Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: rofus on December 24, 2013, 07:45:21 PM



Title: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: rofus on December 24, 2013, 07:45:21 PM
Do not mine there, and check your balances and settings, you'll find your btc address changed to another one.

They hacked almost all accounts bypassing PIN and password and stole BTC.

YOU'RE WARNED


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: rofus on December 24, 2013, 07:48:43 PM
If you change back the address it does not change, the website is FULLY COMPROMISED.


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: kalus on December 24, 2013, 07:52:00 PM
can't change btc, can't change doge address either.  it reverts back to the other address.

which is fine, because withdrawals are disabled.

oh hashcows.  



Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: kikeda on December 24, 2013, 07:52:59 PM
yeah it doesn't change back frig!


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: Nullu on December 24, 2013, 07:54:11 PM
Oh dear. I did mine there for a few hours once when I was trying out multipools. Thankfully I didn't stay long.


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: Bigeyeone on December 24, 2013, 07:56:08 PM
My money was not stolen, but I will change my password anyway even though it is already extremely long.

If this happened to a whole bunch of people the hackers probably got a mysql dump and are brute forcing or using wordlist combos to crack as many passwords as they can.


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: kalus on December 24, 2013, 07:57:08 PM
My money was not stolen, but I will change my password anyway even though it is already extremely long.
yeah i don't get it; i changed from 'password1' to 'password2' how did they get in?  ::)


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: Bigeyeone on December 24, 2013, 08:00:57 PM
well I just tried to put in a 30 character long password and it said max 20, and my old pass was 20 lol

So well, not so well protected


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: kalus on December 24, 2013, 08:07:56 PM
well I just tried to put in a 30 character long password and it said max 20, and my old pass was 20 lol

So well, not so well protected
lol

"error password too long"  

the individual words make up a sentence, but i don't understand what it could mean.  


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: Oldminer on December 24, 2013, 08:18:17 PM
This is why I never store large amounts of coin or $$ on websites without at least 2-factor authentication.


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: Bigeyeone on December 24, 2013, 08:21:46 PM
This is why I never store large amounts of coin or $$ on websites without at least 2-factor authentication.
I don't store large amounts of coin anywhere online, I already get nervous when my coins are at an exchange just to exchange them ASAP and make a withdrawal, but maybe I am a bit paranoid.


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: kalnas on December 24, 2013, 08:22:17 PM
My money was not stolen, but I will change my password anyway even though it is already extremely long.

If this happened to a whole bunch of people the hackers probably got a mysql dump and are brute forcing or using wordlist combos to crack as many passwords as they can.

so did they get passwords and log into accounts, or somehow get access to the db and change addresses directly there?


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: Kluge on December 24, 2013, 08:22:24 PM
Dunno why you guys are complaining about a 20 character limit. A nearby B&M regional financial institution (I don't dare say which) will only allow a password between 4 and 8 characters in length. Wish I were joking.

This is why I never store large amounts of coin or $$ on websites without at least 2-factor authentication.
I don't think they really hold funds (in the traditional sense) outside unpaid funds from mining since the last payout cycle.


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: kalus on December 24, 2013, 08:23:57 PM
Dunno why you guys are complaining about a 20 character limit. A nearby B&M regional financial institution (I don't dare say which) will only allow a password between 4 and 8 characters in length. Wish I were joking.
that's the point.  there should be no character limit.  

and like oldminer said, 2-factor authentication helps.  

it felt like the hashcows admin were fighting just to keep the site up and running, and left a backdoor open so someone could steal $20,000.  

Hashcows should be making money:  money enough to hire help with securing their money, and user money.  there is already a problem with trust and scams when it comes to sites like this.  it took them so long to build up a brand, trust and goodwill, and all that effort was wasted. 

otoh, mtgox seems to be surviving, although they lost their primacy in the exchange game a long time ago.



Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: KickAzzDude on December 24, 2013, 08:26:01 PM
My wallet address was not changed, does this mean I was not affected?


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: procrypto on December 24, 2013, 08:26:29 PM
Cross posting from Reddit..

I was in the IRC channel #hashcows on freenode as this played out. Note that I don't speak for Hashcows, just a user/chatter reporting what I know.

Seems like what happened is that someone used an attack (possibly SQL injection) to change a bunch of user payout addresses to https://blockchain.info/address/13R87ropkDKzDEuVeQoX64kkcLvPWVdTKH

As users subsequently hit their pre-set auto withdraw threshold, or logged in and blindly did a manual withdrawal for themselves, the coins were siphoned off to the thief's account.

This leads me to assume that no account details (usernames, passwords, PIN, entire database) were compromised.. it was a smart but simple attack, something of a smash and grab raid. They didn't need to deal with usernames, passwords and PINs (none of which would be stored in plain text anyway), this was much easier for them.

The first thing to do is check your balance. If it's not been affected you are ok now, as the payout system was disabled by admin as soon as this came to light, and will be until investigation is complete.

If you try to manually withdraw the website will report that the withdrawal has been initiated - but it hasn't.

For a period of time you may have been unable to change your payout address, as this was also locked by admin, however it's now been enabled again.


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: sarmenhb on December 25, 2013, 03:27:53 AM
i talked with them on irc and it looks like it was an sql injection attack. it's not 100% yet.

For those of you who don't know what that means, it means that no matter how strong your password or pin was they had actual access to the database to retrieve/update the data bypassing the website.
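
An added example, not part of the posts above and not Hashcows' code: one way a pool operator could catch the pattern procrypto and sarmenhb describe, where payout addresses are rewritten in the database without going through the website. The schema, names, placeholder addresses and thresholds are all assumptions made for illustration.

```python
import sqlite3

# Hypothetical schema: table and column names are assumptions, not the pool's real database.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, payout_address TEXT, balance REAL);
CREATE TABLE address_audit (account_id INTEGER, old_address TEXT, new_address TEXT,
                            changed_at TEXT DEFAULT CURRENT_TIMESTAMP);
-- Database-level trigger: records every address change, including writes that
-- never passed through the website's password/PIN checks.
CREATE TRIGGER log_address_change AFTER UPDATE OF payout_address ON accounts
WHEN OLD.payout_address IS NOT NEW.payout_address
BEGIN
  INSERT INTO address_audit (account_id, old_address, new_address)
  VALUES (OLD.id, OLD.payout_address, NEW.payout_address);
END;
"""

def shared_new_addresses(db, min_accounts=2):
    """Addresses that several distinct accounts were switched to."""
    rows = db.execute(
        "SELECT new_address, COUNT(DISTINCT account_id) FROM address_audit "
        "GROUP BY new_address HAVING COUNT(DISTINCT account_id) >= ?", (min_accounts,))
    return {addr: n for addr, n in rows}

def payable_accounts(db, threshold, min_accounts=2):
    """Accounts over the auto-withdraw threshold whose address is not flagged."""
    flagged = set(shared_new_addresses(db, min_accounts))
    rows = db.execute("SELECT username, payout_address FROM accounts "
                      "WHERE balance >= ? ORDER BY username", (threshold,))
    return [user for user, addr in rows if addr not in flagged]

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample data; the addresses are placeholders, not real ones.
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", [
        (1, "alice", "ADDR_ALICE", 0.30), (2, "bob", "ADDR_BOB", 0.25),
        (3, "carol", "ADDR_CAROL", 0.40), (4, "dave", "ADDR_DAVE", 0.01)])
    # A legitimate change made by a single user.
    db.execute("UPDATE accounts SET payout_address = ? WHERE id = ?", ("ADDR_ALICE_NEW", 1))
    # Simulated bulk rewrite: two accounts suddenly point at the same address.
    db.execute("UPDATE accounts SET payout_address = ? WHERE id IN (2, 3)", ("ADDR_UNKNOWN",))
    return shared_new_addresses(db), payable_accounts(db, threshold=0.1)

if __name__ == "__main__":
    print(demo())  # flagged addresses, then accounts still safe to pay out
```

Running the check before each payout cycle holds withdrawals to any address that many accounts were just pointed at; the audit rows should also be copied somewhere the web application's database user cannot write.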


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: merred on December 25, 2013, 04:30:06 AM
thank you 4chan


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: kalus on December 25, 2013, 04:35:21 AM
you're welcome anon


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: STT on December 25, 2013, 04:49:34 AM
So they managed to steal 26k so far?


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: chiznitz on December 25, 2013, 05:05:33 AM
they stole around 40btc.

For those complaining about hashcows.  Nearmiss does a great job for the community by running this website. 

I work for a multibillion dollar payment card processor and I can tell you that no matter what you do a bad guy can always find a way into your system.

Do you think nearmiss has more funds available to provide better security than....
Heartland?
TJ Maxx?
Target?

All of these companies are billion dollar companies and couldn't keep the bad guys out.

Here's the deal.  Transfer your coins off whenever you can and don't worry about the 50cent fees.

I lost .244BTC today because I was too lazy to log in and move coins, I'm sad, and I'm pissed at the hacker who did it.

I will continue to use hashcows knowing fully that they could be hacked again, every exchange can be hacked, you keep money there it's your risk.

These aren't FDIC backed exchanges and they aren't all multimillion dollar operations.

Nearmiss could hire 15 security experts and I guarantee someone will still find a way in if they want to.

enjoy your coining folks and let's hope nearmiss and others who lost money/time get to enjoy their Christmas!


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: yorich on December 26, 2013, 12:08:07 AM
I tried to log in to change my password, but it just sits and gives me the login page again, no errors or anything.  I don't see a password reset link either, so how the hell can I reset my password?   I had fortunately removed all funds from there except maybe 0.02 BTC, but I'd still like to grab that out if possible.


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: Ferris419 on December 26, 2013, 01:38:26 AM
I tried to log in to change my password, but it just sits and gives me the login page again, no errors or anything.  I don't see a password reset link either, so how the hell can I reset my password?   I had fortunately removed all funds from there except maybe 0.02 BTC, but I'd still like to grab that out if possible.

yeah I can't seem to login to even change my password or see my account balance or anything?????? just keeps taking me to the statistics screen where all I can see is the pool statistics.....I didn't have maybe 1$ worth of bitcoins on there but still I want my shiiiiit


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: fast-pool.com on December 26, 2013, 01:53:02 AM
did they take all or just a few accounts?


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: Raz31337 on December 26, 2013, 02:49:09 AM
I think all


Title: Re: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN
Post by: prins on December 26, 2013, 04:04:46 AM
glad that last time i used it i did a payout. Looks like he made off with 40btc looking at the address..