for months now.  I don't believe that's going to happen, nor is it the reason for this thread.  You guys should quit trolling so damn hard.  The guy doesn't wanna tell you who he is.  Get over it.

Except if Joe-one-password is also using the same password for their email, which is not so unlikely since we already know they don't use a different password for every service.

+1

I second this. Any company that offers shares (including BTCTC) most always shows who they really are, in case of this exact reason. He could close up the site and walk away with a fortune and there would be nothing you could do about it.

I'm sorry but you could not have possibly gotten "caught up" on reading that fast. You can't just read his posts you have to read them in context to the rest of the community at that time.

Nice try to make it seem like you're all caught up.

Your account was created on April 27, 2013. Hardly enough time to know what went on over 2 years.

Maybe he should look at the time stamp of the genesis block of Solidcoin 2 to see the maturity level of the guy. Remember, this was a coin that was ready for the collapse of bitcoin.


~BCX~

that RS dude is a giant twat and bi polar.
excellent material for the world nowadays...

And you have to wonder why guys like smoothie and bitcoinexpress are so determined.
I tend to believe them, because i have seen how 2 faced that Realfullofit can be.

powertripping geek.

N00b here.  Executive summary, or links to exemplary posts?

https://bitcointalk.org/index.php?action=profile;u=34967;sa=showPosts

Why don't you add the Re-captcha to login.

Yeah that's a great way to scare everyone away.

No one is going to go on a site where they can't set their own passwords.

Don't these sites salt and hash passwords before being stored in their database?

do you have a script that tells you when RS posts? I'm thoroughly impressed with your response time to his postings and wish you all the best in your endeavors. Keep it up!

I'm unable to setup my 2FA using Google Authenticator. I asked other users on mcxNOW chat and they told me they experience the same issue. Some recommended I try to enter the key manually instead of scanning the QR code but it still won't accept it.

Please advice what I should do.

Had the same problem and they told me to adjust the time a little on my device (PC for me using GAuth app), because the logs said my numbers were slightly off, so it kept rejecting me. When I finally got in after about 30-40 login attempts, I just ended up withdrawing. The most disturbing part was the 30 days' wait to reset the 2FA. Now I'm sticking with Cryptsy, the SMS code to your phone works every time, so far.

Here's the email:
If you can sync the clock on your 2FA device, or as soon as the number switches you will be able to get in. There's currently no way to undo 2FA devices, the aim of them is to prevent 3rd parties entering. Other sites have a one month waiting period before resetting 2FA devices on an account. So like I said, you can mess with your time a bit and get a correct code because you're not far off it, much easier than waiting 30 days.

Switch to white theme and scan the qr code there. If this doesn't work, then insert it manually.

Your 2fa device has to be synchronized. You do that in the settings->time correction for codes->sync now in the Google Authenticator.

Thank you for the help guys.

I tried it manually and I still got the same error... but it's finally resolved!

For those of you that might find this in future, do what usahero suggested:


Thanks, you're my USA Hero ;)

The recent update to mcxNOW actually improved the handling of google auth 2FA. I'm a bit more lenient with 2FA devices that have wrong time. Seems many are 30 seconds behind or in front of "reality", so it should be a lot smoother with current update.