Bitcoin Forum

Other => Meta => Topic started by: Quickseller on January 08, 2015, 12:51:33 AM



Title: Akka - Default trust account no longer hacked!
Post by: Quickseller on January 08, 2015, 12:51:33 AM
OP note: no conspiracy theories about default trust nor any 'I hate Vod' posts


EDIT: Per theymos the rightful owner of akka is now in control of his account.
Akka's account has been restored to the rightful owner.

User Akka (https://bitcointalk.org/index.php?action=profile;u=60141) recently reset his password (yesterday) and is now selling an "exploit" to hack gmx accounts. I searched his username in the digital goods section and found that only two posts (in one thread) were made in that section prior to today.

The account has made exactly 25 posts since July 6th, 2014.

I know there is a (likely hacked) account that is for sale and on default trust list and I am thinking it might be it.

Here (http://gyazo.com/6b7c0385c6320819ae68691424bf20d9) is where the account is being sold.

I had been messaging him regarding his exploit via an alt of mine and he had been replying to me once every ~2 mins and has not responded since I asked him for a signed message from an old address. After sending two PMs he replied several minutes later suggesting a particular escrow. I asked him again for a signed message and have not gotten a response. I messaged him from a 2nd alt and have gotten several responses after requesting a signed message from the first one. He essentially admitted to his account being hacked
I cannot i think you know why

The exploit he is claiming to have can reset any gmx account.

Both BadBear and Theymos appear to be offline, so I would say the most effective course of action would be to post here.


Title: Re: Akka - Default trust account hacked?
Post by: Quickseller on January 08, 2015, 12:54:44 AM
Update:
Yes it is but we can use escrow
He 100% confirmed his account is hacked


Title: Re: Akka - Default trust account hacked?
Post by: criptix on January 08, 2015, 01:03:26 AM
nice job quickseller  ;)


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Akka on January 08, 2015, 01:06:38 AM
nice job man


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Quickseller on January 08, 2015, 01:08:10 AM
nice job quickseller  ;)
Thank you. I appreciate it.

nice job man
NP bro


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Vod on January 08, 2015, 01:09:10 AM
Sucks that this scammer was able to leave you negative feedback that modified your trust rating.

Hopefully when the Admins get online they will remove the hacked account from default trust.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Quickseller on January 08, 2015, 01:11:24 AM
Sucks that this scammer was able to leave you negative feedback that modified your trust rating.

Hopefully when the Admins get online they will remove the hacked account from default trust.
I am sending Theymos a pm right now.

Don't worry about my trust rating. The last time someone on default trust left me retaliatory feedback I was able to get them removed from default trust (https://bitcointalk.org/index.php?topic=811345.0) quickly

EDIT: it looks like he got you too


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: theymos on January 08, 2015, 02:19:13 AM
I banned him and removed him from my trust list.

The real Akka should email me.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Quickseller on January 08, 2015, 02:23:09 AM
I banned him and removed him from my trust list.

The real Akka should email me.
His email was probably hacked.

You can't possibly remove the trust he left several people, can you? It is clearly invalid and was sent by a hacker.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: theymos on January 08, 2015, 02:29:47 AM
His email was probably hacked.

Yeah, I'll require a lot of extra proof.

Quote
You can't possibly remove the trust he left several people, can you? It is clearly invalid and was sent by a hacker.

Removed.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Vod on January 08, 2015, 02:34:10 AM
Thanks Theymos!   :)


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: MadZ on January 08, 2015, 05:21:44 AM
Why wouldn't I cooperate? Blatant simple. I didn't even have access to any default trust accounts and if I did I would not have sold it but rather keep it to myself.

You were saying? (http://gyazo.com/6b7c0385c6320819ae68691424bf20d9)


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Quickseller on January 08, 2015, 05:23:26 AM
I am Regular Guy on HF and I am NOT selling this account. I can confirm via PM that I am not selling it and that I am the owner of that account.

why was that thread posted? I was simply seeing how much these accounts would go for. Quickseller messaged me asking for a price on this account, and has now given me neg trust because I would not cooperate with him

Why wouldn't I cooperate? Blatant simple. I didn't even have access to any default trust accounts and if I did I would not have sold it but rather keep it to myself.

This thread is a load of garbage, anyone on HF can vouch that I've never sold an account that has been HACKED but rather built up on my own.

If I was the scammer, why would i come here and open up that i'm selling the account (which I am not)?

It's a stupid move, I'm here to be honest and that is what I am doing and I HOPE quickseller respects that.

This is utter bullshit, and I hope my neg trust rating is removed for something I am NOT responsible for.
I am not going to say how I know however there is evidence that linked you to every account being advertised in that screen shot except the default trust list account.

You sent me a pm with a specific account asking for an offer and when I asked if you could prove ownership (not for proof, but if you would be able to produce it) and your response was that you would allow me access to the account first and then you would have me pay you


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: b!z on January 08, 2015, 05:24:39 AM
I am Regular Guy on HF and I am NOT selling this account. I can confirm via PM that I am not selling it and that I am the owner of that account.

why was that thread posted? I was simply seeing how much these accounts would go for. Quickseller messaged me asking for a price on this account, and has now given me neg trust because I would not cooperate with him

Why wouldn't I cooperate? Blatant simple. I didn't even have access to any default trust accounts and if I did I would not have sold it but rather keep it to myself.

This thread is a load of garbage, anyone on HF can vouch that I've never sold an account that has been HACKED but rather built up on my own.

If I was the scammer, why would i come here and open up that i'm selling the account (which I am not)?

It's a stupid move, I'm here to be honest and that is what I am doing and I HOPE quickseller respects that.

This is utter bullshit, and I hope my neg trust rating is removed for something I am NOT responsible for.

Can you keep your script kiddie drama away from this forum please? I don't know where all of you are coming from, but it seems almost every member of Hack Forums that comes here has nothing to contribute, and only peddles scams, ebooks, and hacked accounts in the marketplace.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: moreia on January 08, 2015, 05:28:30 AM
i can vouch that spod was reselling the account, i'm also on hf and when i queried about the account to also see if it was stolen he said he was re-selling, and didn't have ownership


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Quickseller on January 08, 2015, 05:35:08 AM
PM's with spoderman:
Hello,

I am sorry if I have the incorrect person, however I do not want to do business off the forum so I do not want to contact you elsewhere.

I have reason to believe that you are selling a hero member on default trust for 4 BTC and a hero member with neutral trust for .25 BTC.

Can you confirm if you are in fact selling them, if they are still available, if these are the lowest you are willing to sell them for and if they are hacked accounts.

I apologize if I have the incorrect person.

Thank you for your attention.
Wow, you really get around don't you.
How'd you find out it was me?
I wouldn't budge from 4BTC at the current bitcoin rates.
The hero member was negative, and i sold it
I'd rather not reveal my sources or my methods.

Would you be willing to divulge the identity of the default trust account? I could agree that I will not share its identity.
I'd rather not reveal my resources
fair enough. Are you able to prove ownership of the account via a signed message from an old, unedited post? Of course you would not need to provide such message until immediately prior to any transaction taking place
Pretty sure that would reveal my resources would it not?
I'm not interested in selling to a member who already owns tons of accounts and sells them for extremely high amounts, and then buys at low-ball offers. I know it's your business, but I rather be fair and sell to someone genuinely interested
Like I said it would not need to be provided until an agreement could be reached. If you are not interested in selling to me then that is fair enough
I'm not, thanks for the offer though.
https://bitcointalk.org/index.php?action=profile;u=37537 - how much would you pay for this account?
Don't low ball me. Im not doing any negotiating either.
I'll go first so keep that in consideration when you offer your price
Thanks
Before I would be willing to make any kind of offer I would need confirmation that you can prove ownership of the account. This would mean a signed bitcoin message. If you only have a signed message transferring ownership to another account then that would be fine, however you would need to do the same with the 2nd account (either on or off the forum).
Don't worry about it then, either way you are getting the account, all this verification nonsense isn't required for an offer.
If you give me a valid offer, i'll give you the account FIRST. That's my offer.
Even if I have the account first I have no way to prove ownership unless you let me have control of the account for 3+ months prior to me sending payment so I can establish an address to associate with the account and confirm there are no ownership disputes.

I am not interested in buying a hacked account, nor am I interested in dealing in any accusations of selling/using a hacked account. I do not want to associate my reputation with such activity



I am Regular Guy on HF and I am NOT selling this account. I can confirm via PM that I am not selling it and that I am the owner of that account.

why was that thread posted? I was simply seeing how much these accounts would go for. Quickseller messaged me asking for a price on this account, and has now given me neg trust because I would not cooperate with him

Why wouldn't I cooperate? Blatant simple. I didn't even have access to any default trust accounts and if I did I would not have sold it but rather keep it to myself.

This thread is a load of garbage, anyone on HF can vouch that I've never sold an account that has been HACKED but rather built up on my own.

If I was the scammer, why would i come here and open up that i'm selling the account (which I am not)?

It's a stupid move, I'm here to be honest and that is what I am doing and I HOPE quickseller respects that.

This is utter bullshit, and I hope my neg trust rating is removed for something I am NOT responsible for.
I am not going to say how I know however there is evidence that linked you to every account being advertised in that screen shot except the default trust list account.

You sent me a pm with a specific account asking for an offer and when I asked if you could prove ownership (not for proof, but if you would be able to produce it) and your response was that you would allow me access to the account first and then you would have me pay you
I didn't show a link to soul on HF. i did sell a few newbie to Full member accounts as that's what I actually had access to, the default trust one was simply reselling from you

the method:
-- Sell for 4BTC on HF
-- Pay you 3.5BTC
-- Profit .5BTC

I'm sure you were selling a default trust account a while ago, right?
If you really bought that account then why don't you post from it, or at the very least PM me from it, or even tell me what you told me you were going to do with it



No, that is not what happened
This:
-- Person from HF pays 4BTC
-- I pay you 3.5BTC for the account
-- Give the HF person the account

No one bought the account hence you never heard from me
How do you explain the hero member, 7,000 post, 500 activity account that you are selling for .3 btc? That is significantly less than what I am selling any hero account for and significantly less than what I have ever seen a hero account sell for?

How do you explain offering to sell Spekulatius (https://bitcointalk.org/index.php?action=profile;u=37537) while implying that it was hacked? (it was really more of an admission)



My friend combo'd it, i highly recommend you flag that acct btw.
I was only looking for a price offering so he could sell it.
Also, the hero member was a friend's with neg trust and it was given to me for free if i could sell it give him a cut. i wasn't expecting anything more than .1 for it.
You essentially admitted the account was hacked.

Then it just so happens that a hacked account pops up that was on default trust list? I find your explanation regarding the default trust account hard to believe. Either way that isn't why I gave you the negative trust, I gave it to you because you were offering to sell a hacked account.



Yes it does, that's why i've explained because that was not me. I know it's hard to believe (just my luck right?) but the specifications don't match the hacked account.
I just wanted to see how much it would go for. Not my problem the guy got hacked, I didn't do it so why do i incur the neg trust.
How's that my fault
Like I said the fact that the hacked account popped up today does not have any impact on me giving you negative trust, it only has an impact on my timing. I was hoping to get more confirmation about the legendary account you said was for sale and the hero account you were claiming to be selling (that you now claim to not be actually selling).

Of course you are going to retract your story once you are called out.



He wanted a price before he wanted to make any verification, you wouldn't give me the price so how was I supposed to verify it.
I couldn't
I'm not retracting anything I'm just disappointed i'm involved in this mess when I have nothing to do with the OP nor do I want to harm bitcointalk. I never knew selling hacked accounts weren't allowed... I don't even know how to hack accounts.
I just wanted a quick buck that's it so i offered to sell the account my friend had. and now that's resulted into a -6 which imo is bullshit
I did not ask for actual verification, I asked if you were able to provide such verification. There is a big difference.

Don't worry about your -6, it will eventually turn into a -4



I still don't see why I suffer the consequences. I didn't intend on harming anyone. Someone asked if I could sell his account, I came to you for an appraisal because you asked me about the account that was yours earlier on.
This is just a misunderstanding, I don't think even a -4 is necessary. That mark is going to be on my name for a situation that didn't occur.
If you want, I can switch to your side and prove that legendary is hacked, to assist and prevent people from being hacked. I just want my trust removed.
You are kidding right? You want to prove the account that you tried to sell me is hacked?



Okay prove it is hacked.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 08, 2015, 08:29:37 AM
I can confirm account Akka was hacked (I informed theymos right away, thanks for acting, theymos), I bet he had a gmx-address registered with the forum.

My gmx account has been repeatedly taken over (about 6-8 times) since around Dec 16th.

Those incompetents at gmx said I should check my PC for malware.

It became clear there is an exploit that allows password reset by an attacker.

The attacker tried to gain access to various of my bitcoin-related (and other) accounts. I know some of them because I saw password reset mails: bitcointalk (failed), bitstamp (failed), anonibet (successful, he got 0.007 BTC), dropbox (don't know, don't use it), paypal (failed), blockchain.info (failed), bitcoin.de (failed), twitter (failed)

I'm not sure why he failed on so many accounts. PW reset should've worked just fine for many of them, maybe I interrupted him. I also don't understand why he didn't try to lock me out of my gmx account by changing secondary security features (phone number, security question, alternative email address). I was always able to re-gain control of the account by using the registered phone-number.

I migrated all relevant sites from that gmx account.

I'm really pissed at gmx, why don't they close that hole already?



Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Mitchell on January 08, 2015, 08:33:39 AM
Quickseller, thanks for looking out for us and thanks Theymos and molecular for acting so quickly!


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: hilariousandco on January 08, 2015, 09:01:00 AM
I can confirm account Akka was hacked (I informed theymos right away, thanks for acting, theymos), I bet he had a gmx-address registered with the forum.

My gmx account has been repeatedly taken over (about 6-8 times) since around Dec 16th.

How did the hacker know your email address associated with your account? Was it publicly known prior?


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 08, 2015, 09:09:51 AM
I can confirm account Akka was hacked (I informed theymos right away, thanks for acting, theymos), I bet he had a gmx-address registered with the forum.

My gmx account has been repeatedly taken over (about 6-8 times) since around Dec 16th.

How did the hacker know your email address associated with your account? Was it publicly known prior?

I'm assuming he got it from the mtgox leak back in 2011 (or was it 2012?). It's very likely someone using gox in 2011 also has a btctalk account... and a valuable one at that ;)

That's what I'd do if I had that exploit and was a black hat: take all gmx addresses from that leak and attack those dudes... there might be some bitcoins to be had.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: hilariousandco on January 08, 2015, 09:18:13 AM
Wasn't that guessing the dob exploit allegedly used to gain access to Satoshi's gmx account? It is interesting how many people are losing their accounts here via their email, especially when most don't have their address publicly displayed.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Parazyd on January 08, 2015, 09:21:46 AM
Wasn't that guessing the dob exploit allegedly used to gain access to Satoshi's gmx account? It is interesting how many people are losing their accounts here via their email, especially when most don't have their address publicly displayed.

Probably because the majority of members here use either gmx or gmail. And it's probably username@one-of-those.com
So it's not that hard to guess.

Note to self: Start an email server.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Blazr on January 08, 2015, 09:23:10 AM
Molecular, aren't you from Germany? So is Akka IIRC... Maybe some German Bitcoin website was hacked.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: MadZ on January 08, 2015, 09:23:17 AM
I can confirm account Akka was hacked (I informed theymos right away, thanks for acting, theymos), I bet he had a gmx-address registered with the forum.

My gmx account has been repeatedly taken over (about 6-8 times) since around Dec 16th.

How did the hacker know your email address associated with your account? Was it publicly known prior?

I'm assuming he got it from the mtgox leak back in 2011 (or was it 2012?). It's very likely someone using gox in 2011 also has a btctalk account... and a valuable one at that ;)

That's what I'd do if I had that exploit and was a black hat: take all gmx addresses from that leak and attack those dudes... there might be some bitcoins to be had.

I don't think Akka would be on the old mtgox leak, he signed up on bitcointalk in June 2012, the leak was way before that.

I heard a suspicious rumor that it was somehow possible in some cases to reset the password of GMX accounts by using the person's date of birth only. I haven't checked it out because I don't have an account there, but it might be a good idea to look into it. Regardless everyone should stop using GMX, they're obviously very incompetent.

Akka revealed his email in this (https://bitcointalk.org/index.php?topic=128796.msg1373309#msg1373309) post, they probably got it from there.

Are you in? If so: which city are you in? Would you be willing to help finance the whole thing (if so, with roughly how much BTC)? Would it be OK if I pass your contact on to others from your city, so that I ideally have a single contact person per city when it comes to distribution? (As a side effect, a few local Bitcoin communities might even emerge this way.)
If you are only reading this and are not on the forum, write me an email: Ak-ka@gmx.net


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 08, 2015, 09:25:54 AM
I heard a suspicious rumor that it was somehow possible in some cases to reset the password of GMX accounts by using the person's date of birth only. I haven't checked it out because I don't have an account there, but it might be a good idea to look into it. Regardless everyone should stop using GMX, they're obviously very incompetent.

This whole story stinks. I don't believe in this "random dumb script kid hacks Satoshi Nakamoto's email account" story at all.
There is someone simply trying to let us think Satoshi is still alive.
As far as I can see, you only need to know date of birth to reset a gmx email account password. Maybe he used the same DOB as in the p2pfoundation profile? Or maybe the kid found some way to automate it bypassing the CAPTCHA.

I just checked out the password reset procedure on gmx.de. It's possible to use the phone-number or alternate email address to reset pw. Nothing about date of birth.

When I tried to regain control of my gmx account in December, I called. They asked date of birth, but it wasn't enough. I had to email scans of my ID, which they only checked casually (I know because I called right afterwards and the guy said (paraphrasing): "ah, I see it's still valid, so that's ok, I'll send you reset-link"). So that's a possibility, although I doubt the exploit involves a phone call.

Also noteworthy: after my account has been taken over (as said this happened 6-8 times in the last 3 weeks) and I regained access, website displayed many (100s, sometimes 1000s) of failed login attempts. I'm not sure if imap/pop login failures count here (I have multiple imap clients polling frequently, so if pw is changed, they will fail login).


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 08, 2015, 09:27:14 AM
Note to self: Start an email server.

+1

I ran one in the 90s. Gave up at some point when it got harder to send emails via smtp around 2005 or so.

I'm reconsidering this now.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 08, 2015, 09:28:42 AM
Molecular, aren't you from Germany? So is Akka IIRC... Maybe some German Bitcoin website was hacked.

Also ThomasV who also lost his gmx address is from Germany.

gmx is a German email provider, so this is probably the cause for the amount of Germans affected.



Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: fronti on January 08, 2015, 10:02:24 AM
I know akka personally and will give him a call that he can clarify the situation


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: redsn0w on January 08, 2015, 10:17:17 AM
Nice catch quickSeller ;) , now is all resolved or not ?


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 08, 2015, 10:34:09 AM
Nice catch quickSeller ;) , now is all resolved or not ?

except that the gaping pw reset vulnerability at gmx obviously still exists


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 08, 2015, 10:40:31 AM
I know akka personally and will give him a call that he can clarify the situation

Very good, thanks!


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: redsn0w on January 08, 2015, 10:46:23 AM
Nice catch quickSeller ;) , now is all resolved or not ?

except that the gaping pw reset vulnerability at gmx obviously still exists

Oh that's bad , now I think no one will use gmx anymore. They are very incompetent.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Akkahacked on January 08, 2015, 11:13:41 AM
Thanks for the heads-up quickSeller.

My gmx account has indeed been hacked, or rather exploited, the password had been changed. With this the password of my BTCtalk account had been changed.

So gmx mail seems not to be safe (i will format my PC and change all my PWs anyway, just to be sure).

I apologize to all people that have been troubled by the hack and hope that no damage has been caused to anyone due to this.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: freedomno1 on January 08, 2015, 12:05:13 PM
Thanks for the heads-up quickSeller.

My gmx account has indeed been hacked, or rather exploited, the password had been changed. With this the password of my BTCtalk account had been changed.

So gmx mail seems not to be safe (i will format my PC and change all my PWs anyway, just to be sure).

I apologize to all people that have been troubled by the hack and hope that no damage has been caused to anyone due to this.

Just good to hear that your account is getting recovered before any real damage could be done
Nice to see this getting neatly resolved.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 08, 2015, 12:50:32 PM
Thanks for the heads-up quickSeller.

My gmx account has indeed been hacked, or rather exploited, the password had been changed. With this the password of my BTCtalk account had been changed.

So gmx mail seems not to be safe (i will format my PC and change all my PWs anyway, just to be sure).

I apologize to all people that have been troubled by the hack and hope that no damage has been caused to anyone due to this.

Good to see you have been reached. Hope you can sort things out and get your original account back.

No need to apologize, it's not your fault. GMX is to blame.

and: No damage is not correct, at least not if we talk about the gmx exploit, not just the Akka takeover.

I for one spent countless hours migrating away from gmx and worrying about the next takeover. It's quite possible the attacker got some of my accounts where I used the gmx mail. He surely tried many and tried to steal coins from me. I have no doubt the 'hackers' made money off of this gmx exploit (WHICH STILL WORKS, I'm getting my pw changed every 2 days), even if it's just steam accounts. (See comments by binary32 here (http://bitbiz.io/threads/well-we-were-hacked.636/)). Attacker tried to get my paypal, blockchain.info, bitcoin.de, bitstamp and numerous other accounts (I saw some pw reset emails, seems I interrupted his 'work'). Wouldn't be surprised if he had been successful with some of the other targets.

Also, ThomasV has lost his twitter account to this gmx exploit (https://bitcointalk.org/index.php?topic=888343.0). He also lost other accounts but luckily was able to get them back.

Satoshi email hack was also likely due to the gmx exploit.



Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 08, 2015, 02:12:11 PM
here...

https://i.imgur.com/jY5T8PC.png (https://i.imgur.com/jY5T8PC.png)

someone selling a legendary bitcointalk account


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Quickseller on January 08, 2015, 02:16:29 PM
here...

https://i.imgur.com/jY5T8PC.png (https://i.imgur.com/jY5T8PC.png)

someone selling a legendary bitcointalk account

it is probably the spekulatius account https://bitcointalk.org/index.php?action=profile;u=37537


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 08, 2015, 02:35:57 PM
it is probably the spekulatius account https://bitcointalk.org/index.php?action=profile;u=37537

data matches. is spekulatius confirmed to have been taken?


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Quickseller on January 08, 2015, 02:40:44 PM
it is probably the spekulatius account https://bitcointalk.org/index.php?action=profile;u=37537

data matches. is spekulatius confirmed to have been taken?

spoderman offered to sell it to me very shortly after its password was reset via email (see PM dump on page two of this thread) even though it hadn't posted in months. Someone also logged in to it yesterday but made no posts.

He refused to confirm that he was able to confirm ownership which leads me to believe that he cannot do so.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: redsn0w on January 08, 2015, 02:47:59 PM
it is probably the spekulatius account https://bitcointalk.org/index.php?action=profile;u=37537

data matches. is spekulatius confirmed to have been taken?

spoderman offered to sell it to me very shortly after its password was reset via email (see PM dump on page two of this thread) even though it hadn't posted in months. Someone also logged in to it yesterday but made no posts.

He refused to confirm that he was able to confirm ownership which leads me to believe that he cannot do so.

His last post was done on the 07th of October, what do you think? Is it a hacked account (after sold it to another person)? Or just coincidences?


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Quickseller on January 08, 2015, 02:55:06 PM
it is probably the spekulatius account https://bitcointalk.org/index.php?action=profile;u=37537

data matches. is spekulatius confirmed to have been taken?

spoderman offered to sell it to me very shortly after its password was reset via email (see PM dump on page two of this thread) even though it hadn't posted in months. Someone also logged in to it yesterday but made no posts.

He refused to confirm that he was able to confirm ownership which leads me to believe that he cannot do so.

His last post was done on the 07th of October, what do you think? Is it a hacked account (after sold it to another person)? Or just coincidences?
You can make your own conclusions however I think it is hacked and for sale. I haven't received confirmation though.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: qwk on January 08, 2015, 02:56:35 PM
it is probably the spekulatius account https://bitcointalk.org/index.php?action=profile;u=37537
data matches. is spekulatius confirmed to have been taken?
spoderman offered to sell it to me very shortly after its password was reset via email (see PM dump on page two of this thread) even though it hadn't posted in months. Someone also logged in to it yesterday but made no posts.

He refused to confirm that he was able to confirm ownership which leads me to believe that he cannot do so.

Unfortunately, those PMs, even if they are really in your inbox, prove nothing.
I'm not implying that you are lying, or that Spekulatius is not compromised, but there's simply no proof.
All it shows is that Spoderman asked you how much you would pay for the Spekulatius account.
I could ask you how much you would pay for the theymos account, what would that prove?

PM's with spoderman:
[...]
https://bitcointalk.org/index.php?action=profile;u=37537 - how much would you pay for this account?
Don't low ball me. Im not doing any negotiating either.
I'll go first so keep that in consideration when you offer your price
Thanks
Before I would be willing to make any kind of offer I would need confirmation that you can prove ownership of the account. This would mean a signed bitcoin message. If you only have a signed message transferring ownership to another account then that would be fine, however you would need to do the same with the 2nd account (either on or off the forum).
Don't worry about it then, either way you are getting the account, all this verification nonsense isn't required for an offer.
If you give me a valid offer, i'll give you the account FIRST. That's my offer.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Quickseller on January 08, 2015, 03:05:08 PM
I told him that I would not make an offer without him confirming that he owns the account. His response was that he doesn't need to provide any kind of verification and that he would send the information (password) to me first prior to me paying.

I specifically asked if he can prove ownership and he specifically made an offer that lacks proving ownership

It does not prove the account was hacked but it is essentially spoderman saying the account is hacked. The message was previously reported to badbear and he can confirm the authenticity of the PM.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: blizzen1 on January 08, 2015, 03:39:19 PM
Hello,

this is blizzen! I created a new account "blizzen1", because my real account "blizzen" is hacked. I'm in contact with theymos to clear the situation.

greets
blizzen(1)


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 08, 2015, 03:42:35 PM
Hello,

this is blizzen! I created a new account "blizzen1", because my real account "blizzen" is hacked. I'm in contact with theymos to clear the situation.

greets
blizzen(1)

do you know how it was taken? Was a gmx email address registered with it?


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: blizzen1 on January 08, 2015, 03:46:46 PM
Hello,

this is blizzen! I created a new account "blizzen1", because my real account "blizzen" is hacked. I'm in contact with theymos to clear the situation.

greets
blizzen(1)

do you know how it was taken? Was a gmx email address registered with it?
Last online time was in December, and then there was an activity on January 5th. Yes, there was a gmx email address, but I got no answers by request.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: shorena on January 08, 2015, 03:47:53 PM
Hello,

this is blizzen! I created a new account "blizzen1", because my real account "blizzen" is hacked. I'm in contact with theymos to clear the situation.

greets
blizzen(1)

do you know how it was taken? Was a gmx email address registered with it?
Last online time was in December, and then there was an activity on January 5th. Yes, there was a gmx email address, but I got no answers by request.

Can you still access the mail address or was that password changed as well?


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: redsn0w on January 08, 2015, 03:55:31 PM
Hello,

this is blizzen! I created a new account "blizzen1", because my real account "blizzen" is hacked. I'm in contact with theymos to clear the situation.

greets
blizzen(1)

I've left negative feedback on your account (only for security). When you come back into possession of the account, contact me and I will remove it. However gmx is very incompetent.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: blizzen1 on January 08, 2015, 03:59:48 PM


Can you still access the mail address or was that password changed as well?

No problems with gmx, but I changed pw as a precaution.



Hello,

this is blizzen! I created a new account "blizzen1", because my real account "blizzen" is hacked. I'm in contact with theymos to clear the situation.

greets
blizzen(1)

I've left negative feedback on your account (only for security). When you come back into possession of the account, contact me and I will remove it. However gmx is very incompetent.
Okay, well done. I´ll come back  ;D


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: theymos on January 08, 2015, 10:14:31 PM
Akka's account has been restored to the rightful owner.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 08, 2015, 10:20:57 PM
Akka's account has been restored to the rightful owner.

wonderful, thank you!


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Akka on January 08, 2015, 11:19:35 PM
I can confirm that I'm back in control of my account.

Thanks again to Quickseller for the heads-up. Theymos for the quick acting. doingdoing3000, fronti and qwk for calling/messaging me and all others. I'm really impressed on how fast and well this was resolved.

It's late here so I will "fix" stuff (Post that were not by me, trust ratings, etc) tomorrow.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Quickseller on January 08, 2015, 11:21:42 PM
I can confirm that I'm back in control of my account.

Thanks again to Quickseller for the heads-up. Theymos for the quick acting. doingdoing3000, fronti and qwk for calling/messaging me and all others. I'm really impressed on how fast and well this was resolved.

It's late here so I will "fix" stuff (Post that were not by me, trust ratings, etc) tomorrow.
I am glad you were able to regain access to your account so quickly.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 08, 2015, 11:23:13 PM
I can confirm that I'm back in control of my account.

That's what the hacker would say ;-)

welcome back!


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Mitchell on January 08, 2015, 11:25:21 PM
I can confirm that I'm back in control of my account.

Thanks again to Quickseller for the heads-up. Theymos for the quick acting. doingdoing3000, fronti and qwk for calling/messaging me and all others. I'm really impressed on how fast and well this was resolved.

It's late here so I will "fix" stuff (Post that were not by me, trust ratings, etc) tomorrow.
Good to hear! I have removed my negative feedback from your account. I hope the hacker didn't do too much damage.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Akka on January 08, 2015, 11:36:42 PM
I hope the hacker didn't do too much damage.

No, it seems he hasn't done much other than to PM some people, trying to sell them their own Mail addresses  :-\


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Mitchell on January 08, 2015, 11:37:39 PM
No, it seems he hasn't done much other than to some people, trying to sell them their own Mail addresses  :-\
Damn, that is some fucked up shit. Well, I'm glad that you could recover your account and I hope you stop using GMX :P


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Quickseller on January 08, 2015, 11:38:21 PM
I hope the hacker didn't do too much damage.

No, it seems he hasn't done much other than to some people, trying to sell them their own Mail addresses  :-\
I hope they were not successful.... were they?


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Akka on January 08, 2015, 11:40:22 PM
I hope the hacker didn't do too much damage.

No, it seems he hasn't done much other than to some people, trying to sell them their own Mail addresses  :-\
I hope they were not successful.... were they?

No, I think not. The inbox was deleted, though, but I still have some outgoing PM's.


Title: Re: Akka - Default trust account no longer hacked!
Post by: Quickseller on January 08, 2015, 11:48:14 PM
I hope the hacker didn't do too much damage.

No, it seems he hasn't done much other than to some people, trying to sell them their own Mail addresses  :-\
I hope they were not successful.... were they?

No, I think not. The inbox was deleted, though, but I still have some outgoing PM's.
He was selling his "exploit" for 1.7 BTC and after I created this thread he gave me negative trust that said I scammed him 2 BTC, so hopefully I stopped someone from buying from him by creating this thread and tagging him


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Vod on January 09, 2015, 02:50:52 AM
I can confirm that I'm back in control of my account.

Thanks again to Quickseller for the heads-up. Theymos for the quick acting. doingdoing3000, fronti and qwk for calling/messaging me and all others. I'm really impressed on how fast and well this was resolved.

It's late here so I will "fix" stuff (Post that were not by me, trust ratings, etc) tomorrow.

Welcome back.  :)  Negative feedback removed.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: molecular on January 09, 2015, 07:28:33 AM
I hope the hacker didn't do too much damage.

No, it seems he hasn't done much other than to PM some people, trying to sell them their own Mail addresses  :-\

how many, roughly?


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: redsn0w on January 09, 2015, 08:46:38 AM
I can confirm that I'm back in control of my account.

Thanks again to Quickseller for the heads-up. Theymos for the quick acting. doingdoing3000, fronti and qwk for calling/messaging me and all others. I'm really impressed on how fast and well this was resolved.

It's late here so I will "fix" stuff (Post that were not by me, trust ratings, etc) tomorrow.

Oh , perfect !  I've removed my negative feedback.


Title: Re: Akka - Default trust account no longer hacked!
Post by: Christian1998 on January 09, 2015, 08:55:20 AM
Nice Job ;)
I know which site it is.

Best regards


Title: Re: Akka - Default trust account no longer hacked!
Post by: Acura3600 on January 09, 2015, 10:34:33 AM
My account was also hacked. My email address was also on GMX. But how can I get my account "Acura360" back?

Password reset doesn't work for me, I didn't receive the password reset email.


Title: Re: Akka - Default trust account no longer hacked!
Post by: redsn0w on January 09, 2015, 10:39:34 AM
My account was also hacked. My email address was also on GMX. But how can I get my account "Acura360" back?

Password reset doesn't work for me, I didn't receive the password reset email.

Follow this procedure : Recovering hacked accounts or accounts with lost passwords (https://bitcointalk.org/index.php?topic=497545.0).


Title: Re: Akka - Default trust account no longer hacked!
Post by: shorena on January 09, 2015, 11:05:13 AM
My account was also hacked. My email address was also on GMX. But how can I get my account "Acura360" back?

Password reset doesn't work for me, I didn't receive the password reset email.

Seems to happen to plenty of Germans lately.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Akka on January 09, 2015, 11:19:38 AM
how many, roughly?

Not very many. Most of the PMs are between people trying to confirm the hacked account. I just looked through the first couple yesterday and thought it was more.

My account was also hacked. My email address was also on GMX. But how can I get my account "Acura360" back?

Password reset doesn't work for me, I didn't receive the password reset email.

Seems to happen to plenty of Germans lately.

True.

gmx is a German website so it's only logical to assume that the gmx exploit affects mostly Germans.


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: shorena on January 09, 2015, 11:26:31 AM
-snip-

True.

gmx is a German website so it's only logical to assume that the gmx exploit affects mostly Germans.

Yes, I changed my mailaddress/password for the board after reading this thread. Just to be safe.

Edit: I also posted a warning in the german section, link: https://bitcointalk.org/index.php?topic=918752.0


Title: Re: Akka - Default trust account no longer hacked!
Post by: molecular on January 09, 2015, 12:12:23 PM
Nice Job ;)
I know which site it is.

What do you mean "which site"?


Title: Re: Akka - Default trust account hacked! - confirmed 2x
Post by: Spekulatius on January 10, 2015, 10:27:38 PM
it is probably the spekulatius account https://bitcointalk.org/index.php?action=profile;u=37537
data matches. is spekulatius confirmed to have been taken?
spoderman offered to sell it to me very shortly after its password was reset via email (see PM dump on page two of this thread) even though it hadn't posted in months. Someone also logged in to it yesterday but made no posts.

He refused to confirm that he was able to confirm ownership which leads me to believe that he cannot do so.

Unfortunately, those PMs, even if they are really in your inbox, prove nothing.
I'm not implying that you are lying, or that Spekulatius is not compromised, but there's simply no proof.
All it shows is that Spoderman asked you how much you would pay for the Spekulatius account.
I could ask you how much you would pay for the theymos account, what would that prove?

PM's with spoderman:
[...]
https://bitcointalk.org/index.php?action=profile;u=37537 - how much would you pay for this account?
Don't low ball me. Im not doing any negotiating either.
I'll go first so keep that in consideration when you offer your price
Thanks
Before I would be willing to make any kind of offer I would need confirmation that you can prove ownership of the account. This would mean a signed bitcoin message. If you only have a signed message transferring ownership to another account then that would be fine, however you would need to do the same with the 2nd account (either on or off the forum).
Don't worry about it then, either way you are getting the account, all this verification nonsense isn't required for an offer.
If you give me a valid offer, i'll give you the account FIRST. That's my offer.

I was indeed hacked!
One day I read that my password was reset but didn't think it was anything to worry about, because an attacker would still have to get to my 2nd email account which my bitcointalk account is linked to, then I go check the next day anyway and BAM! I'm locked out both of bitcointalk and of my email account. Turns out my email was hacked and used to send spam some days before my password here was reset. Fortunately I posted an address that I still control some time ago and could by signing it prove to theymos that I am the rightful owner, so he reset my email and password (thank god). It took about 2 days. So just to make it clear: I WOULD NEVER SELL THIS ACCOUNT! SPODERMEN IS EITHER HACKED OR AN ORIGINAL SCAMMER!

--> The only problem I have now is that my trust score was ruined during those few days and I have no idea who Spodermen scammed in my name to earn this reputation! What can I do to find out? Thx


Title: Re: Akka - Default trust account no longer hacked!
Post by: Spekulatius on January 10, 2015, 10:37:56 PM
My account is with web.de, which belongs, i think, to gmx. Is it safe if I have changed my password or should I move to another provider?


Title: Re: Akka - Default trust account no longer hacked!
Post by: Mitchell on January 10, 2015, 10:39:36 PM
Spekulatius, could you get theymos to confirm this? That would help your case a lot.


Title: Re: Akka - Default trust account no longer hacked!
Post by: Akka on January 10, 2015, 10:40:12 PM
My account is with web.de, which belongs, i think, to gmx. Is it safe if I have changed my password or should I move to another provider?

If it's the same exploit used in gmx, changing your password will not be enough.

It's a pain, I know (have been using my gmx for a lot of stuff) but you should consider this account unsafe.


Title: Re: Akka - Default trust account no longer hacked!
Post by: theymos on January 10, 2015, 11:07:09 PM
Spekulatius, could you get theymos to confirm this? That would help your case a lot.

Confirmed.


Title: Re: Akka - Default trust account no longer hacked!
Post by: Mitchell on January 10, 2015, 11:08:16 PM
Confirmed.
Thank you very much for confirming this. Glad to see that this was resolved.


Title: Re: Akka - Default trust account no longer hacked!
Post by: molecular on January 11, 2015, 12:49:07 AM
My account is with web.de, which belongs, i think, to gmx. Is it safe if I have changed my password or should I move to another provider?

Thanks for this info. Another indication (apart from the exploit offer on hackforums) that indeed not only gmx.de, but also web.de and potentially other 1+1 (German company that owns these brands) suffer from the exploit.

Yes, definitely you should switch provider. My gmx password is repeatedly being changed by the attacker since mid-December. In recent times there had been periods where he took over my account every second day.






Title: Re: Akka - Default trust account no longer hacked!
Post by: Quickseller on January 11, 2015, 01:37:27 AM
My account is with web.de, which belongs, i think, to gmx. Is it safe if I have changed my password or should I move to another provider?
I am glad that you got your account back. Theymos really should give a warning to people not to use GMX et al. email addresses for their forum accounts.



I figured I should post this here. Per the message I received from Spekulatius the hacker used the below email and IP address

Quote
-snip-
The attacker used the email screams@live.com and the IP 73.166.140.216.
-snip-


Title: Re: Akka - Default trust account no longer hacked!
Post by: redsn0w on January 11, 2015, 06:39:58 AM
I figured I should post this here. Per the message I received from Spekulatius the hacker used the below email and IP address

Quote
-snip-
The attacker used the email screams@live.com and the IP 73.166.140.216.
-snip-


I received the same PM, however welcome back @Spekulatius. (I hope you're not going to use GMX or web.de again.) A simple gmail address with 2FA is the better solution and obviously secure.


Title: Re: Akka - Default trust account no longer hacked!
Post by: Christian1998 on January 11, 2015, 07:11:57 AM
(...)
I received the same PM, however welcome back @Spekulatius. (I hope you're not going to use GMX or web.de again.) A simple gmail address with 2FA is the better solution and obviously secure.
It is better when you have your own Mailserver ;) For example with autoban (Try it out on my Server if you want, try 2 times to login - then you get banned for 1 Year: Admin@Dice-Win.com)
Best regards


Title: Re: Akka - Default trust account no longer hacked!
Post by: Blazr on January 11, 2015, 02:49:33 PM
(...)
I received the same PM, however welcome back @Spekulatius. (I hope you're not going to use GMX or web.de again.) A simple gmail address with 2FA is the better solution and obviously secure.
It is better when you have your own Mailserver ;) For example with autoban (Try it out on my Server if you want, try 2 times to login - then you get banned for 1 Year: Admin@Dice-Win.com)
Best regards

It locks you out for a year after only 2 failed attempts?! How are you able to login when you are drunk?  ;D


Title: Re: Akka - Default trust account no longer hacked!
Post by: Christian1998 on January 11, 2015, 02:55:07 PM
(...)
I received the same PM, however welcome back @Spekulatius. (I hope you're not going to use GMX or web.de again.) A simple gmail address with 2FA is the better solution and obviously secure.
It is better when you have your own Mailserver ;) For example with autoban (Try it out on my Server if you want, try 2 times to login - then you get banned for 1 Year: Admin@Dice-Win.com)
Best regards

It locks you out for a year after only 2 failed attempts?! How are you able to login when you are drunk?  ;D
Yes it does.
I can remove the ban manually ;)
Because I don't need to login with my password ;)
You can test it if you want - it's my server, I allow it to test it.
Best regards
Christian


Title: Re: Akka - Default trust account no longer hacked!
Post by: Spekulatius on January 12, 2015, 03:12:08 AM
I figured I should post this here. Per the message I received from Spekulatius the hacker used the below email and IP address

Quote
-snip-
The attacker used the email screams@live.com and the IP 73.166.140.216.
-snip-


I received the same PM, however welcome back @Spekulatius. (I hope you're not going to use GMX or web.de again.) A simple gmail address with 2FA is the better solution and obviously secure.

Ok, changed it to a yahoo.de account. Hope that's secure enough ::)

Feels good to be back


Title: Re: Akka - Default trust account no longer hacked!
Post by: Quickseller on January 12, 2015, 03:14:38 AM
I figured I should post this here. Per the message I received from Spekulatius the hacker used the below email and IP address

Quote
-snip-
The attacker used the email screams@live.com and the IP 73.166.140.216.
-snip-


I received the same PM, however welcome back @Spekulatius. (I hope you're not going to use GMX or web.de again.) A simple gmail address with 2FA is the better solution and obviously secure.

Ok, changed it to a yahoo.de account. Hope that's secure enough ::)

Feels good to be back
That may work, however the most secure email would be one that cannot possibly exist (IDK why the forum does not allow the option of simply not having an email at all). What I recommend using is [username]@bitcointalk.org, since the forum does not offer email services it would not be possible to hack/create that email address (although you would be somewhat out of luck if you forgot your password)


Title: Re: Akka - Default trust account no longer hacked!
Post by: hilariousandco on January 12, 2015, 06:02:20 AM
Ok, changed it to a yahoo.de account. Hope that's secure enough ::)

Depends how secure you made it. Hope you didn't use some of the basic security questions that are easily guessable.

That may work, however the most secure email would be one that cannot possibly exist (IDK why the forum does not allow the option of simply not having an email at all). What I recommend using is [username]@bitcointalk.org, since the forum does not offer email services it would not be possible to hack/create that email address (although you would be somewhat out of luck if you forgot your password)

Couldn't theymos or possibly BadBear create those emails and steal the accounts? ;D


Title: Re: Akka - Default trust account no longer hacked!
Post by: Quickseller on January 12, 2015, 06:04:31 AM
That may work, however the most secure email would be one that cannot possibly exist (IDK why the forum does not allow the option of simply not having an email at all). What I recommend using is [username]@bitcointalk.org, since the forum does not offer email services it would not be possible to hack/create that email address (although you would be somewhat out of luck if you forgot your password)

Couldn't theymos or possibly BadBear create those emails and steal the accounts? ;D
If they wanted to do this they would simply reset the password to an email they control themselves. Or they could just change the password by editing the DB.


Title: Re: Akka - Default trust account no longer hacked!
Post by: MadZ on January 14, 2015, 06:32:12 AM
I banned him and removed him from my trust list.

The real Akka should email me.

Shouldn't Akka be re-added to your trust list now that he has regained access to his account? I would've assumed he has PMed you by now, but perhaps he hasn't noticed he was removed since his trust ratings still look the same on his end.


Title: Re: Akka - Default trust account no longer hacked!
Post by: Akka on January 14, 2015, 06:40:19 AM
I banned him and removed him from my trust list.

The real Akka should email me.

Shouldn't Akka be re-added to your trust list now that he has regained access to his account? I would've assumed he has PMed you by now, but perhaps he hasn't noticed he was removed since his trust ratings still look the same on his end.

It's honestly not so important for me to be re-added, being a trusted User is kinda nice, but that's already it for me. But I still appear as Akka in his list. If that means I'm somehow untrusted in his list, yes it would be nice if that could be fixed.


Title: Re: Akka - Default trust account no longer hacked!
Post by: MadZ on January 14, 2015, 06:45:14 AM
I banned him and removed him from my trust list.

The real Akka should email me.

Shouldn't Akka be re-added to your trust list now that he has regained access to his account? I would've assumed he has PMed you by now, but perhaps he hasn't noticed he was removed since his trust ratings still look the same on his end.

It's honestly not so important for me to be re-added, being a trusted User is kinda nice, but that's already it for me. But I still appear as Akka in his list. If that means I'm somehow untrusted in his list, yes it would be nice if that could be fixed.

You should PM him, he only removed you because your account was hacked. Since you have regained access to your account and properly secured it, he should have no problems re-adding you, or at least removing you from his distrust list if that is all you care about.


Title: Re: Akka - Default trust account no longer hacked!
Post by: qwk on January 14, 2015, 09:58:25 AM
What I recommend using is [username]@bitcointalk.org, since the forum does not offer email services it would not be possible to hack/create that email address (although you would be somewhat out of luck if you forgot your password)
In the (unlikely) event of successful DNS poisoning, an attacker might be able to forge an MX record for bitcointalk.org and point it at his own mail server.
It's difficult to estimate the likelihood of such an attack, but I personally would consider that more likely than an attack against a professional mail provider.


Title: Re: Akka - Default trust account no longer hacked!
Post by: Quickseller on January 14, 2015, 12:28:23 PM
What I recommend using is [username]@bitcointalk.org, since the forum does not offer email services it would not be possible to hack/create that email address (although you would be somewhat out of luck if you forgot your password)
In the (unlikely) event of successful DNS poisoning, an attacker might be able to forge an MX record for bitcointalk.org and point it at his own mail server.
It's difficult to estimate the likelihood of such an attack, but I personally would consider that more likely than an attack against a professional mail provider.
i thought GMX was a professional mail provider.

This would also prevent any kind of social engineering attack, like using your security question to reset your password.


Title: Re: Akka - Default trust account no longer hacked!
Post by: Parazyd on January 14, 2015, 12:30:39 PM
What I recommend using is [username]@bitcointalk.org, since the forum does not offer email services it would not be possible to hack/create that email address (although you would be somewhat out of luck if you forgot your password)
In the (unlikely) event of successful DNS poisoning, an attacker might be able to forge an MX record for bitcointalk.org and point it at his own mail server.
It's difficult to estimate the likelihood of such an attack, but I personally would consider that more likely than an attack against a professional mail provider.
i thought GMX was a professional mail provider.

This would also prevent any kind of social engineering attack, like using your security question to reset your password.

Epochtalk is coming soon, and there will be two-factor authentication.
It's gonna make us feel super-safe :D


Title: Re: Akka - Default trust account no longer hacked!
Post by: qwk on January 14, 2015, 01:02:46 PM
What I recommend using is [username]@bitcointalk.org, since the forum does not offer email services it would not be possible to hack/create that email address (although you would be somewhat out of luck if you forgot your password)
In the (unlikely) event of successful DNS poisoning, an attacker might be able to forge an MX record for bitcointalk.org and point it at his own mail server.
It's difficult to estimate the likelihood of such an attack, but I personally would consider that more likely than an attack against a professional mail provider.
i thought GMX was a professional mail provider.

This would also prevent any kind of social engineering attack, like using your security question to reset your password.
Yes, GMX is a professional mail provider. That's why I would consider DNS poisoning against them highly unlikely.
If there's really an issue there, it's almost certainly something else.

I just wanted to point out that using xxx@bitcointalk.org to counter password attacks against the forum is probably not such a good idea after all.


Title: Re: Akka - Default trust account no longer hacked!
Post by: molecular on January 14, 2015, 07:38:52 PM
my gmx pw got changed again.

I think it's a different person.

he took my twitter (forgot to change email), got it back.

he requested password reset on bitstamp with IP: 198.237.119.18, but didn't log in, probably because of the lack of a 2nd factor.

he posted this on twitter:

https://twitter.com/cotta3/status/555443222793572354

https://i.imgur.com/ubTh2XY.png

I should really close the gmx account, but I'm afraid because maybe I missed changing the email on some important account...


Title: Re: Akka - Default trust account no longer hacked!
Post by: Parazyd on January 14, 2015, 07:43:06 PM
molecular: Check them all again, and change when needed. You shouldn't be lazy in a situation like this ;)


Title: Re: Akka - Default trust account no longer hacked!
Post by: molecular on January 14, 2015, 09:17:08 PM
molecular: Check them all again, and change when needed. You shouldn't be lazy in a situation like this ;)

how to find which sites I used the email-address on, though?

sift through 14270 emails (I copied to local)?

look in my head? (done that)

I hope there is a way to lock/deactivate the gmx account and keep others from registering that particular address for at least some time.


Title: Re: Akka - Default trust account no longer hacked!
Post by: Parazyd on January 14, 2015, 09:22:57 PM
molecular: Check them all again, and change when needed. You shouldn't be lazy in a situation like this ;)

how to find which sites I used the email-address on, though?

sift through 14270 emails (I copied to local)?

look in my head? (done that)

I hope there is a way to lock/deactivate the gmx account and keep others from registering that particular address for at least some time.


You could filter the emails, Google your email or your username.
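
Added example, not part of any post in this thread: one way to do the "filter the emails" step on a local copy of the mailbox, listing every sender domain that ever sent sign-up or credential mail so each of those accounts can be moved to a new address. It assumes the local copy is in mbox format; the keyword list, the function names and the sample messages are constructed for illustration.

```python
import mailbox, pathlib, re, tempfile
from collections import defaultdict
from email.utils import parseaddr, parsedate_to_datetime

# Assumed keyword list for sign-up and credential mail; extend for your archive.
ACCOUNT_HINTS = re.compile(r"welcome|verif|confirm|activat|password|registration", re.I)

def inventory(mbox_path):
    """Map sender domain -> message count, account-mail count, last date seen."""
    seen = defaultdict(lambda: {"count": 0, "account_mail": 0, "last_seen": ""})
    box = mailbox.mbox(mbox_path, create=False)  # fail on a wrong path
    for msg in box:
        addr = parseaddr(str(msg.get("From", "")))[1].lower()
        if "@" not in addr:
            continue  # missing or malformed From header
        entry = seen[addr.rsplit("@", 1)[1]]
        entry["count"] += 1
        if ACCOUNT_HINTS.search(str(msg.get("Subject", ""))):
            entry["account_mail"] += 1
        try:
            day = parsedate_to_datetime(str(msg.get("Date", ""))).date().isoformat()
        except (TypeError, ValueError):
            day = ""  # unparseable Date: still count the message
        entry["last_seen"] = max(entry["last_seen"], day)
    box.close()
    return dict(seen)

def to_review(inv):
    """Domains that sent account-related mail, most recently seen first."""
    return sorted((d for d, e in inv.items() if e["account_mail"]),
                  key=lambda d: inv[d]["last_seen"], reverse=True)

# Constructed sample headers (From, Subject, Date); not real mail, placeholder domains.
SAMPLE = [
    ("Exchange <noreply@exchange.example>", "Please confirm your registration", "Mon, 03 Mar 2014 10:00:00 +0000"),
    ("Exchange <noreply@exchange.example>", "Password reset requested", "Tue, 13 Jan 2015 09:00:00 +0000"),
    ("Social <notify@social.example>", "Welcome to Social", "not a date"),
    ("friend@mail.example", "lunch?", "Sat, 05 Jul 2014 08:00:00 +0200"),
]

def demo():
    text = "".join("From MAILER-DAEMON Thu Jan  1 00:00:00 2015\n"
                   f"From: {f}\nSubject: {s}\nDate: {d}\n\nbody\n\n" for f, s, d in SAMPLE)
    with tempfile.TemporaryDirectory() as tmp:
        path = pathlib.Path(tmp, "archive.mbox")
        path.write_text(text)
        return inventory(str(path))

if __name__ == "__main__":
    print(to_review(demo()))
```

A recent `last_seen` on a password-reset subject also shows which services someone has tried to reset since the mailbox was taken over.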