Bitcoin Forum
  Show Posts
301  Other / Beginners & Help / Re: If your Mt. Gox account has been compromised, PLEASE READ. on: June 21, 2011, 07:06:27 AM
Thank you all for the info!

Please keep posting the details if you were hacked.
Bitcoin transactions can be tracked since one cannot send bitcoins from a different address than the address used to receive them.

What if we would build a database with all the addresses to which stolen bitcoins were transferred, and not accept transactions from these addresses?

A community-driven www.bitcoincop.com?

If none of us would accept transactions with "tainted" addresses in the chain, stealing coins would become pointless.
This has been suggested before, and not a good idea as it can never be voluntary.

If you make a 'voluntary' system of blacklisting coins, that means you indirectly force EVERYONE to adhere to that system, because otherwise you may accept coins that you cannot spend anywhere later.
Not to mention how coins get mixed up in exchanges etc.
302  Bitcoin / Bitcoin Discussion / Re: all my coins gone today, sucks on: June 21, 2011, 05:57:03 AM
Sorry to hear this.

But people, how many times were you advised on this forum to consider counterparty risks, trust no one, encrypt your wallet and hang on to it?

Leaving 100k USD worth of bitcoins on some amateurish website... I am speechless...


The 4000 bitcoins were not from one account. It seems to have been the total of funds that was collected altogether, from all MyBitcoin accounts that were reusing passwords.

Which again raises the question why. The. Fuck. This. Wasn't. Detected.
303  Bitcoin / Bitcoin Discussion / Re: all my coins gone today, sucks on: June 21, 2011, 05:43:46 AM

You were not the only one. It seems one person cleaned out all of MyBitcoin (at least the accounts that reused passwords) and gained 4k in the process.

4000 BTC or $4000 USD?

Please tell me it wasn't really all of your coins. I can't make out what that address is doing. It looks like it had thousands in it, were they all yours?

4000BTC. That address it went to is the collection address of all of the stolen Bitcoins - it seems someone wrote a script to automatically logon to all MyBitcoin accounts with known passwords, and withdraw all coins to the same address.

Why this was not caught by MyBitcoin as being potential stealing, is beyond me.
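Added example, not part of the original posts and not MyBitcoin's code: one way a service could flag the pattern described above, where many distinct accounts withdraw to a single address within a short time. The log format, addresses, thresholds and function names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample withdrawal log (not real data):
# timestamp, account, destination address (placeholder), amount in BTC
SAMPLE_LOG = """\
2011-06-20T03:00:05Z alice 1CollectExampleAddr 12.50
2011-06-20T03:00:41Z bob   1CollectExampleAddr 3.00
2011-06-20T03:01:10Z carol 1CollectExampleAddr 40.00
2011-06-20T03:01:12Z dave  1DaveOwnExampleAddr 1.00
2011-06-20T03:02:30Z erin  1CollectExampleAddr 0.75
2011-06-20T09:15:00Z dave  1DaveOwnExampleAddr 2.00
2011-06-20T09:16:00Z dave  1DaveOwnExampleAddr 2.00
2011-06-20T04:00:00Z frank 1SharedExampleAddr  5.00
2011-06-21T04:00:00Z grace 1SharedExampleAddr  5.00
2011-06-22T04:00:00Z heidi 1SharedExampleAddr  5.00
"""


def parse(line):
    """Split one log line into (timestamp, account, destination, amount)."""
    ts, account, dest, amount = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, dest, float(amount)


def fan_in_alerts(lines, window=timedelta(minutes=30), min_accounts=3):
    """Flag destinations that receive withdrawals from at least `min_accounts`
    distinct accounts within `window`. Once a destination is flagged, every
    further withdrawal to it is listed under "held" for manual review."""
    recent = defaultdict(deque)  # destination -> (timestamp, account) inside the window
    alerts = {}
    for ts, account, dest, amount in sorted(parse(l) for l in lines if l.strip()):
        q = recent[dest]
        q.append((ts, account))
        # Drop events that have aged out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        distinct = {a for _, a in q}
        if dest in alerts or len(distinct) >= min_accounts:
            alert = alerts.setdefault(dest, {"accounts": set(), "held": []})
            alert["accounts"] |= distinct
            alert["held"].append((account, amount))
    return alerts


if __name__ == "__main__":
    for dest, alert in fan_in_alerts(SAMPLE_LOG.splitlines()).items():
        print(dest, sorted(alert["accounts"]), alert["held"])
```

Repeated withdrawals by one account to its own address, and a shared address used by different accounts days apart, stay below the threshold in this sample.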
304  Bitcoin / Bitcoin Discussion / Re: all my coins gone today, sucks on: June 21, 2011, 05:14:30 AM
You were not the only one. It seems one person cleaned out all of MyBitcoin (at least the accounts that reused passwords) and gained 4k in the process.
305  Bitcoin / Bitcoin Discussion / Re: [Full Disclosure] More likely MtGox Post-Mortem on: June 21, 2011, 05:06:25 AM
I told you so...
306  Bitcoin / Project Development / [PHP] BlockExplorer Track following script on: June 21, 2011, 04:19:07 AM
Posting this for a friend... he does not have sufficient posts to post in here yet.

It basically searches back through the blockchain (using Block Explorer) to find the earliest trace of an address (by following the first address link on every page).

Code:
<?php
/*
            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
                    Version 2, December 2004 

         Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>

 Everyone is permitted to copy and distribute verbatim or modified 
 copies of this license document, and changing it is allowed as long 
 as the name is changed. 

            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 

  0. You just DO WHAT THE FUCK YOU WANT TO. 
*/

/* This program is free software. It comes without any warranty, to
 * the extent permitted by applicable law. You can redistribute it
 * and/or modify it under the terms of the Do What The Fuck You Want
 * To Public License, Version 2, as published by Sam Hocevar. See
 * http://sam.zoy.org/wtfpl/COPYING for more details. */

/* Questions? ask Skullby <skullby@hush.com> */

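error_reporting(0);
ini_set('display_errors', 'Off');

//$startHash = "166inTrZD3G9SMKRcsaRnvFcCbeSrKoyxL";
$startHash = "18ukPi1oAcLau91YfpTkXY1EuZrYxZyUBx"; // a hash I found, and wanted to trace backward in time. :)

getNext($startHash);

// Fetch the Block Explorer page for $hash, print the first address linked
// after the "Received: Address" header, and recurse into that address.
function getNext($hash) {
    if ($hash == "") {
        echo "\ndone\n";
        die;
    }

    $handle = fopen("http://blockexplorer.com/address/" . $hash, "r");
    if ($handle === false) {
        // fopen() returns false on failure; feof(false) would never report end-of-file.
        echo "\nfetch failed\n";
        die;
    }
    $contents = '';
    while (!feof($handle)) {
        $contents .= fread($handle, 8192);
    }
    fclose($handle);

    // split() was removed in PHP 7; explode() does the same for a literal delimiter.
    $lines = explode("\n", $contents);
    $found = 0; // set once the "Received: Address" column header has been seen

    foreach ($lines as $key => $line) {
        if ($line == "<td>Received: Address</td>") {
            $found = 1;
        }

        if ($found == 1 && strstr($line, "<li><a href=")) {
            preg_match('/<li><a href="\/address\/(.*)">/', $line, $matches);
            echo $matches[1] . "\n";
            sleep(2); // pause between requests to Block Explorer
            getNext($matches[1]);
        }
    }
}
?>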
307  Bitcoin / Bitcoin Discussion / Re: What mtgox number are you? (from DB leak) on: June 21, 2011, 02:41:13 AM
well ... i know companies that don't give sequential numbers starting at 1 just to hide real numbers.
You mean companies that care about their customers and don't use amateur college-level PHP coding full of security holes?

Is that message implying that PHP is insecure, or am I misreading it?

PS: College-level? I was 13 and I released a perfectly secure Club Penguin Private Server, with multi-pass SHA256... :P

PPS: Don't do the above unless you like angry Disney lawyers
I'm saying (current) college-level PHP coding is unsecure. It's a curse of the software industry, that nobody adds security unless it's been proven to be required. Usually the proof of requirement is pretty damaging. I suppose the quality level of mtgox coding is on par with their ability on html/css/graphic output.

Does nobody consider that some (PHP/Web) CMS projects have millions of lines of code and years of user testing on millions of installations and still identify and fix security holes? And people never use those (in this community), instead they cowboy-code their own low complexity implementations?

True but there is a cost to everything. Not everyone can afford to hire 15 php master coders with 20+ years experience and PHDs in computer science, ya know!
You don't realize how many fees Mt. Gox has been raking in?
308  Other / Beginners & Help / Re: If your Mt. Gox account has been compromised, PLEASE READ. on: June 21, 2011, 01:28:27 AM
I don't know if I've lost anything, because I can no longer access my mybitcoin.com account. They have a notice up saying that if your user name and email were the same as one found in the MtGox leak they reset your password, and "We will send you a new one to your email address".

Haven't got it.

Ironically I had already reset my password in response to this mess.

So, am I out my 3.0 BTC?

'Cuz I'm pretty poor right now, and ~50 bux would have been quite useful.
Try contacting MyBitcoin about it from the email that is registered to your account.

309  Other / Beginners & Help / Re: Since Mt.Gox failed anyone going to TradeHill with me? on: June 20, 2011, 04:41:19 AM
While I have to give them credit for responding to the Mt. Gox leak this quickly, there is no way for people that do not work for Tradehill to review the code.

Unless there is some form of insurance against lost funds, I believe it is a bad idea to use a closed-source exchange platform, as there is no way to check if it is REALLY safe, and no guaranteed refund if it turns out to not be safe.
Open source is a double-edged sword.  On the one hand, it lets people review the code to make sure it is secure.  On the other hand, it can help hackers find vulnerabilities that they can exploit in the future.

Some things are best left hidden...
Absolutely not. Security through obscurity is the worst possible security model there is, *especially* for something like Bitcoin. Vulnerabilities will be found, regardless of whether your code is open or not. Yes, it may be easier to find them if it is open-source, but seeing as there is a financial incentive in breaking into an exchange... it being harder to find vulnerabilities will stop "friendly pentesters", but it will not stop people trying to break the system for personal gain.

While I have to give them credit for responding to the Mt. Gox leak this quickly, there is no way for people that do not work for Tradehill to review the code.

Unless there is some form of insurance against lost funds, I believe it is a bad idea to use a closed-source exchange platform, as there is no way to check if it is REALLY safe, and no guaranteed refund if it turns out to not be safe.

Which exchange would you recommend people use?
Britcoin uses an open-source platform, and I believe there is at least one other exchange using this platform. I am not exactly sure which, this can probably be found on the wiki.
310  Other / Beginners & Help / Re: Since Mt.Gox failed anyone going to TradeHill with me? on: June 20, 2011, 01:41:03 AM
While I have to give them credit for responding to the Mt. Gox leak this quickly, there is no way for people that do not work for Tradehill to review the code.

Unless there is some form of insurance against lost funds, I believe it is a bad idea to use a closed-source exchange platform, as there is no way to check if it is REALLY safe, and no guaranteed refund if it turns out to not be safe.
311  Other / Beginners & Help / Re: If your Mt. Gox account has been compromised, PLEASE READ. on: June 20, 2011, 01:38:47 AM
I got a gmail notification about account security compromised, meaning someone attempted to password guess their way through google, meaning my shit was in the leak.

Thankfully I use a different password for erryting.
I believe a Bitcoin community member that is working for / related to Google, has flagged all the Gmail accounts in the leaked database, to prevent breakins.
312  Bitcoin / Bitcoin Discussion / Re: MtGox UPDATE on: June 20, 2011, 01:34:40 AM
And what about the users who had their accounts compromised in the past few weeks or so?

Many were trolls who lied, IMO.
A password hash does not allow you to login. The mysterious big account might have had a virus/key-logger on his PC.
I have had $200 vanish from my account. I have turned my PC upside down, including manual analysis and found no malware of any kind. I had a 20 character alphanumeric mixed case KeePass-generated random password. I was not a victim of the CSRF exploit as I could not reach the Mt. Gox site (thus wasn't logged in) at the moment the funds were stolen. Someone could easily break such a password by using a service like Amazon AWS - and it would actually pay off as you are trying to compromise accounts on a financial service that holds money. Not to mention that miners have hardware that is specifically suited for hashcracking.

Now tell me with a straight face that this was not related to the database leak.

Lol at a guy who is in LulzSec complaining on here about losing $200.

To be honest I think you have bigger things to worry about than losing $200 Sven. You losing your money has given me much Lulz! I suppose you must approve of that! There will also be much Lulz when you are arrested by your local police force. :)

http://lulzsecexposed.blogspot.com/2011/06/joepie-doxed.html
Yes, because everything you read on the internet is absolutely and completely true. Do some research before you claim things. I am not a part of Lulzsec, and I'm not involved in what they do. If you had actually read a bit *more* than just one single blog, you would have found that the supposed "Lulzsec channel" was not actually a Lulzsec channel, and that the dox and/or information on that site are grossly inaccurate (Barrett Brown a part of Lulzsec? REALLY?)

Get a clue before you shout.

I've read more than that blog, and I realise the logs weren't from the LulzSec channel. However, the logs show you assisting them, no matter what channel it's from. The dox on there might be bullshit (other than yours) but the logs are genuine, regardless of the channel. You might not be in the main crew, but you're in deep with those fucks.

You're a disgusting little cunt and I'm glad you've got even a tiny portion of what's coming for you. Your buddy Sabu hit the FBI. Do you know what that means? He's going to get caught. As soon as they catch him, the Americans are going to try and extradite you under RICO laws. You've been seen on IRC handling their money and the Blockchain will confirm this. Under RICO legislation, that's enough to make you complicit.

You better hope and pray that the Dutch government doesn't roll over and extradite you. Either way you've got a tough autumn and winter coming up. You've bitten off more than you can chew here, son. I'd be very, very scared if I was you.
Assuming, assuming, and more assuming. It would be nice if you kept assumptions, personal attacks, insults, and fearmongering (oh, how original) off these threads, and actually focus on doing something constructive.
313  Bitcoin / Bitcoin Discussion / Re: Place your bets: the price of bitcoin after Mt.gox opens on: June 20, 2011, 12:05:38 AM
19.1
314  Bitcoin / Bitcoin Discussion / Re: MtGox UPDATE on: June 19, 2011, 11:59:21 PM
And what about the users who had their accounts compromised in the past few weeks or so?

Many were trolls who lied, IMO.
A password hash does not allow you to login. The mysterious big account might have had a virus/key-logger on his PC.
I have had $200 vanish from my account. I have turned my PC upside down, including manual analysis and found no malware of any kind. I had a 20 character alphanumeric mixed case KeePass-generated random password. I was not a victim of the CSRF exploit as I could not reach the Mt. Gox site (thus wasn't logged in) at the moment the funds were stolen. Someone could easily break such a password by using a service like Amazon AWS - and it would actually pay off as you are trying to compromise accounts on a financial service that holds money. Not to mention that miners have hardware that is specifically suited for hashcracking.

Now tell me with a straight face that this was not related to the database leak.

Lol at a guy who is in LulzSec complaining on here about losing $200.

To be honest I think you have bigger things to worry about than losing $200 Sven. You losing your money has given me much Lulz! I suppose you must approve of that! There will also be much Lulz when you are arrested by your local police force. :)

http://lulzsecexposed.blogspot.com/2011/06/joepie-doxed.html
Yes, because everything you read on the internet is absolutely and completely true. Do some research before you claim things. I am not a part of Lulzsec, and I'm not involved in what they do. If you had actually read a bit *more* than just one single blog, you would have found that the supposed "Lulzsec channel" was not actually a Lulzsec channel, and that the dox and/or information on that site are grossly inaccurate (Barrett Brown a part of Lulzsec? REALLY?)

Get a clue before you shout.
315  Bitcoin / Bitcoin Discussion / Re: What mtgox number are you? (from DB leak) on: June 19, 2011, 10:45:18 PM
2503.
316  Bitcoin / Bitcoin Discussion / Re: MtGox UPDATE on: June 19, 2011, 10:38:20 PM
And what about the users who had their accounts compromised in the past few weeks or so?

Many were trolls who lied, IMO.
A password hash does not allow you to login. The mysterious big account might have had a virus/key-logger on his PC.
I have had $200 vanish from my account. I have turned my PC upside down, including manual analysis and found no malware of any kind. I had a 20 character alphanumeric mixed case KeePass-generated random password. I was not a victim of the CSRF exploit as I could not reach the Mt. Gox site (thus wasn't logged in) at the moment the funds were stolen. Someone could easily break such a password by using a service like Amazon AWS - and it would actually pay off as you are trying to compromise accounts on a financial service that holds money. Not to mention that miners have hardware that is specifically suited for hashcracking.

Now tell me with a straight face that this was not related to the database leak.


Maybe I was mistaken, and sorry about your loss of money.
I wish I knew you in the real world, so then I'd know for certain your story is true.
I'm fairly easy to verify as being a real person. Google knows all etc.
317  Other / Beginners & Help / Re: If your Mt. Gox account has been compromised, PLEASE READ. on: June 19, 2011, 10:31:09 PM
Screw MtGox, moving my money to Tradehill.  Used code TH-R15720 when signing up to get reduced fees.
How do you know Tradehill is any more secure than Mt. Gox?

Quite a lot of people using this opportunity to have people flock to Tradehill (which has no guarantees of being secure either), conveniently including a referral code (which smells a lot like referral spamming.)
318  Bitcoin / Bitcoin Discussion / Re: MtGox UPDATE on: June 19, 2011, 09:59:05 PM
And what about the users who had their accounts compromised in the past few weeks or so?

Many were trolls who lied, IMO.
A password hash does not allow you to login. The mysterious big account might have had a virus/key-logger on his PC.
I have had $200 vanish from my account. I have turned my PC upside down, including manual analysis and found no malware of any kind. I had a 20 character alphanumeric mixed case KeePass-generated random password. I was not a victim of the CSRF exploit as I could not reach the Mt. Gox site (thus wasn't logged in) at the moment the funds were stolen. Someone could easily break such a password by using a service like Amazon AWS - and it would actually pay off as you are trying to compromise accounts on a financial service that holds money. Not to mention that miners have hardware that is specifically suited for hashcracking.

Now tell me with a straight face that this was not related to the database leak.
319  Bitcoin / Bitcoin Discussion / Re: MtGox UPDATE on: June 19, 2011, 09:47:11 PM
And what about the users who had their accounts compromised in the past few weeks or so?
320  Other / Beginners & Help / Re: If your Mt. Gox account has been compromised, PLEASE READ. on: June 19, 2011, 09:24:25 PM
Update: Mt. Gox was compromised, the database of users was released. I believe the thread here was removed, but many people will probably be able to verify it.

Change your passwords now.

I told you so

As I said, there is no use to change your password if it will be hacked again.

What just happened is just not serious. It's such a fucking joke I can't believe it.

I would recommend to get out of there and go somewhere else.

If those people can not secure their web server, they should be responsible for it and assume the consequences.
I was not just talking about Mt. Gox password, but passwords everywhere. Judging from the few passwords that were posted (cracked) on Pastebin as well, a lot of people are reusing passwords.


Hey hey…

I believe people at MTGOX are little stupid kids.

Do not change your password.

Just delete your damn MT GOX account and go find a more trustworthy site.

I've just downloaded that CSV file with all the information, I can't believe it.

Mt GOX IS NOT SECURE.

Mt Gox is a fucking security hole and you'd better get out of there quick.

For instance, try Trade Hill.
Nice referral link spam, bro.

Also, personally I would advise people to use an exchange that runs on an open-source platform. Tradehill (and most other exchanges) are just yet another proprietary platform of which you have no guarantees regarding security. You can not look through the code (no one can, really), and will have to blindly believe that they can not be compromised.