Bitcoin Forum

It appears someone got into my blockchain.info account and transferred coins out of it just a few minutes ago.

I have 2 factor enabled.  Was logged into btct and bitfunder at the time (but not blockchain.info)

Any help would be appreciated.

https://blockchain.info/tx/1174e27cd6de043ec081a68b52f455ba1548f35949c2ba2ddd3abc60f5a29840

Help?
Just ask blockchain.info for ip or any info they may have

Looks like someone got backup copy of your wallet, from your email.. maybe?

I do have the blockchain info wallet backup sent to my email.  Even if they had this, would they be able to extract the private keys?  I still had 2FA on. 

Yes they can empty your wallet without doing login on blockchain.info wallet by importing your backup wallet into any client that supports it.

Ok, assuming they didn't get into my backup wallet file, what other security holes might I have?

Your pc might be infected. Download malwarebyets (http://www.malwarebytes.org) and scan it .
But still it's not easy to bypass 2factor authentication.

Ps: It was email based  2Factor authentication or device/cellphone based?

Email one is useless if your pc got infected or someone got your emails password.

2 Factor was on my cellphone.  I'm on a mac. 

Then there is no other way to steal coins except getting wallet backup from your mail.

I am a big advocate of paper wallets.  I have never heard of anyone having a single bitcoin stolen from a paper wallet.  Print at bitaddress.org.

I am sorry to hear of your loss!

Hi Mike,
I do have Armory set up on an unconnected ubuntu laptop, and watching-only wallets on my machines connected to the internet.

Yes, it's an annoyance to lose the coins, but what I'm concerned about is understanding how this happened, because I thought things were pretty buttoned up. 

The coins were literally sitting in the online wallet for just a few hours, as well.

Given that I had 2FA on, was running on a mac, was logged out of the blockchain wallet at the time....

At this time, one theory is that someone got into my email and pulled the private key from a wallet backup file (possible, but not sure how likely that is).

Willing to hear other theories.

I sent an email to info@blockchain.info to get more info on the transaction.
   

If he got your backup wallet it's easy to import in electrum or blockchain.info https://blockchain.info/wallet/import-wallet and spend money.

but  main question is, how he hacked your mail?

Are you using some common/unsecure password or used same password on some other unknown/new website?

If you are using gmail, you can check ip address of recent logins.

its easy as shit to do, but he would have to know your blockchain.info account password, which he probably did if he was ablle to get into your account already.

just yesterday, i used an old wallet.aes.json backup to retrieve coins from my stolen laptop.

a little backstory: i made my first bitcoin wallet on blockchain.info, then exported the addresses to the bitcoin client on the laptop. the computer was stolen from my home last week. yesterday i found an old wallet back up and imported it into a new wallet at blockchain.info. it prompted me for the password to unencrypt the wallet, then for the secondary wallet password, then it asked me to prove i was human by solving a captcha, then bam i was at the login screeen ,where i logged into my new wallet and easily recovered the .4 btc that was in my bitcoin wallet on my laptop.

i'm sure the hacker did the exact same steps to steal your money.

I checked the ip address of recent logins.  Everything seems to be in order.

I don't have 2FA set in gmail, but my password is fairly strong.

So if it's not that, can it be some type of java browser exploit?

Did blockchain.info generate this key or was this a brain wallet?

I'm not seeing any unusual login activity to my gmail account so assuming that wasn't the case, I'm still a bit baffled how they could have gotten around the 2FA.

I'm pretty sure I was logged out.  But let's say I was still logged in to the browser.  What are the potential points of attack there?

It was generated by blockchain.info

Well grab a av that's available for mac and scan your pc, rats are available for mac too and blockchain.info stores a copy of wallet in your browser's storage .

E-mail travels around the internet unencrypted so anyone listening on a network connection where there's a chance of e-mail passing through is in a prime spot to steal wallets.

I am super paranoid about theft.  The only bitcoins I ever keep online are ones I plan to lose.

I use BlockChain.info myself sometimes, but the only thing I will do is import paper wallets, spend whatever I'm going to spend, and send the change to a fresh paper wallet, so my BlockChain balance is zero.  Their webcam QR code scanner makes paper wallets easy.  And this is only for small ad-hoc transactions.

If it's for any decent amount worth stealing, I will construct the transaction completely offline, get the raw hex for it, and then use a USB flash drive to introduce it to the network later (such as through Blockchain's handy https://blockchain.info/pushtx).  No sense in taking any chances.

This.  So much this.

So many people don't realize that nearly every email they send bounces around the internet completely unencrypted in plaintext for hackers to read.

If your password protecting your blockchain.info wallet was weak, then a hacker could capture it as it travels from blockchain.info to Google, and then check it against a rainbow table.  The 2 factor is only for logging into the website to receive the encrypted wallet.  Once they've got the wallet, they don't need the 2FA at all.

My best guess would be a password that exists in a rainbow table, but I suppose there are other possibilities.

Virus scans came up pretty clean ... one trojan Troj/JSRedir-BV

However, I did look back in my email history.  My last wallet backup was May 28th.

Also, I did get a few "Authorize log-in attempt" warnings emailed to me on July 15th and July 4th.

"An attempt to login to your blockchain.info wallet was made from an unknown browser. Please confirm the following details are correct:

Time: 2013-07-15 07:55:45
IP Address: 87.118.91.140 (Germany)
User Agent: Mozilla/5.0 "

The location does appear to match the location on the transaction in blockchain.info:
https://blockchain.info/tx/1174e27cd6de043ec081a68b52f455ba1548f35949c2ba2ddd3abc60f5a29840

I ignored the warning at the time, since I had 2FA on.

The stolen coins have now been moved.
https://blockchain.info/address/15B9RyqJGrJcqKmyMr8QUEocif9ATYuXBP

One trojan isn't pretty clean.

Depends. Whenever I do a virus scan I end up with dozens of OMFG messages. They are all Windows viruses and trojans from the 1990s, sitting in some piece of spam in my email archives that I didn't bother deleting 15 years ago. I consider that clean. *shrug*

Thanks for everyone's input on this.

The prevailing theory seems to be that the wallet backup file sent to gmail was compromised.

The only other fact is that I did have an unauthorized login attempt on my blockchain account a few weeks back.

How good was your wallet password?  Could you post a similar dummy password here?  Thanks.

8 letters and 2 numbers

Unlike access to a computer system or a website where the administrators can simply not accept logins more more than once every two seconds and slow down brute force hacks, if someone has your wallet, they can sit there all day running automated scripts against it.

Someone using a desktop PC could get an 8 letter, 2 number password in a few days. Someone with more substantial processing power? A couple hours. The NSA? Probably less than a second.

My life became much easier when I abandoned memorizing passwords and started using a password manager. I no longer have passwords shorter than 17 characters, and most of them are between 23 and 60 characters long. All with mixed case, variable quantities of numerals and punctuation, and wherever the systems allow it I include characters from multiple languages in the high unicode registers.

&}vbrشJh7ç1SφH@NmMfIu/^Cyf4""Auzpה=)XЯQ7v«6AZ0zhɣ

…isn't a half bad password, except that now it's been posted to a public forum.

Edit to add: https://howsecureismypassword.net/ (https://howsecureismypassword.net/) is a fun place to test out combinations. Best not to put actual passwords in there, of course. According to that site, the above password would take a desktop PC 74 untrigintillion years to crack. Frankly, I'd have to look up what an untrigintillion is but I think it involves a whole mess of zeroes.

How does the wallet backup work?  Is it encrypted with that 8 letter 2 number password?  What hash does it use?  Post the hash of your password and I bet someone finds it in a lookup table.

PS If you know where to download these premade private key hash lookup tables send me a PM -- I'm curious to look at one.

PM'd

Some search results for Troj/JSRedir-BV:
https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~JSRedir-BV/detailed-analysis.aspx
http://www.pc1news.com/news/1512/ebay-spam.html

Looks like something that appeared back in 2010.
My guess is that you accessed some page with malicious javascript embedded, and somehow the thing managed to stay in memory until your next login to blockchain.info, where attackers could get the password and the encrypted wallet. Or it may have been a trick using iframes, not so sure if that's possible and how it works.
Malware that replaces the JS files executed by the browser when on the blockchain.info wallet could also do it (since the thing runs on lots of JS), but from what I remember blockchain.info implements file signature checking to prevent tampering (or am I confusing with a browser extension that actually does that?).
Or you simply got tricked into logging in to a blockchain.info site that wasn't actually the true one... but that wouldn't get them the encrypted wallet, and your username and password alone wouldn't be enough because of the two factor auth thing.

A lot of phishing has been going on recently, perhaps you were a victim?

It looks like it's AES encrypted -- I bet your password was already in a table somewhere.

Yes it's AES encrypted.  If you could PM me a table location, I can do a lookup.

I've never actually found one, I should go searching one of these days.

Many reports on hacked macs today. I doubt your mail was compromised.