Bitcoin Forum

I have a feeling we will be seeing a lot of hacked accounts in the near future (abandoned but high ranked accounts for example). Stay alert guys!

I have a feeling we will be seeing a lot of hacked accounts in the near future (abandoned but high ranked accounts for example). Stay alert guys!

Agreed, also be especially careful trading with people. Even if no one gets hacked, I foresee some people scamming, and then trying to claim they were hacked to waive their liability.

Agreed, also be especially careful trading with people. Even if no one gets hacked, I foresee some people scamming, and then trying to claim they were hacked to waive their liability.

The thing is, how can we actually mitigate that risk? Say someone is trading with me, how can they be sure that a) I'm not hacked and b) the escrow we're using isn't hacked. Especially as the escrows will be the primary targets.

The normal. Signed message via Bitcoin address or PGP.

The normal. Signed message via Bitcoin address or PGP.

I have seen people claiming that their BCT and email accounts are hacked (their passwords were reset). Now it's getting difficult to even trust the old trusted members. Trading will be more difficult if any escrow's account was hacked.

I have a feeling we will be seeing a lot of hacked accounts in the near future (abandoned but high ranked accounts for example). Stay alert guys!

It is not that hard, the users can still sign using their know bitcoin address prove their identity.

That's not the issue but now there might be many users who will claim their accounts as being hacked. Theymos will be having a tough time to recover these accounts and if these users have used their email accounts or bitcoin accounts with the same password, then chances of recovering their account is almost nil.

Yeah I've seen some old accounts just started posting again today after years of not being used :(.

How long would it take for the hacker(s) to get a password from the password hash and salt they stole?

How many accounts could they hack in a given period of time?

There must be a limit on the number of accounts they can access, so I assume they will go for the most useful looking ones and ignore low ranks.

Which ones? Maybe a list should be compiled, though what Quickseller said in another thread will also be relevant that many older inactive members will be likely to return to change their passwords by the email they received from theymos.

There shouldn't be a problem with using escrows and the like, they can sign an address they've used previously. Or verify with PGP. To be honest, before any escrow trade goes through regardless of the suspicious the account could be hacked or not verifying they are who they say they are should always be done prior to the trade.

And, if you want to verify any other member, I'm sure sending them a message requesting a signature with a valid reason wouldn't be a problem for most users.

I've already seen several suspicious accounts which I've noted down mentally.

What needs to happen for security is any accounts that do not have their password reset manually within a week should have their passwords revoked and automatically reset where they can only be recovered with an email being sent with a recovery link to the address on file.

They have a week to manually reset and update their email address. It is very irresponsible to setup an account and lose track of your throwaway email credentials. Any other accounts will be lost unless its a known member who can prove its them to theymos directly.

This would be a good opportunity to clear off many garbage shill accounts as well as they are more likely using fake email accounts.

Its not the end of the world if a few old anonymous accounts get frozen either and is a much better alternative than a bunch of compromised accounts start scamming people.

The hacked accounts make it pretty clear that either the passwords weren't salted,

What hacked accounts?

This. (https://bitcointalk.org/index.php?action=profile;u=25340)
That. (https://bitcointalk.org/index.php?action=profile;u=42942)
Probably more. ::)

This. (https://bitcointalk.org/index.php?action=profile;u=25340)
That. (https://bitcointalk.org/index.php?action=profile;u=42942)
Probably more. ::)

Such slander. MtGox has the best security practices ever.

I have a feeling we will be seeing a lot of hacked accounts in the near future (abandoned but high ranked accounts for example). Stay alert guys!

You cannot assume Theymos is lying and the database wasn't salted. We don't know if the security question was encrypted and salted as well.
Any old accounts compromised likely used easy passwords or easy security questions.

Forcing a password reset where the recovery must happen through email will protect all those accounts unless the user were ignorant enough to use the same password for their email account as here.


Most of those are probably shill accounts... what type of idiot doesn't spend 5 minutes to create an extra throwaway email for security or spam? Any person that doesn't do this and fails to reset in a week deserves to become a newbie again.

I am sure there may be 1-2 anonymous heroes accounts who have to become newbies again. That is a small price to pay for good security.

This. (https://bitcointalk.org/index.php?action=profile;u=25340)
That. (https://bitcointalk.org/index.php?action=profile;u=42942)
Probably more. ::)

I wonder why the hackers targeting those high ranked accounts are coming out as such obvious trolls. Perhaps they deemed them not worthy? I wonder if more accounts were hacked and are going to be sold in a stealthy way.

It seems that the primary target (at least so far) of hacked accounts has been VIP accounts.

IDK. They just happen to be the ones I keep an extra eye on.
Theymos mentioned that weak passwords would require dedicated brute force to be hacked.
I guess that's what the attacker is doing. Obviously going for the most valuable accounts first.

for the first you are just paranoid that he doesnt have a username and that he hasnt posted in some time, if you look at his post history, a few years ago, most of his posts were in the german section, although he speaks english now, if you look closely, it is obviously not his first language, he probably received the email today and decided that he will come back

About the first: the account was originally in possession of a German, who started a service that soon turned into (possibly) the second largest ponzi here at bitcointalk. He claimed to have sold the account to another German, who then claimed to have sold to a Russian. Nobody knows if the original account ever changed owners in the first place. But today, the account came back with a very fluent English speaker, potentially with a Dutch origin. Paranoid I may be, but that does not mean that I'm wrong ;)

About the first: the account was originally in possession of a German, who started a service that soon turned into (possibly) the second largest ponzi here at bitcointalk. He claimed to have sold the account to another German, who then claimed to have sold to a Russian. Nobody knows if the original account ever changed owners in the first place. But today, the account came back with a very fluent English speaker, potentially with a Dutch origin. Paranoid I may be, but that does not mean that I'm wrong ;)

You are next. enjoy.

I reviewed a few of his posts, i wouldn't say his English is  "very fluent" and why did you give him negative trust without being sure he is a hacker?

I'm assuming nothing. Merely laying out the possibilities, so that they could be eliminated, one by one. In other words, theymos is not lying, the passwords were salted, which leaves only one plausible explanation for shitloads of VIP accounts flooding online: The hackers got a lot more than password hashes & emails.

VIP accounts in a forum that's all about privicy, security & crypto? You sure?

Protect all which accounts? The ones posting here now? Or the accounts on the db dumps? Those probably changed hands a few times by now.

If Theymos changes all passwords and drops the security question table and prompts the users to reset via email on file the only vulnerable accounts will be those that have the same password /security question for their email as here and fail to respond timely.

Some of those 80% will still have access to the fake/throwaway email accounts, some wont. It takes 5 minutes to setup a spare email account for security / spam and it only needs to be checked 1 a year to make sure it remains active. Anyone that isn't maintaining these accounts in a password manager is irresponsible and deserves to become a newbie again.

no i mean 80% of the emails are invalid, they aren't temporary emails, they are invalid that bounce emails back. Most people just entered sadasdsdfgdfgdfgdfa@gmail.com or similar, the email accounts don't exist. The only authentication the forum has is password/security question, email is no good for us, even satoshi's account has an invalid email.

I understood you the first time. Who cares if they are invalid. I clearly stated that those users who are stupid enough not to maintain a throwaway email for this exact scenario deserve to become newbies again.

What is worse : a few hero accounts being frozen where the users are forced to start over or a ton of compromised accounts trolling and scamming on this forum?

The choice is clear to me ... hopefully Theymos makes the right decision, otherwise he is choosing usability over security like apple did before fappergate.

It makes perfect sense for a likely compromised account to be trying to dissuade Theymos and others from good security advice.

Whether the number is 50% or 90% , they mostly are comprised of shill accounts so it will be great to purge those.

no i mean 80% of the emails are invalid, they aren't temporary emails, they are invalid that bounce emails back. Most people just entered sadasdsdfgdfgdfgdfa@gmail.com or similar, the email accounts don't exist. The only authentication the forum has is password/security question, email is no good for us, even satoshi's account has an invalid email though that is likely on purpose.

More worried about virus emails  :(

Simple solution: don't open them. I wouldn't click on any email I didn't like the look of especially ones that mention btc.

This is silly and a waste of time. I don't think Theymos intends to do the right thing and change all passwords to have sufficient entropy until they are reset by email, so I am going to walk away from my account and close my email previously associated with the account. The trolling and the hack was merely the straw that broke the camels back... this forum has been going downhill for a while.

Goodbye bitcointalk.

More worried about virus emails  :(

Agreed, also be especially careful trading with people. Even if no one gets hacked, I foresee some people scamming, and then trying to claim they were hacked to waive their liability.

This is silly and a waste of time. I don't think Theymos intends to do the right thing and change all passwords to have sufficient entropy until they are reset by email, so I am going to walk away from my account and close my email previously associated with the account. The trolling and the hack was merely the straw that broke the camels back... this forum has been going downhill for a while.

Goodbye bitcointalk.

Well, I thought theymos should disallow users to change email for a certain period of time.

When will this forum enable Google 2FA? I suppose this will help relieve some worries even certain users may have used relatively weak passwords.

This is silly and a waste of time. I don't think Theymos intends to do the right thing and change all passwords to have sufficient entropy until they are reset by email, so I am going to walk away from my account and close my email previously associated with the account. The trolling and the hack was merely the straw that broke the camels back... this forum has been going downhill for a while.
Goodbye bitcointalk.

Well, I thought theymos should disallow users to change email for a certain period of time.
When will this forum enable Google 2FA? I suppose this will help relieve some worries even certain users may have used relatively weak passwords.

I can see how many people are just going to ignore this ever even happened and are not planning to change their password. Sure, it may be hard to obtain the actual password, but it is not impossible either. I am hoping at least the most prominent users will use reason.

Exactly, a lot of users (people) don't understand how to protect after an hack their account... but they will surely cry sooner or later and say "why my account was hacked,why I can't access on my account, bla bla?". This is the funny thing, in my honest opinion theymos should send also a general PM here in the forum and say "you should change the password, because the forum was hacked... ". I know he sent an email, but a lot of users are using a random e-mail.

Which ones? Maybe a list should be compiled, though what Quickseller said in another thread will also be relevant that many older inactive members will be likely to return to change their passwords by the email they received from theymos.

Yes, it is probable that old users will return to change their password just for precaution, but posting nonsense from inactive accounts for years? That should ring a bell.