Bitcoin Forum

BitDice noticed a large spike in bruteforce attempts with a large number of valid email addresses. We suspect that the attacker may have been using a list of leaked credentials from another gambling website due to the large number of valid email addresses. We wanted to inform the public and also advise everyone to always use unique passwords across multiple websites to prevent these types of attacks from being successful.

We may publish a starred email list in the future but we are more concerned that this may have orignated from another gambling site in the community.

As always, BitDice protects your account by verifying unknown logins to help secure your account.

thats bad to hear
maybe implement a 2fa system ?

We have 2FA and email confirmation on login. Issue wasn't on our end.

Did you happen to read the post?

i was talking in general (all gambling websites)

They're probably using the various leaks publicly available.

Check to see if you're affected here:
https://haveibeenpwned.com/

This is scary. In this industry, some wicked operators are actively trying to undermine other operators business interests. That's not a healthy way to compete.

Spend that useful time to build your customer base, improve in your customer support, make your payouts more efficient, etc. Rather than focusing on undermining other people's business

All known gambling websites have 2FA option afaik, but A LOT of users are either lazy or simply too stupid to enable extra security on their accounts. And many of them use same passwords for all their online profiles.

ALWAYS enable 2FA on accounts where money is stored/involved.



@OP: Thanks for notifying the community.

But most of the gambling site now are using 2FA, there is no any single site that do not have 2FA protection. If that site exist, I do not think anyone are bothering to play on their site,because 2FA is the best protection for the current time. If it happens your account get be hacked when you already put the 2FA then there must be something wrong with the account because I have this problem before and the result I got hacked some amount on that site

2fa, for example fido network, is really easy to implement
Is ten rows of code

Or can implement another poor method, like time based confirmation

You might as well want to figure out where these email addresses are coming from and inform their respective website owners? Ofcourse it's hard to figure that out but putting it online maybe help service see if majority of them are used in their databases.

As usual, merit beggars being blind as fuck.

He's merit begging, you might as well leave him a negative. Check his merit history.

Still lucky that his still having no -VE yet its obvious on that merit abuse. Checking Dice-bet giving out merits?

Back into topic, this is why I don't really use up my main email when using up any websites neither gambling sites or other ones because leakage can happen and also
using up different and strong passwords is recommended.We wont able to find out on where those leaks came from.

this has been happening for quite some time
my email that is used for registration at some secondary exchanges and casinos
has been receiving dozens of failed authorization attempts reports
seems like one of the sites has leaked its database or I managed to register at a semi-rogue exchange/casino
specifically designed to get cryptousers e-mails and then attempting to bruteforce accounts

It's a bad sign they must be aware of this leak.

A strong password is not enough to protect the account I think 2fa and use a unique password for every gambling site is a good idea and Gmail should have an SMS authentication and a different password to protect their email from brute force.

Shouldnt we put that 2fa thing to be a standard security of our accounts? Its easy as 1,2,3 to set it up but people do still fail and they would only realize when its too late.

Will publishing be a right idea? What about to warn users with leaked emails on your website? Because they may try to spam emails and you may know social engineering still works, especially in older people.
I think leak comes from famous bitcoin gambling websites, if you contact some of them and randomly send 10 email or even list, we may possibly know who has problems because not only your but other users will be in trouble too.

Considering gambling casinos are also sort of work like wallets (people deposit their money there and sometimes they withdraw but there are times when a gambler just keeps his money in the casino instead of withdrawing all the time) this is actually worse than it looks like. Yeah, someone taking control of your casino account doesn't seem THAT bad when you consider whats the worst thing they can do deposit and gamble ?

But, don't forget they will have your wallet and if you have money in it than they can withdraw it plus they will have your email address and the password for that and if you have password same with any other place they could potentially try that email/password combo in any website, they could literally write a code that says try this email/password combo in all of these websites and let me know if any of them gets inside and it would take 10 seconds to check hundreds of websites.

It is really dangerous and has insane potentially horrible stories. Be really careful about this.

This is sad news and what makes it worst the site has not come clean to it's users which puts their users to more risk. I'll agree with the advice one should use distinct passwords, as we have seen in the past they get one password and they can hurt you a lot financially. It's important to note sites using http or not using ssl is a must avoid these days, also using your password on a public or free wifi is a very bad idea.

People should really be using a decent password manager that creates random strong passwords.
Different ones for every site you use. Also, don't just blindly trust 2FA, because there are definitely ways around that (depending on what kind of 2FA the website uses)

I can definitely recommend Keepass, which is an awesome open-source password manager.
https://keepass.info/

2FA with a mobile phone number is insecure and you don't know what they use your phone number for.
Just look at what Facebook did with phone numbers it collected for their 2FA, sold them to advertisers... (source (https://techcrunch.com/2018/09/27/yes-facebook-is-using-your-2fa-phone-number-to-target-you-with-ads/))

This article is pretty interesting, it lists all the pros and cons of different 2FA methods:
https://www.makeuseof.com/tag/pros-cons-2fa-types-methods/

Strong password and 2FA of course needed to make your account secure. But to think that by putting 2FA will make your account insecure, how this thing is possible? Many people already know 2FA and have beend used it for so long and it never has any issue with it and by using keepass it will only give us and extra security towards our account so it is depends on players as well whether they are going to use it or not since not everyone are familiar with coding thing

I never had the experience to use keepass but according to google keepass is "an opensource password manager which can help you to manage all of your passwords" it means that you can use keepass as your database of all of your password so if you haven't memorized the passcode you can use this to keep your password safe but I don't think we still need this because you can make your own password database in your own spreadsheet.
Using any 3rd party software your account can be compromised so I suggest to better memorize the password and use google 2fa is enough to keep your account safe.

literally every piece of equipment can be compromised
keepass is a nice little tool to keep your passwords, also lastpass falls into this category
it is way better than storing your passwords on a piece of paper or, god forbid, in a text file
spreadsheet passwords sounds like a joke, you think that Google documents are safer than keepass?
in any case , 2fa is a must for sites you store money at , gambling sites or exchanges or wallets
otherwise using a password manager is fine in most cases, try it - you will like it :)

Manage all out passwords sounds really good, and it is good for better coding user as well but in the mean time, there are still mant of users that do not understand how to code or familiar with an open source things so I could say, it is better to use 2FA, besides it is not that hard to understand and use either. Scan and done, as simple as that so you do not really need to manage your password that hard