Bitcoin Forum

Economy => Service Discussion => Topic started by: starik69 on April 11, 2013, 08:57:35 AM



Title: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 11, 2013, 08:57:35 AM
I have a wallet on blockchain.info with address 1AeuWyXeQvdG1eDqht1hAc3w4t2duPU83G. Today I woke up and saw that most of my bitcoins have gone with this transaction:
https://blockchain.info/en/tx/c84f9ea080b9e6aad84af6daa7c6b018c62caf9615aa583ccfe5ead6228b3f7c

I never did it myself, so somebody guessed my 15-letter password and stole my coins, I think in one bunch along with 108.8 BTC from other blockchain.info wallets.

Be careful!


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: refaelsh on April 11, 2013, 08:59:32 AM
I have a wallet on blockchain.info with address 1AeuWyXeQvdG1eDqht1hAc3w4t2duPU83G. Today I woke up and saw that most of my bitcoins have gone with this transaction:
https://blockchain.info/ru/tx/c84f9ea080b9e6aad84af6daa7c6b018c62caf9615aa583ccfe5ead6228b3f7c

I never did it myself, so somebody guessed my 9-letter password and stole my coins, I think in one bunch along with 108.8 BTC from other blockchain.info wallets.

Be careful!
Dude, the link is in Russian, not everybody understands Russian (I do :-)).


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: z12 on April 11, 2013, 09:01:10 AM
Sorry for your loss.. So it seems bitcoin has gathered a lot of hacker attention.
It seems there is no need for governments to waste millions to try to destroy bitcoins, hackers are doing it for them for free.
What operating system were you using?

And change /ru/ to /en/ for the English version


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 11, 2013, 09:06:03 AM
My system is W8 x64, Chrome browser. I don't think I have some trojan or keylogger.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: Akka on April 11, 2013, 09:10:25 AM
My system is W8 x64, Chrome browser. I don't think I have some trojan or keylogger.

Blockchain Wallets with weak passwords get "hacked" all the time.

Did you use a weak password? 1 or 2 regular words and a few numbers for example?


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: fr33d0miz3r on April 11, 2013, 09:18:50 AM
My system is W8 x64, Chrome browser. I don't think I have some trojan or keylogger.

Sorry for offtopic, but... are you from Tver?


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: refaelsh on April 11, 2013, 09:21:05 AM
I have a wallet on blockchain.info with address 1AeuWyXeQvdG1eDqht1hAc3w4t2duPU83G. Today I woke up and saw that most of my bitcoins have gone with this transaction:
https://blockchain.info/en/tx/c84f9ea080b9e6aad84af6daa7c6b018c62caf9615aa583ccfe5ead6228b3f7c

I never did it myself, so somebody guessed my 15-letter password and stole my coins, I think in one bunch along with 108.8 BTC from other blockchain.info wallets.

Be careful!
I suggest that next time you use the LastPass plugin for Chrome and a 100 character password. That's what I do.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 11, 2013, 09:23:03 AM
Yes, now I think my password may be weak, it was some non-obvious words and I hoped it was difficult to bruteforce 15 letters.

I am not from Tver.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: 🏰 TradeFortress 🏰 on April 11, 2013, 09:23:25 AM
Looks like possibly related to whiskers75?


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 11, 2013, 09:50:34 AM
Yes, whiskers75 address 1whiskD55W4mRtyFYe92bN4jbsBh1sZut is somehow related. It is also here - https://bitcointalk.org/index.php?topic=173134.0


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: demzie on April 11, 2013, 09:52:59 AM
And the two factor email auth? Don't you use that?


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 11, 2013, 09:57:18 AM
Nope, was only one password. It's not a big loss for me, I collected some free bitcoins from various sites that give them, so was not especially worried about security.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: dli7319 on April 11, 2013, 10:27:36 AM
me too, how??


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: doobadoo on April 11, 2013, 10:30:27 AM
how do they even get a copy of the wallet?  and a 15 character pass is pretty hard, unless you use a movie title, or  famous quote.   several random words is hard to beat, or am i wrong on that?


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 11, 2013, 10:35:44 AM
In my case words were not random, but it was not some recognizable or having some sense phrase.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: doobadoo on April 11, 2013, 10:39:35 AM
In my case words were not random, but it was not some recognizable or having some sense phrase.

yeah then it's impossible it was hacked cause it sounds random enough.  was it something like   dogpeesinfamilypot?  or samgoestothedrycleaners?

that might as well be as random as it gets.  and 15 char is a lot to brute force.  someone had ur keystrokes and clipboard with the link to blockinfo.

otherwise we are talking man in the middle, and that's just not very likely.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: dli7319 on April 11, 2013, 10:45:18 AM
I'm guessing wallets weren't encrypted


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 11, 2013, 10:48:50 AM
My passphrase had some short real words, not obvious, with no sense, but arranged in some simple algorithm. Now I think it could be guessed.
Another way could be not hacking the password, but something like stealing session cookies, my bad, I don't know much about such things.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: dli7319 on April 11, 2013, 10:51:19 AM
No way the passwords of that many ppl were guessed


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: doobadoo on April 11, 2013, 10:59:08 AM
did you click any links in the btc-e chatroom, or other bitcoin chatrooms while logged into blockinfo?

use firefox, use noscript


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 11, 2013, 11:01:54 AM
did you click any links in the btc-e chatroom, or other bitcoin chatrooms while logged into blockinfo?
Yes, that could have happened.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: doobadoo on April 11, 2013, 11:09:20 AM
did you click any links in the btc-e chatroom, or other bitcoin chatrooms while logged into blockinfo?
Yes, that could have happened.
BINGO!  You caught a javascript keylogger, or a script that performed a cross site scripting attack, pulled your wallet out of the jscript running while you had blockchain.info open in another tab.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: doobadoo on April 11, 2013, 11:13:59 AM
when logged into a bitcoin site that contains your balance run FF with NoScript addon installed (set it to ban scripts globally), then "allow" the ones that are needed for gox and blockchain info, all others shall be banned. Bitcointalk.org is safe too.  Your banking site scripts are ok.  google.com is okay and might need to be allowed too.  everything else by default will be banned.

Use that browser only for your financial stuff.  Browse in chrome for everything else.  Consider linux or os x.  you can buy a $50 external usb hdd and install some kind of linux on that (or repartition your boot drive if you're good at stuff like that).  Just run bitcoin on that linux install and run all the security patches.  Use FF on that, just like i told you.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: z12 on April 11, 2013, 11:24:20 AM
Now that you mention it, I just checked my browsing history.
The suspicious websites I visited in the last week:
Code:
Cryptocoinexplorer.com <= i clicked this from btc-e
bitcoin.clarkmoody.com
bitcoinrush.p4o.net
zerohedge.com
xcannabis.com
wallet.litehosting.eu
thebitcoinchannel.com
coinad.com
cryptocoincharts.info
kamikaze.litecoinland.com
litecoin-store.com
litecoingames.com
litefaucet.com
m-obmen.com
medium.com
minecraftcc.com
otn.dsparking.com
weusecoins.com

These are the domains I visited from last week which I don't instantly trust. Some of them are well-known btc/ltc services...
Though my blockchain wallet wasn't touched and I still have my 0.0000105 btc (!) but I lost access to my btc-e account ..
Could one of these install a keylogger on my computer? I don't think so.
Edit: Also, I'd like to include that I use the LastPass autofill feature to login, I don't think a normal keylogger could log LastPass logins.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: 🏰 TradeFortress 🏰 on April 11, 2013, 11:27:48 AM
Would have to be XSS [or other malware].


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 11, 2013, 11:32:22 AM
BINGO!  You caught a javascript keylogger, or a script that performed a cross site scripting attack, pulled your wallet out of the jscript running while you had blockchain.info open in another tab.
I guess if it was a script, after reloading the OS and clearing the browser cache it must be gone?


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: uMMcQxCWELNzkt on April 11, 2013, 11:38:23 AM
Perhaps it is also possible that you visited a cloned website with a slightly different Domain? This kind of scam happens all the time with Paypal and even student loan websites.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 11, 2013, 11:56:11 AM
No, sure it was original site.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: whiskers75 on April 11, 2013, 12:05:25 PM
Yes, I can confirm being hacked. Well, I have 0.1 BTC in Pyramining, so I just need to hit the owner up for that.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: Logik on April 11, 2013, 12:14:44 PM
Nobody has their password 'hacked'. You get exploited through a 0 day through Java or Flash in your browser, or through a file download, and then the program just sits and waits.

- Never re-use your blockchain password for anything else. That's just silly.

- Enable 'click to play' on all browser plugins. There is no pure JavaScript exploit, only browser plugin exploits. Enable browser plugins by default = you're hacked

- Enable one time password 2 factor auth to your PHONE. Not your @#$% email. That's completely redundant. If someone has access to your machine then they have access to the email. No 2 factor to your phone = you're hacked.

If anyone is hit by this then the malware is still going to be on your computer so you need to nuke it from orbit or buy a new computer.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: Logik on April 11, 2013, 12:16:55 PM
An XSS attack on Blockchain.info is possible but would be WAY more serious and so bad to the point of me thinking it shouldn't be possible.

The only other possibility is a compromised browser extension (chrome app) but it's slightly far fetched.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 11, 2013, 12:18:20 PM
You get exploited through a 0 day through Java or Flash in your browser
Flash and java were disabled.
- Never re-use your blockchain password for anything else. That's just silly.
Password was unique.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: 🏰 TradeFortress 🏰 on April 11, 2013, 12:18:29 PM
An XSS attack on Blockchain.info is possible but would be WAY more serious and so bad to the point of me thinking it shouldn't be possible.

The only other possibility is a compromised browser extension (chrome app) but it's slightly far fetched.
Pretty sure it's Java now.

hmm? Were notifications enabled?


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: JJJJust on April 11, 2013, 12:30:46 PM
I just recently (a week or so ago) wiped and reinstalled Debian, haven't logged into my blockchain wallet on my PC since then... and still got my fraction-of-a-coin swiped. Not sure I buy the XSS explanation.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 11, 2013, 12:43:45 PM
hmm? Were notifications enabled?
No, in my case the only security option was the password.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: casascius on April 11, 2013, 07:35:57 PM
I know someone personally whose blockchain.info funds ended up directly as a txin to this transaction, who wrote me an e-mail today complaining that his 4 or so BTC disappeared.

From the looks of the transaction, one of the txin's belongs directly to him, and none of the others are part of his wallet.  Funds went straight from his address directly into this combined transaction.  In other words it looks like his private key was stolen right out of his account, rather than someone sending funds directly from his account using the web UI.

I wonder if he had a weak password and the encrypted database of blockchain.info wallets has been compromised?  Normally with a keylogger you'd expect somebody to go and log into accounts one by one and steal funds by hand as the accounts are discovered.  The fact that this is a huge combined transaction suggests to me something more sophisticated than that!

EDIT/FOLLOWUP:  I asked him if he would be willing to share his password with me for me to assess its strength against brute force hacking.  His password was 14 characters but, in my opinion, would have been vulnerable to a dictionary attack.  Makes me think somebody out there might have stolen encrypted wallets and is bruteforcing passwords.

ALSO: I have a small amount of coin in a BlockChain wallet with a deliberately weak password.  I don't have the wallet identifier handy, but will soon.  Will be able to check.  It's a wallet I don't use much, so if it's still safe, it could indicate keylogger is more likely than database breach.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 11, 2013, 08:05:24 PM
The fact that this is a huge combined transaction suggests to me something more sophisticated than that!
I agree, hacker definitely stole privkeys from blockchain addresses and used them to combine theft in one transaction.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: MWNinja on April 12, 2013, 01:22:32 AM
Did the ones that got hacked have an easily guessed alias?  Dictionary attack on aliases would give an attacker a bunch of encrypted wallets to offline brute force.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: zkay on April 12, 2013, 01:31:46 AM
Not sure if it's related but I keep getting texts with my current OTP login code for blockchain when I'm at work or otherwise not even accessing the site. Typically it will only send those when it sees someone trying to access your login credentials.

Has anyone with 2FA been compromised?


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: casascius on April 12, 2013, 05:24:10 AM
I use BlockChain.info all the time but my advice is:  Keep Bitcoins On Paper Wallets!

Blockchain.info is great for transacting, but I simply don't trust web wallets.  For trivial ad-hoc stuff, I will import a paper wallet, do my business, and send any change back to another paper wallet.  Nothing against BlockChain.info, in fact I like that they make it so convenient to do what I want to do the way I want to do it (such as scanning bitcoin addresses thru webcam)... it's just... in my view, insane to leave bitcoins you want to keep, on a web wallet.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: starik69 on April 12, 2013, 08:24:33 AM
Did the ones that got hacked have an easily guessed alias? 
My alias was same as BTC-e nickname.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: Mike Hearn on April 12, 2013, 09:01:35 AM
My understanding is that blockchain.info will vend your (encrypted) wallet given only a username. Because it uses JavaScript for all its crypto and JavaScript is very slow, the KDF is 10 rounds of SHA1 which is extremely weak.

If my understanding is correct this means anyone who can guess usernames (not passwords) can brute force the encryption, potentially at very high speeds using their GPUs. I haven't seen any software that can do that and don't know enough about GPU programming to know if it's easy to check the resulting keys for correctness, but certainly the KDF in use is not any obstacle to brute forcing. And unfortunately it cannot be, because the nature of blockchain.info is it runs entirely within the browser.

If you have an (unhacked) b.i account, I'd suggest downloading the current beta/snapshot release of MultiBit (0.5.9), creating a new wallet, encrypting it and then sending your money to it. Don't import your b.i wallet for obvious reasons, you'd need to move the money with a real transaction. MultiBit is using a very high number of scrypt iterations that should be a lot more robust against brute forcing.
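
Added example (not part of the post above, and not blockchain.info's or MultiBit's code): a Python sketch that measures the per-guess cost of a 10-round SHA-1 KDF against scrypt and translates it into exhaustion time for two passphrase shapes discussed in this thread. Modelling the "10 rounds of SHA1" as PBKDF2-HMAC-SHA1, the scrypt parameters, and the 2000-word list size are assumptions.

```python
import hashlib
import math
import os
import time

# Assumption: the "10 rounds of SHA1" in the post is modelled as PBKDF2-HMAC-SHA1
# with 10 iterations; the site's exact construction is not given in the thread.
WEAK_ROUNDS = 10
# Assumption: illustrative scrypt cost parameters, not MultiBit's actual settings.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024)


def weak_kdf(password: bytes, salt: bytes) -> bytes:
    """Cheap key derivation: almost no work per password guess."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, WEAK_ROUNDS, dklen=32)


def scrypt_kdf(password: bytes, salt: bytes) -> bytes:
    """Memory-hard key derivation: each guess costs CPU time and about 16 MiB of RAM."""
    return hashlib.scrypt(password, salt=salt, dklen=32, **SCRYPT)


def seconds_per_guess(kdf, trials: int) -> float:
    """Average wall-clock cost of one key derivation on this machine (one core)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        kdf(b"constructed-guess-%d" % i, salt)
    return (time.perf_counter() - start) / trials


def search_space_bits(choices_per_position: int, positions: int) -> float:
    """log2 of the candidate count when each position is chosen independently."""
    return positions * math.log2(choices_per_position)


def days_to_exhaust(bits: float, cost_per_guess: float) -> float:
    """Days for one core to try every candidate at the given cost per guess."""
    return (2.0 ** bits) * cost_per_guess / 86400.0


def report():
    """Return (kdf, passphrase shape, bits, days) rows for the constructed cases."""
    costs = {
        "SHA-1 x10": seconds_per_guess(weak_kdf, 2000),
        "scrypt": seconds_per_guess(scrypt_kdf, 5),
    }
    passphrases = {
        # Constructed cases: 3 words from a 2000-word list vs 15 random lowercase letters.
        "3 common words": search_space_bits(2000, 3),
        "15 random letters": search_space_bits(26, 15),
    }
    rows = []
    for kdf_name, cost in costs.items():
        for label, bits in passphrases.items():
            rows.append((kdf_name, label, round(bits, 1), days_to_exhaust(bits, cost)))
    return rows


if __name__ == "__main__":
    for kdf_name, label, bits, days in report():
        print(f"{kdf_name:10s} {label:18s} {bits:5.1f} bits  {days:.3g} days on one core")
```

The figures are single-core estimates; what matters is the ratio between the two KDF rows for the same passphrase, and how far a passphrase built from a few words falls below 15 random letters even though both are about 15 characters long.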


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: JJJJust on April 13, 2013, 02:56:26 PM
After my bitcents were stolen, I turned on logging in my account and didn't bother changing my password. Whatever happened, somehow, SOMEBODY managed to get my blockchain password and has been having a snoop through tor.

Today 01:03:15   get account settings   37.221.170.49   Mozilla/5.0
Today 00:06:41   get account settings   204.124.83.132   Mozilla/5.0
2013-04-12 21:43:37   get account settings   37.130.227.133   Mozilla/5.0


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: mikesheadroom on April 14, 2013, 01:49:54 PM
I was one of the initial victims.  Subsequently I ran multiple malware scans, changed my password, enabled two factor authentication on my Blockchain wallet and installed no script.  I just had my account emptied again.
Logging indicates it was through TOR.
Update:  At this point, I am just completely abandoning the wallet and no longer going to access my new wallet from the potentially compromised computer until a full system wipe is performed.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: HostFat on April 16, 2013, 03:15:22 PM
I hope to hear some news from piuk about this topic ...


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: zebedee on April 17, 2013, 10:49:17 PM
A friend of mine had 7 coins taken from her blockchain wallet.  Like others have reported, oddly the thief left 1 BTC behind.

  https://blockchain.info/tx/df97a2c8722d8980fe87d9696a1bc176cdb818a8fbac253b2c7a2dd315cf4393

I suspect her password was brute-forced, it wasn't particularly strong (but not stupidly easy either).

The facts:

  • Not logged on even once to blockchain.info since wallet was setup last October.  So it's not like the password was keylogged or anything like that.
  • Wallet backup was mailed to her yahoo.co.uk email last October.
  • No wallet alias was used.
  • The transaction that stole the coins returned the change to the original address.  This is typical blockchain.info behaviour.  So I'd guess the thief used blockchain.info to send the coins (rather than crafting their own transaction from the private key).

Does anything above match others' experiences with blockchain thefts?  How can the attacker get hold of the wallet URL?

My understanding is that to take coins, a thief needs both a wallet URL and the password.  What I don't understand is where they are getting the wallet URLs from.

I have only four ideas:

  • Either blockchain.info's database of encrypted wallets has been stolen, or
  • Her yahoo.co.uk email has been hacked, or
  • Someone inside yahoo that works with email there has been trawling for emailed blockchain URLs or backups
  • Web browser malware is searching bookmarks for wallet URLs (I've not yet confirmed she had a bookmark for it, I suspect she did)

Any ideas or other ways of pulling this off?


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: 🏰 TradeFortress 🏰 on April 18, 2013, 11:34:27 AM
Browser history check?

Does she have an alias set up?


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: lunarboy on April 18, 2013, 01:52:05 PM

I too have noticed several unauthorised attempts at my account and was wondering how this was possible?
I used to have a similar forum username to my blockchain.info account but have since changed it.

What is current advice? Should I also start a fresh and create a new account or is the change of account name and the creation of a new set of BTC addresses sufficient?

The Bitcoin ecosystem seems to be on a full scale war footing at the moment.  :o


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: zebedee on April 18, 2013, 02:18:07 PM
My friend had no browser bookmarks, and there is no blockchain url at all in her browser history.  So to get the URL one of the following must be true:

  • Her yahoo email is compromised
  • Yahoo have a crooked employee trawling email for URLs
  • blockchain.info has a crooked employee
  • blockchain.info's encrypted wallet database is out in the wild

I see no alternatives.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: crazy_rabbit on April 18, 2013, 02:58:56 PM
I think your friend's computer is hacked, not blockchain.info. If you read how their system works (and it's open source) they don't have a copy of your unencrypted wallet. They don't even have a copy of your password (hence if you lose it, you're screwed). The encrypted wallet sits on their server and then your computer decrypts it in the browser.

It's still possible to 'hack' this scenario, but from all angles it's 99.9% that the fault lies somehow with your friend's computer and not blockchain.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: zebedee on April 18, 2013, 03:19:15 PM
I think your friend's computer is hacked, not blockchain.info. If you read how their system works (and it's open source) they don't have a copy of your unencrypted wallet. They don't even have a copy of your password (hence if you lose it, you're screwed). The encrypted wallet sits on their server and then your computer decrypts it in the browser.

It's still possible to 'hack' this scenario, but from all angles it's 99.9% that the fault lies somehow with your friend's computer and not blockchain.
I think that's unlikely - the URL doesn't exist on her machine - not in browser history, no bookmark etc.  She's never visited it since setup over 6 months ago.  I think the URLs have been obtained somewhere else, likely blockchain.info itself.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: optimator on April 18, 2013, 03:55:44 PM
I hate to call it... But the pattern seems very obvious.

Blockchain.info is under a ddos attack - they are unsure how their server ip was leaked.
Multiple wallets with strong-ish passwords have funds disappear.
The funds disappear by access to the private key.

I'm not familiar with the exact workings of the blockchain wallet, but I would be very inclined to move the funds to a paper wallet for the near term until this is sorted out.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: crazy_rabbit on April 18, 2013, 07:39:40 PM
It's up and it's working fine. Before spreading FUD you should read the source code behind Blockchain's open source software. If they were truly "hacked" it means only the inconvenience of you having to load your wallet backup (You DO backup right?) into your own computer with your own client.

So it's not the end of the world by any means. Even in a total meltdown you still have your funds - and they don't. That's how it works.


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: ErebusBat on April 18, 2013, 10:14:30 PM
It's up and it's working fine. Before spreading FUD you should read the source code behind Blockchain's open source software. If they were truly "hacked" it means only the inconvenience of you having to load your wallet backup (You DO backup right?) into your own computer with your own client.

So it's not the end of the world by any means. Even in a total meltdown you still have your funds - and they don't. That's how it works.
+1


Title: Re: My (and i think some others) blockchain.info wallet was hacked
Post by: demzie on April 19, 2013, 05:29:28 AM
It's up and it's working fine. Before spreading FUD you should read the source code behind Blockchain's open source software. If they were truly "hacked" it means only the inconvenience of you having to load your wallet backup (You DO backup right?) into your own computer with your own client.

So it's not the end of the world by any means. Even in a total meltdown you still have your funds - and they don't. That's how it works.

+1