Bitcoin Forum

Bitcoin => Pools => Topic started by: deebug on July 18, 2011, 09:24:13 AM



Title: Slush Pool (api.bitcoin.cz) hacked again?
Post by: deebug on July 18, 2011, 09:24:13 AM
Hi, on 2011-07-15 21:33:14 my wallet address was changed to ------------------------------------------ and my limit went from 1 to 0.1 and "Notify on payout" wasn't checked any more.
I did not receive a change wallet notification via e-mail which it normally should do if you want to change your wallet address, so I'm assuming this is an internal change (DB value change).
I'm not comfortable with this at all. Are there any other victims? Please speak your mind, I would like to know if I am alone here or not.

The next logical question is, what would be the best alternative for api.bitcoin.cz?
I know there are a LOT of choices and that's the problem... Any well-founded suggestions would always be welcome :D
Until 2011-07-15 21:33:14 I was pretty happy about the service, they could handle DDoSes pretty well, almost no connection problems during all my months of mining...



Title: Re: Slush Pool (api.bitcoin.cz) hacked again?
Post by: MiningBuddy on July 18, 2011, 09:34:50 AM
Everything is fine from my end.

Are you sure that password wasn't one used on mtgox?

Definitely sounds like you chose a poor password.


Title: Re: Slush Pool (api.bitcoin.cz) hacked again?
Post by: deebug on July 18, 2011, 09:40:42 AM
Hmm, I'm not like that, you see

- My MtGox password is and was completely different from the one on bitcoin.cz
- Both passwords are 250+ chars long and are chosen by a password management program I'm not going to specify.

Not only that, but suppose someone was able to log in, there is no way they can change the wallet address without me noticing it via my e-mail address.
(trying to change the e-mail address would also be noticeable, and the e-mail address hasn't changed)

- My e-mail address has also a 250+ char password which is different from all the others.
- My PCs aren't compromised (that I know of, there's always that creepy feeling I get sometimes and then I do another audit :)), and I'm a very very paranoid IT guy. All logins on any level contain strong passwords.




Title: Re: Slush Pool (api.bitcoin.cz) hacked again?
Post by: DrHaribo on July 18, 2011, 12:14:28 PM
In my pool I use OpenID and let someone else worry about that part of the security. You can log in with a Google account.

Of course I have to store worker passwords. They are salted and heavily hashed in the database. Not sure if worker passwords are really worth protecting, but it just feels safer to be paranoid.


Title: Re: Slush Pool (api.bitcoin.cz) hacked again?
Post by: MiningBuddy on July 18, 2011, 01:14:30 PM
In my pool I use OpenID and let someone else worry about that part of the security. You can log in with a Google account.

Of course I have to store worker passwords. They are salted and heavily hashed in the database. Not sure if worker passwords are really worth protecting, but it just feels safer to be paranoid.

Kind of pointless when they are sent over the network plain text, but w/e.


Title: Re: Slush Pool (api.bitcoin.cz) hacked again?
Post by: Graet on July 18, 2011, 01:19:11 PM
We use 2-part authentication on the site, so for important changes such as wallet address you need to enter a PIN as well.
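The control Graet describes, and the e-mail notification deebug expected, combined into one flow as an added example (not any pool's code). It assumes a hypothetical account record with a PBKDF2-hashed PIN, a one-time confirmation token mailed to the account's address, a 15-minute token lifetime and a limit of three wrong PINs per request; the function names, constants and the wallet strings in the test are constructed for this example. A stolen session, or a direct database edit to the wallet column, is exactly the case the second factor and the audit trail are meant to surface.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumptions for this example (not a real pool's values): a numeric PIN stored
# as PBKDF2-HMAC-SHA256, confirmation tokens valid for 15 minutes, and at most
# 3 wrong PINs per pending change before the request is discarded.
PIN_ITERATIONS = 100_000
CONFIRM_TTL_SECONDS = 900
MAX_PIN_ATTEMPTS = 3


@dataclass
class PendingChange:
    new_wallet: str
    expires_at: float
    failed_attempts: int = 0


@dataclass
class Account:
    username: str
    email: str
    wallet: str
    pin_salt: bytes
    pin_hash: bytes
    pending: Dict[str, PendingChange] = field(default_factory=dict)
    audit_log: List[Tuple] = field(default_factory=list)
    outbox: List[dict] = field(default_factory=list)   # stand-in for outgoing e-mail


def _pin_digest(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PIN_ITERATIONS)


def create_account(username: str, email: str, wallet: str, pin: str) -> Account:
    salt = os.urandom(16)
    return Account(username, email, wallet, salt, _pin_digest(pin, salt))


def request_wallet_change(acct: Account, new_wallet: str,
                          now: Optional[float] = None) -> str:
    """Step 1: record the request and mail a one-time token; change nothing yet."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)
    acct.pending[token] = PendingChange(new_wallet, now + CONFIRM_TTL_SECONDS)
    acct.outbox.append({"to": acct.email, "subject": "Confirm wallet change",
                        "new_wallet": new_wallet, "token": token})
    acct.audit_log.append(("wallet_change_requested", now, new_wallet))
    return token


def confirm_wallet_change(acct: Account, token: str, pin: str,
                          now: Optional[float] = None) -> bool:
    """Step 2: apply the change only with a live token AND the correct PIN."""
    now = time.time() if now is None else now
    change = acct.pending.get(token)
    if change is None:
        acct.audit_log.append(("wallet_change_rejected", now, "unknown or used token"))
        return False
    if now > change.expires_at:
        del acct.pending[token]
        acct.audit_log.append(("wallet_change_rejected", now, "token expired"))
        return False
    if not hmac.compare_digest(_pin_digest(pin, acct.pin_salt), acct.pin_hash):
        change.failed_attempts += 1
        if change.failed_attempts >= MAX_PIN_ATTEMPTS:
            del acct.pending[token]               # too many guesses: start over
        acct.audit_log.append(("wallet_change_rejected", now, "wrong PIN"))
        return False
    del acct.pending[token]                       # token is single use
    old_wallet, acct.wallet = acct.wallet, change.new_wallet
    acct.outbox.append({"to": acct.email, "subject": "Your wallet address was changed",
                        "old_wallet": old_wallet, "new_wallet": acct.wallet})
    acct.audit_log.append(("wallet_changed", now, old_wallet, acct.wallet))
    return True
```

The e-mail in step 1 goes to the address already on file, so an attacker holding only the web session cannot redirect it, and the "changed" notice in step 2 is sent regardless of who made the change. An entry in `audit_log` with no matching `wallet_changed` event is the signal deebug was missing: a wallet column that changed without passing through this path points at the database, not at the user's password.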