dopamine (OP)
July 10, 2012, 02:00:27 AM
Looks like my account got compromised and I lost 65 bitcoins; I'm waiting for a reply. It was strange when I saw a request for a password reset when I didn't even request that. Knowing that something was up, I went home and looked at my email, and it said that a request for a withdrawal had occurred 24 mins ago, when I never requested any withdrawals. Now what?
Bitcoinica still has not given me 50% of my claim of 600 BTC INTERSANGO can go down with bitcoinica for abandoning customers Alberto Armandi is a SCAMMER
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
July 10, 2012, 02:03:26 AM
Change your e-mail password for starters...
Companies claiming they got hacked and lost your coins sound like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
dopamine (OP)
July 10, 2012, 02:34:31 AM
I changed the password on the email that is associated with that account, but whoa, I'm amazed how this happened. Thank god it wasn't more than 100 bitcoins. I will take more precautions and maybe format my PC and change all passwords. You can tell that bitcoins will be worth a lot more than 30 bucks just from the fact that people are out there trying to hijack accounts. Security of accounts and wallets needs to be in check, especially if the price of bitcoins becomes worth more than it is now....
kiba
Legendary
Offline
Activity: 980
Merit: 1020
July 10, 2012, 02:40:09 AM
Did it have 2 factor authentication?
dopamine (OP)
July 10, 2012, 02:43:19 AM
Yes it did, but I never enabled that feature, and I'm sad that I never used it.
pekv2
July 10, 2012, 04:12:36 AM
https://lastpass.com/
http://keepass.info/
And as always, I recommend using a strong password and never using the same password for 2 or more accounts. LastPass encrypts all your data on your PC or mobile device before LastPass sends it off to their servers, and only you hold the key (the "master password") to all your saved passwords, notes, etc. I find this addon/application the best, imo. With KeePass, everything is saved encrypted with one master password on your PC. No cloud servers or anything. If you use KeePass, back up your file in a TrueCrypt container file on a cloud server like Dropbox, or use Wuala, which encrypts data on your PC before it gets sent to Wuala's servers. These are techniques everyone should exercise.
kiba
Legendary
Offline
Activity: 980
Merit: 1020
July 10, 2012, 04:17:49 AM
> Yes it did, but I never enabled that feature, and I'm sad that I never used it.
You should!
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
July 10, 2012, 06:05:11 AM Last edit: July 14, 2012, 08:01:26 PM by Stephen Gornick
I'm starting to wonder if, instead of people's systems or e-mail accounts getting compromised, what is actually happening is that there is sniffing on the wire occurring.
Presumably you received an e-mail previously from BitDayTrade (e.g., the initial "confirm your account" message).
So let's say an evil admin at the hosting company where BitDayTrade sends e-mail from simply sniffs for email traffic (SMTP is sent in clear text) and harvests the account e-mail addresses.
Then, after giving sufficient time for the account to become funded, fires off a "recover password" action, which sends out an e-mail.
The admin sniffs the SMTP traffic and gets a link to reset the password. Login, withdraw, and done.
The sniffing is passive, so there would be little in the way of footprints.
The recover password action and eventual login can be done from Tor, so there's no trail.
Plausible?
Or better, why are Bitcoin business architects creating this security vulnerability or allowing it to persist? These links for regaining access to an account are like bearer instruments. Whoever has access to the link has access to the account and all funds it contains. Restricting withdrawal for at least a day after a password change should be standard practice, for one thing.
pekv2
July 10, 2012, 06:10:53 AM
> I'm starting to wonder if, instead of people's systems or e-mail accounts getting compromised, what is actually happening is that there is sniffing on the wire occurring.
> Presumably you received an e-mail previously from BitDayTrade (e.g., the initial "confirm your account" message).
> So let's say an evil admin at the hosting company where BitDayTrade sends e-mail from simply sniffs for email traffic (SMTP is sent in clear text) and harvests the account e-mail addresses.
> Then, after giving sufficient time for the account to become funded, fires off a "recover password" action, which sends out an e-mail.
> The admin sniffs the SMTP traffic and gets a link to reset the password. Login, withdraw, and done.
> The sniffing is passive, so there would be little in the way of footprints.
> The recover password action and eventual login can be done from Tor, so there's no trail.
> Plausible?
> Or better, why are Bitcoin business architects creating this security vulnerability or allowing it to persist? These links for regaining access to an account are like bearer instruments. Whoever has access to the link has access to the account and all funds it contains. Restricting withdrawal for at least a day after a password change should be standard practice, for one thing.
That is crazy if it is plausible. Quite frankly, it scares me when I read this.
John (John K.)
Global Troll-buster and
Legendary
Offline
Activity: 1288
Merit: 1227
Away on an extended break
July 10, 2012, 06:55:57 AM
Always use a multifactor login, and NEVER reuse passwords.
markm
Legendary
Offline
Activity: 3010
Merit: 1121
July 10, 2012, 07:47:19 AM
Financial sites don't actually send your password in cleartext in email, do they?
It seems pretty obvious that email is insecure; even if people ran their own mailservers in their own homes, it would still need to be encrypted while in transit to be usable for things like passwords.
Even for things like sending you a one-time change-your-password session code that will expire five minutes after being sent, it is insecure, since anyone who sniffs it along the way can also quite likely slow it down to prevent you from even receiving it until the five minutes have already expired.
-MarkM-
bitdaytrade
July 10, 2012, 12:20:43 PM
After a first audit, the server doesn't look under attack. Some users experienced password changes and, most likely, they are victims of individual attacks. As a security measure, double-check your computer with an updated antivirus, enable double factor authentication, and choose a different password for each site you use. We sent you a mail regarding the issue mentioned in this thread.
davout
Legendary
Offline
Activity: 1372
Merit: 1008
1davout
July 10, 2012, 12:30:35 PM
> After a first audit, the server doesn't look under attack. Some users experienced password changes and, most likely, they are victims of individual attacks. As a security measure, double-check your computer with an updated antivirus, enable double factor authentication, and choose a different password for each site you use. We sent you a mail regarding the issue mentioned in this thread.
While you're at it, you may want to fix your e-mail validation; it thinks my username+filter@gmail.com address isn't valid.
kiba
Legendary
Offline
Activity: 980
Merit: 1020
July 10, 2012, 12:55:06 PM
I just recently enabled 2-key factor authentication on all my online balance-bearing accounts. The big exception is operationfabulous, since they don't support 2 factor authentication.
pekv2
July 10, 2012, 02:15:02 PM
> I just recently enabled 2-key factor authentication on all my online balance-bearing accounts. The big exception is operationfabulous, since they don't support 2 factor authentication.
I think in a few hours I will look into the 2-key factor for GLBSE.
unclemantis
Member
Offline
Activity: 98
Merit: 10
(:firstbits => "1mantis")
July 10, 2012, 02:56:19 PM
https://lastpass.com/index.php
Use passwords with letters, numbers and special symbols. Generate passwords as long as the website you are signing up for can handle. I use generated passwords between 30 and 50 characters in size. Be sure to choose a master password that is easy for you to remember but hard to guess and brute force.
http://portableapps.com/apps/internet/google_chrome_portable/
Install this on a USB drive and install the Chrome plugin for LastPass. ONLY visit websites that are bitcoin related using this. This will minimize contamination of the host computer by leaving your browsing information and history on the USB drive.
https://store.yubico.com/store/catalog/product_info.php?products_id=25&osCsid=973cdb9a5d62ca6b5618b6408c1f9e2b
Get a 2 factor authentication device from above. This one works with LastPass. You get the Yubikey and a 1 year premium account with LastPass, which allows you a lot more features than the free version.
http://www.sandisk.com/products/usb-flash-drives/cruzer-glide-usb-flash-drive
Get an 8 gig stick. Walmart sells them for 10 bucks.
http://www.sandisk.com/misc/secure-access
Install and activate encryption on your USB drive. Use the software that comes with the USB drive or find one that suits you. Make sure it is PORTABLE and doesn't rely on the host computer.
https://www.bitaddress.org
Generate a paper wallet and store your savings there. Find more information on this forum regarding paper wallets. Create a brain wallet if you want, but store the bulk of coins you are not trading or spending offline. A SAVINGS IS A MUST. The value of Bitcoin is only going to go up, so be sure to save!
http://ecdsa.org/electrum/
Use a thin client on your USB drive and use a password to encrypt the private keys. Use this as your spending address. Do NOT use web wallets. Your private keys are stored on some servers.
These are all the tools I use and what I have learned over the past year. And above all.... TRUST NO ONE!
There is SOME trust you have to give, but be cautious, use your brain, do not assume. READ READ READ. Good luck in the future! What is your payment address? I don't have a lot of coin but I can shoot some your way. Someone was nice to toss me coin when I lost some of mine in a scam. I know how it feels!!!!! GOOD LUCK!
KajiMaster
Member
Offline
Activity: 76
Merit: 10
July 10, 2012, 03:02:59 PM
I think most business owners should add a PIN for withdrawing balances. It would be easy to add and would give extra security for the user.
-Kaji
bitdaytrade
July 10, 2012, 03:13:22 PM Last edit: July 10, 2012, 03:24:58 PM by bitdaytrade
> I'm starting to wonder if, instead of people's systems or e-mail accounts getting compromised, what is actually happening is that there is sniffing on the wire occurring.
> Presumably you received an e-mail previously from BitDayTrade (e.g., the initial "confirm your account" message).
> So let's say an evil admin at the hosting company where BitDayTrade sends e-mail from simply sniffs for email traffic (SMTP is sent in clear text) and harvests the account e-mail addresses.
> Then, after giving sufficient time for the account to become funded, fires off a "recover password" action, which sends out an e-mail.
> The admin sniffs the SMTP traffic and gets a link to reset the password. Login, withdraw, and done.
> The sniffing is passive, so there would be little in the way of footprints.
> The recover password action and eventual login can be done from Tor, so there's no trail.
> Plausible?
> Or better, why are Bitcoin business architects creating this security vulnerability or allowing it to persist? These links for regaining access to an account are like bearer instruments. Whoever has access to the link has access to the account and all funds it contains. Restricting withdrawal for at least a day after a password change should be standard practice, for one thing.
We've just deployed email notifications when a withdrawal is requested; the execution is not real-time and is postponed by default. This should give time to react to an unauthorized account access.
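What Stephen's "bearer instrument" observation and BitDayTrade's notify-and-postpone change amount to on the server side, as an added example that is not the exchange's code: reset tokens are short-lived, single-use and stored only as hashes, a completed reset starts a withdrawal hold, and every withdrawal is announced and deferred rather than executed at once. The durations, the Account fields and the reference time T0 are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values (not BitDayTrade's): short token lifetime, the thread's
# "at least a day" hold after a reset, and a default delay before execution.
RESET_TTL = timedelta(minutes=15)
WITHDRAWAL_HOLD_AFTER_RESET = timedelta(hours=24)
WITHDRAWAL_DELAY = timedelta(hours=2)
T0 = datetime(2012, 7, 10, 2, 0)  # constructed reference time for the demo

@dataclass
class Account:
    email: str
    reset_hash: Optional[str] = None       # only the hash of the token is stored
    reset_expires: Optional[datetime] = None
    hold_until: Optional[datetime] = None
    notifications: list = field(default_factory=list)
    pending: list = field(default_factory=list)

def request_reset(acct: Account, now: datetime) -> str:
    """Issue a single-use reset token; the caller e-mails it, the server keeps its hash."""
    token = secrets.token_urlsafe(32)
    acct.reset_hash = hashlib.sha256(token.encode()).hexdigest()
    acct.reset_expires = now + RESET_TTL
    acct.notifications.append(("reset-requested", now))
    return token

def complete_reset(acct: Account, token: str, now: datetime) -> bool:
    """Consume the token (expired or reused tokens fail); a success starts the hold."""
    if acct.reset_hash is None or now > acct.reset_expires:
        return False
    if not secrets.compare_digest(hashlib.sha256(token.encode()).hexdigest(), acct.reset_hash):
        return False
    acct.reset_hash = acct.reset_expires = None
    acct.hold_until = now + WITHDRAWAL_HOLD_AFTER_RESET
    acct.notifications.append(("password-changed", now))
    return True

def request_withdrawal(acct: Account, amount: float, now: datetime) -> Optional[datetime]:
    """Refuse while the post-reset hold is active; otherwise notify, queue and defer."""
    if acct.hold_until is not None and now < acct.hold_until:
        return None
    execute_at = now + WITHDRAWAL_DELAY
    acct.pending.append((amount, execute_at))
    acct.notifications.append(("withdrawal-requested", now))
    return execute_at
```

A stolen or sniffed reset link is useless after RESET_TTL or after one use, and even a successful reset cannot move funds for a day; the owner sees a notice at each step.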
dopamine (OP)
July 10, 2012, 03:33:22 PM
Yeah, still in shock that the site had a double login factor and I didn't use it, and my account got compromised and lost everything. Now I need to learn to back up a wallet for hardware failure and keep it offline, and need to buy more bitcoin. A password reset request should raise some questions. What is best practice to make sure your system is secure? Currently using CrunchBang for my laptop and Ubuntu on my main computer. 14T6m9frPvpSUNTRRNB8AVoJcxsqT8w5ae Thanks in advance if you feel like sending me some bitcoins, cheers.
bitdaytrade
July 10, 2012, 05:21:22 PM
> Yeah, still in shock that the site had a double login factor and I didn't use it, and my account got compromised and lost everything. Now I need to learn to back up a wallet for hardware failure and keep it offline, and need to buy more bitcoin. A password reset request should raise some questions. What is best practice to make sure your system is secure? Currently using CrunchBang for my laptop and Ubuntu on my main computer. 14T6m9frPvpSUNTRRNB8AVoJcxsqT8w5ae Thanks in advance if you feel like sending me some bitcoins, cheers.
Password reset alone is not a means to obtain unauthorized access to an account. Chances are that your email account was compromised. Our best practices encompass many security aspects. You can read more about it on our website. Email us for further questions. Thank you.