Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: strictlyfocused on September 22, 2011, 02:57:13 AM



Title: Is this a security issue? Massive worker un & pw list found through google ...
Post by: strictlyfocused on September 22, 2011, 02:57:13 AM
http://50.19.139.134/test.php

I found it by simply doing a google search for my email address. I wonder how many people used a password on there that may be to an actual account somewhere else?


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: ineededausername on September 22, 2011, 02:59:49 AM
O.o
phew, I'm not on that list.
ok... what the hell!?
Why is somebody storing passwords in plaintext!?


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: simonk83 on September 22, 2011, 03:27:01 AM
Oh dear. A lot of the guys on that list might want to change their passwords... quicksmart.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: Keninishna on September 22, 2011, 03:29:12 AM
looks like the nofeemining pool worker passwords.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: paraipan on September 22, 2011, 03:38:58 AM
looks like the nofeemining pool worker passwords.

... or some real ones if you ask me


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: Phinnaeus Gage on September 22, 2011, 03:41:44 AM
Looks like there's a lot of SA members there. But no one here would dare to...Surely not...No Way!

Remember: Play nice!


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: Isepick on September 22, 2011, 03:43:46 AM
Those look like workers...foolish is someone who uses the same password for their workers as their actual login. Good way to get your account emptied.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: lightbox on September 22, 2011, 03:47:29 AM
http://50.19.139.134/ directory index is on too, there are a few other files there... none output anything else bad tho


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: RandyFolds on September 22, 2011, 03:57:56 AM
worker passwords are totally pointless. mine are all default. you guys wanna mine for me? feel free.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: Phinnaeus Gage on September 22, 2011, 04:09:30 AM
Looks like there's a lot of SA members there. But no one here would dare to...Surely not...No Way!

Remember: Play nice!

And don't even think about sending Cosby Coins to any of the SA members on the list.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: mb300sd on September 22, 2011, 04:15:00 AM
What's the point of having passwords for workers? I'd be glad if someone mined on my account :D

My password for all workers on every pool is bitcoin123 feel free to use it.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: simonk83 on September 22, 2011, 04:18:52 AM
Yes, well, we're the smart ones apparently. Not everyone is. You have a nice list now of email addresses and potential passwords. You do the maths.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: RandyFolds on September 22, 2011, 04:21:41 AM
Yes, well, we're the smart ones apparently. Not everyone is. You have a nice list now of email addresses and potential passwords. You do the maths.

It is kind of terrible...taking a closer look, a LOT of people have complex passwords set for their workers. It makes me want to start trying them on facebook, but I am not enough of a dick.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: Raoul Duke on September 22, 2011, 04:32:07 AM
... but I am not enough of a dick.

Got me fooled!


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: Isepick on September 22, 2011, 04:37:30 AM
I bet a few of those passwords work on those emails...and that a few more work on their Gox accounts as well...


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: giszmo on September 22, 2011, 11:04:03 AM
Ok, I'm a dick. 3rd try of a gmail account worked. I'll try to inform gmail to lock them all but ... hmm ... how to reach all mail hosters?


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: giszmo on September 22, 2011, 11:04:49 AM
@OP actually you're the dick for posting the link without any attempt to warn those affected.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: giszmo on September 22, 2011, 11:19:12 AM
Ok, the one gmail account I tried out and worked got this message a minute ago:
Your request (#....) has been received, and will be reviewed by our support staff.

Our help desk is experiencing unusually high traffic currently. We regret to inform you that you will experience some delays (currently 48-72 hrs) in us getting back to you.

We sincerely apologize for the inconvenience and are working on all fronts to improve our response times.

To review the status of the request and add additional comments, follow the link below:
http://support.mtgox.com/tickets/....


This means somebody even more evil than the OP and me is already at it. I could have logged into Gox but didn't as from having his main mail account I know the rest is trivial.


HOW TO RING THE BELLS?????


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: deslok on September 22, 2011, 11:25:34 AM
Write a script to just pull the email addresses from the list and send an email to all of them.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: giszmo on September 22, 2011, 11:35:57 AM
Write a script to just pull the email addresses from the list and send an email to all of them.

Write a script to change all their passwords faster than somebody does what you suggested ...

No, this should go to the email provider's attention, don't you think so?


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: strictlyfocused on September 22, 2011, 01:08:23 PM
@OP actually you're the dick for posting the link without any attempt to warn those affected.

Fuck you ... how is it my responsibility to do anything about it? What am I gonna do, email everyone on that list a sweet little message? Get real ... I could have just as well done something nefarious with it but I posted it here in hopes of getting it resolved.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: stsbrad on September 22, 2011, 01:18:24 PM
http://50.19.139.134/test.php

I found it by simply doing a google search for my email address. I wonder how many people used a password on there that may be to an actual account somewhere else?


can you please let us know exactly what you google searched? I'm finding this hard to believe


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: strictlyfocused on September 22, 2011, 01:22:13 PM
http://50.19.139.134/test.php

I found it by simply doing a google search for my email address. I wonder how many people used a password on there that may be to an actual account somewhere else?


can you please let us know exactly what you google searched? I'm finding this hard to believe

As I said in the first post if you had looked, I simply googled my email address ...


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: giszmo on September 22, 2011, 01:26:29 PM
https://encrypted.google.com/#q=redline888%40gmail.com first hit for example ...


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: stsbrad on September 22, 2011, 02:23:59 PM
https://encrypted.google.com/#q=redline888%40gmail.com first hit for example ...

Thank you. Sorry to OP for saying I find this hard to believe. I stand corrected.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: Gerken on September 22, 2011, 02:26:35 PM
Just in time, daddy needs a new pair of shoes. 


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: tonto on September 22, 2011, 03:41:38 PM
oh holy hell, I hope people didn't use these logins/passwords for their mtgox account. I'm glad I'm not on the list ;) But if I were, the only thing I have on mtgox right now is .0034 btc


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: joeyjoe on September 22, 2011, 03:43:55 PM
lol! i thought that was my database!


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: NoFeeMining on September 22, 2011, 07:08:10 PM
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

We managed to minimize the damage on our end though only about 1 or 2 coins were lost.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: joeyjoe on September 22, 2011, 07:09:29 PM
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts' passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: strictlyfocused on September 22, 2011, 07:11:04 PM
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

We managed to minimize the damage on our end though only about 1 or 2 coins were lost.

Glad to hear this will be corrected  :)


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: NoFeeMining on September 22, 2011, 07:13:33 PM
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts' passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: joeyjoe on September 22, 2011, 07:19:25 PM
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts' passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: iamzill on September 23, 2011, 12:49:39 AM
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts' passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden
They probably thought worker passwords weren't "important" enough.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: RandyFolds on September 23, 2011, 12:57:37 AM
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts' passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden
They probably thought worker passwords weren't "important" enough.


They aren't "important", they are a mere formality.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: phantomcircuit on September 23, 2011, 01:04:02 AM
These are passwords from bitcoinpool.com


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: RandyFolds on September 23, 2011, 01:10:21 AM
These are passwords from bitcoinpool.com

nofeemining, brother. read the thread.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: phantomcircuit on September 23, 2011, 01:12:33 AM
These are passwords from bitcoinpool.com

nofeemining, brother. read the thread.

I stand corrected, I noticed a lot of usernames that match bitcoinpool users.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: RandyFolds on September 23, 2011, 01:14:01 AM
These are passwords from bitcoinpool.com

nofeemining, brother. read the thread.

I stand corrected, I noticed a lot of usernames that match bitcoinpool users.

I am sure there is plenty of overlap, particularly the hoppers.

I just don't get why anyone sets their miner names/passwords to anything but default...like I said, they are completely arbitrary.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: payb.tc on September 23, 2011, 01:18:27 AM
They aren't "important", they are a mere formality.

problem is, careless people re-use passwords elsewhere like on their email accounts.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: iamzill on September 23, 2011, 01:24:07 AM
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts' passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden
They probably thought worker passwords weren't "important" enough.


They aren't "important", they are a mere formality.
And yet several people already had their email account compromised.

The lesson here is that every password the user types is important, because when you have a million users there is at least one dumb-ass who uses his PIN number as his password everywhere.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: hollajandro on September 23, 2011, 02:45:39 AM
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts' passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden
They probably thought worker passwords weren't "important" enough.


They aren't "important", they are a mere formality.
And yet several people already had their email account compromised.

The lesson here is that every password the user types is important, because when you have a million users there is at least one dumb-ass who uses his PIN number as his password everywhere.

I'm pretty sure that responsibility lies with the user themselves. After all, if you use the same key for your car, house, boat, storage unit, etc. whose fault is it really? Maybe it's time to start a business doing compromised password insurance...


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: RandyFolds on September 23, 2011, 03:10:42 AM

And yet several people already had their email account compromised.

The lesson here is that every password the user types is important

...only if they are an idiot. If you operate by the 'no child left behind' policy, you end up with a whole classroom full of simpletons.



Side note: the pool I use (ArsBitcoin) states in bolded red text that worker names and passwords are stored as plaintext.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: iamzill on September 23, 2011, 04:04:26 AM
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts' passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden
They probably thought worker passwords weren't "important" enough.


They aren't "important", they are a mere formality.
And yet several people already had their email account compromised.

The lesson here is that every password the user types is important, because when you have a million users there is at least one dumb-ass who uses his PIN number as his password everywhere.

I'm pretty sure that responsibility lies with the user themselves. After all, if you use the same key for your car, house, boat, storage unit, etc. whose fault is it really? Maybe it's time to start a business doing compromised password insurance...

Yes, of course it's the user's responsibility. That's why I called those one-in-a-million users "dumb-asses".

But if the coder is too lazy to spare one line of code to encrypt a useless password then I wouldn't trust that same coder to process my transactions.

By the end of the day, this is yet another security breach and another blow to the credibility of Bitcoins. Whether you used nofeemining or not, whether you chose strong passwords or not doesn't matter, because you were still hurt by this security breach.


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: makomk on September 23, 2011, 09:20:16 AM
Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden
Not trivially; I don't think pushpoold supports storing worker passwords as anything other than plaintext.
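The storage question running through the replies above (NoFeeMining's point A that worker passwords were kept unencrypted so users could see and edit them, joeyjoe's "base64 and a hidden salt" suggestion, iamzill's "one line of code" remark, and makomk's note that pushpoold only stores them as plaintext) is worked through below as an added example. It is not code from any poster, from NoFeeMining, or from pushpoold; the worker names, passwords and the "hidden salt" value are constructed for the demonstration, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for whatever password hash a pool would pick. It shows three things: that base64 with a shared secret prefix is an encoding anyone holding the table can undo, what a salted iterated hash record looks like and how it is verified, and how the "users must be able to see their password" requirement can be met with a reset that shows a fresh password once while the table keeps only the hash.

```python
"""Worker-password storage, added example (stdlib only, Python 3.8+).

Contrasts the reversible 'base64 + hidden salt' idea with a salted, iterated
hash, and replaces 'display the stored password' with a show-once reset.
"""
import base64
import hashlib
import hmac
import os
import secrets

# Constructed sample worker table: hypothetical names and passwords, not the leaked data.
SAMPLE_WORKERS = {
    "alice.worker1": "hunter2",
    "bob.rig": "bitcoin123",
}

# Constructed stand-in for the 'salt code that is kept hidden' in application code.
HIDDEN_SALT = "s3cret"


def base64_store(password: str) -> str:
    """Prefix the shared secret and base64-encode. Rows look scrambled in the table."""
    return base64.b64encode((HIDDEN_SALT + password).encode()).decode()


def base64_recover(stored: str) -> str:
    """Base64 is an encoding, not encryption: decode and strip the prefix.
    Because every row shares the same prefix, the 'hidden' salt is visible in any
    decoded row, so a copy of the table alone is enough to recover every password."""
    return base64.b64decode(stored).decode()[len(HIDDEN_SALT):]


def hash_store(password: str, iterations: int = 100_000) -> str:
    """Salted, iterated hash. The record is self-describing so parameters can be
    raised later: algorithm $ iterations $ per-record salt (hex) $ digest (hex)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def hash_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare.
    Malformed or unknown records verify as False instead of raising."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    try:
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        return False


def migrate_to_hashed(plaintext_table: dict) -> dict:
    """One-off migration of an existing plaintext worker table to hash records."""
    return {worker: hash_store(pw) for worker, pw in plaintext_table.items()}


def rotate_worker_password(nbytes: int = 9):
    """Replacement for showing the stored password on the account page: generate a
    fresh random one, return it for a single display, and keep only its hash.
    Returns (password_to_show_once, record_to_store)."""
    new_password = secrets.token_urlsafe(nbytes)
    return new_password, hash_store(new_password)


if __name__ == "__main__":
    row = base64_store("hunter2")
    print("base64 row:", row, "-> recovered:", base64_recover(row))
    hashed = migrate_to_hashed(SAMPLE_WORKERS)
    for worker, pw in SAMPLE_WORKERS.items():
        print(worker, hashed[worker][:40] + "...", "verifies:", hash_verify(pw, hashed[worker]))
    shown_once, record = rotate_worker_password()
    print("new worker password (show once):", shown_once, "verifies:", hash_verify(shown_once, record))
```

Two caveats a pool operator would weigh: the hash records cannot be displayed back to the user, which is exactly the convenience point A was preserving, so the edit-password page becomes a reset page; and pool software that checks the worker password on every work request would pay the iterated-hash cost each time unless it caches successful checks, which is one reason such software stored the value in the clear. Neither caveat changes the storage-at-rest point: a leaked table of `hash_store` records gives up no password, a leaked table of `base64_store` records gives up all of them.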


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: error on September 23, 2011, 10:20:45 AM
Wait, why do mining workers even HAVE passwords?


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: nmat on September 23, 2011, 10:23:35 AM
Wait, why do mining workers even HAVE passwords?

I also never understood this...


Title: Re: Is this a security issue? Massive worker un & pw list found through google ...
Post by: bitclown on September 23, 2011, 10:27:32 AM
Wait, why do mining workers even HAVE passwords?

I also never understood this...
To prevent others from abusing your account. Pools will ban misbehaving users.