Bitcoin Forum
Author Topic: About the recent server compromise  (Read 15325 times)
Quickseller
Copper Member
Legendary
May 25, 2015, 03:12:39 PM
 #21

I would prefer a GPG signed message over a Twitter message for confirmation, however theymos did send out a GPG signed email advising to change your passwords when he last brought the forum online (the signature was good and was signed within minutes of the Google timestamp of this thread previously being created). The Google cache of this thread says that theymos had encrypted the DB to prevent a similar attack in the future. Your password should be considered to be compromised regardless.

I would personally avoid doing any kind of business on here until theymos can prove his identity. I would also suggest treating anyone you deal with to be an imposter until you can get either a GPG or bitcoin signed message to confirm their identity.
Thanks theymos for all the time/effort you put into this
What was the message of the email, since I can't find any email from Bitcointalk or Theymos.
Quote from: theymos via email
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

You are receiving this message because your email address is associated
with an account on bitcointalk.org. I regret to have to inform you that
some information about your account was obtained by an attacker who
successfully compromised the bitcointalk.org server. The following
information about your account was likely leaked:
 - Email address
 - Password hash
 - Last-used IP address and registration IP address
 - Secret question and a basic (not brute-force-resistant) hash of your
 secret answer
 - Various settings

You should immediately change your forum password and delete or change
your secret question. To do this, log into the forum, click "profile",
and then go to "account related settings".

If you used the same password on bitcointalk.org as on other sites, then
you should also immediately change your password on those other sites.
Also, if you had a secret question set, then you should assume that the
attacker now knows the answer to your secret question.

Your password was salted and hashed using sha256crypt with 7500 rounds.
This will slow down anyone trying to recover your password, but it will
not completely prevent it unless your password was extremely strong.

While nothing can ever be ruled out in these sorts of situations, I do
not believe that the attacker was able to collect any forum personal
messages.

I apologize for the inconvenience and for any trouble that this may cause.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlVhiGIACgkQxlVWk9q1keeUmgEAhGi8pTghxISo1feeXkUMhW3a
uKxLeOOkTQR5Zh7aGKoBAMEvYsGEBGt3hzInIh+k43XJjGYywSiPAal1KI7Arfs0
=bvuI
-----END PGP SIGNATURE-----
marcotheminer
Legendary
May 25, 2015, 03:12:44 PM
 #22

Why can't 1.5 million USD donated in bitcoin protect this forum from attack?
Is there any proof that the entire 1.5 million went into this forum & not into theymos' Caribbean Island retirement pot?
Wallet transactions etc?

We all wish there were.
dogie
Legendary
May 25, 2015, 03:14:28 PM
 #23

Passwords and secret questions can be changed here: https://bitcointalk.org/index.php?action=profile;sa=account.

Also
1) Is there any information on what the additional suspicion was?
2) Was there any content / PM rollbacks?

locopao
Legendary
May 25, 2015, 03:14:57 PM
 #24

Thanks theymos & bitcointalk staff for getting the forum back online.

Hope you get the m@therf@ckers and make them pay. In any way.
Check-0
Full Member
May 25, 2015, 03:15:23 PM
 #25

https://twitter.com/bitcointalk/status/602421967291985920 Huh  Undecided

Do not tempt me, for I am unbridled in my desires...
Do you want me to blow up all the stars, so that Tomorrow never comes..?
achow101_alt
Sr. Member
May 25, 2015, 03:15:40 PM
 #26

The attacker used the following IPs/email:
37.48.77.227
66.172.27.160
lopaz291@safe-mail.net

Seems Tor IP. Did he mail you anything? If yes, may we get to know the content?
What are you talking about? Neither IP address shows up as a Tor exit node.
That list is for the most recent list of exit nodes which updates every hour. I would suggest looking here: https://collector.torproject.org/formats.html#exit-lists for archived lists from the past few days to see if one of the IPs was an exit when the attack occurred.

Tip Me!: 1AQx99s7q1wVinbgXbA48BaZQVWpHe5gYM | My PGP Key: Fingerprint 0x17565732E08E5E41
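
The historical check suggested in the post above, as an added example that is not part of the original thread: it parses archived exit lists in the TorDNSEL format (`ExitNode` / `ExitAddress` records) and reports whether an address was measured as an exit close to a given time. The sample list, its documentation-range addresses and placeholder fingerprints, the event time and the function names are all constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample in the TorDNSEL exit-list format. Addresses come from
# documentation ranges and the fingerprints are placeholders, not real relays.
SAMPLE_EXIT_LIST = """\
@type tordnsel 1.0
Downloaded 2015-05-22 00:02:00
ExitNode AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Published 2015-05-21 10:02:12
LastStatus 2015-05-21 23:02:00
ExitAddress 192.0.2.10 2015-05-21 23:17:33
ExitNode BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Published 2015-05-19 08:00:00
LastStatus 2015-05-19 09:02:00
ExitAddress 198.51.100.7 2015-05-19 09:10:05
ExitAddress 198.51.100.8 2015-05-19 09:12:40
"""

def parse_exit_list(text):
    """Yield (fingerprint, ip, seen_at) for every ExitAddress record."""
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "ExitNode":
            fingerprint = parts[1]          # later ExitAddress lines belong to it
        elif len(parts) == 4 and parts[0] == "ExitAddress" and fingerprint:
            seen = datetime.strptime(parts[2] + " " + parts[3], FMT)
            yield fingerprint, parts[1], seen

def exit_hits(lists, ip, event_time, window=timedelta(hours=24)):
    """Return sorted (fingerprint, seen_at) pairs where `ip` was measured as an
    exit address within `window` of `event_time`, across all archived lists."""
    hits = set()                            # hourly archives repeat records
    for text in lists:
        for fp, addr, seen in parse_exit_list(text):
            if addr == ip and abs(seen - event_time) <= window:
                hits.add((fp, seen))
    return sorted(hits)

if __name__ == "__main__":
    event = datetime(2015, 5, 22, 0, 56, 0)     # constructed event time
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, exit_hits([SAMPLE_EXIT_LIST], ip, event))
```

An empty result only says the address is absent from the archives that were loaded for that window, so feed in every hourly list covering the period of interest before concluding it was not an exit.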
achow101_alt
Sr. Member
May 25, 2015, 03:18:00 PM
 #27

The tweet for those who didn't follow the link:
Quote
@bitcointalk Non-authoritative answer:
Name: http://bitcointalk.org
Address: 186.2.165.183 : this means attackers use DNS Poisoning ...
According to the OP, Theymos changed from his previous host NForce to another host because of suspicious activity. This would explain the IP change.

Edit: Found the quote:
Quote
To reduce downtime and avoid temporarily-broken features, I was originally going to stay in NFOrce's data center. However, some things made me suspicious and I moved everything elsewhere. That's where the extra day+ of downtime came from after a short period of uptime. No additional data was leaked.

Tip Me!: 1AQx99s7q1wVinbgXbA48BaZQVWpHe5gYM | My PGP Key: Fingerprint 0x17565732E08E5E41
seoincorporation
Legendary
May 25, 2015, 03:21:46 PM
 #28

It's great to have the forum back again, thx theymos.

The attack was weird because at last we don't know how he got access to the KVM...

I will give here some possible scenarios.

*Forum admins joined the forum from an insecure point and the forum was compromised.
*Attacker was on the same modem as the admins and made a man-in-the-middle attack.
*Attacker hacked the ISP provider before hacking the forum.
*There is a 0-day that only the attacker knows.

And maybe all those points are wrong... I think if we don't find the source of the problem, it is not fixed yet.

Lethn
Legendary
May 25, 2015, 03:22:27 PM
 #29

I realise this is a no-brainer for a lot of people, but you should never link your financial accounts and website passwords with ones you use on social networks and forums like this one. The only thing these guys are going to get from me are maybe a few passwords to my gaming stuff but that's it. I think because of how many times Bitcointalk keeps getting compromised it's probably wise to create a unique password just for this site, as it's probably going to keep happening the more Bitcoin grows.

There are clearly people out there that think they'll be able to get some from Bitcointalk or maybe this is more malicious than that and they're deliberately trying to bring the site down, either way, there shouldn't be anything sensitive on here and if there is people should move it fast.
erikalui
Legendary
May 25, 2015, 03:23:02 PM
 #30

Thanks theymos for the hard work. I changed my password but not my email ID as I'm not sure if I should do it as the pwd used on this forum wasn't used anywhere else fortunately. I've not received any phishing email except this one yesterday:


You are receiving this message because your email address is associated
with an account on bitcointalk.org.

-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlVhiGI..........................

I hope the above message is genuine.

niktitan132
Legendary
May 25, 2015, 03:24:24 PM
 #31

I have changed my password and secret questions. Hopefully there will be no downtime, again.

@Theymos When will the new forum be launched?  Grin
teddy5145
Hero Member
May 25, 2015, 03:24:36 PM
 #32

Thank you for keeping this site safe  Smiley
Maybe you could invest in some kind of better security in the future? Just in case something like this happens again,
and I'm still trying to figure out what's the motive of the attacker to attack this site  Undecided
Check-0
Full Member
May 25, 2015, 03:25:04 PM
 #33

The tweet for those who didn't follow the link:
Quote
@bitcointalk Non-authoritative answer:
Name: http://bitcointalk.org
Address: 186.2.165.183 : this means attackers use DNS Poisoning ...
According to the OP, Theymos changed from his previous host NForce to another host because of suspicious activity. This would explain the IP change.

Edit: Found the quote:
Quote
To reduce downtime and avoid temporarily-broken features, I was originally going to stay in NFOrce's data center. However, some things made me suspicious and I moved everything elsewhere. That's where the extra day+ of downtime came from after a short period of uptime. No additional data was leaked.

that IP was in Russia, where BTC is illegal
http://en.wikipedia.org/wiki/Legality_of_bitcoin_by_country
strange choice of hoster IMHO.

Do not tempt me, for I am unbridled in my desires...
Do you want me to blow up all the stars, so that Tomorrow never comes..?
BtcTalkAcct
Newbie
May 25, 2015, 03:26:12 PM
 #34

What is theymos's GPG key? Is it published somewhere official? I received the signed email but I can't find a verified source with the key.
RappelzReborn
Hero Member
May 25, 2015, 03:26:27 PM
 #35

Why can't 1.5 million USD donated in bitcoin protect this forum from attack?
Is there any proof that the entire 1.5 million went into this forum & not into theymos' Caribbean Island retirement pot?
Wallet transactions etc?

There is actually, here is his wallet as far as I know: https://blockchain.info/address/1M4yNbSCwSMFLF9BaLqzoo2to1WHtZrPke
Source is from here, those are people who are holding the money of the forum (which is not out yet): https://bitcointalk.org/index.php?topic=155000.0

@Theymos, thanks for your hard work .. a question tho ... if we don't change password and that password isn't the same as our email addresses then we should be good right? Just curious, I will change my pass anyway

Moebius327
Hero Member
May 25, 2015, 03:28:56 PM
 #36

theymos, thank you for your hard work. Let's hope we will not have to deal with this in the future.
Gervais
Sr. Member
May 25, 2015, 03:29:06 PM
 #37

@Theymos, thanks for your hard work .. a question tho ... if we don't change password and that password isn't the same as our email addresses then we should be good right? Just curious, I will change my pass anyway

No, you should change it because it could be broken eventually especially if it was a weak password. I wouldn't take any chances.
TheTommyD
Sr. Member
May 25, 2015, 03:30:16 PM
 #38

Would 2FA not have protected this from occurring?

BTC: 1DEj5mbjoYXqvRKfoS4yqtdvSKHpQ4hFLu
MakingMoneyHoney
Hero Member
May 25, 2015, 03:30:54 PM
 #39

Thank you for keeping this site safe  Smiley
Maybe you could invest in some kind of better security in the future? Just in case something like this happens again,
and I'm still trying to figure out what's the motive of the attacker to attack this site  Undecided

If they get an email/password combo figured out, they could have passed themselves off as a well respected member and done deals where they get money and run. Or, just use the email/password to log into a bank account, or exchange account and withdraw the money. One of the main things is to use a unique password for each site. Lastpass.com is good for that, if anyone hasn't heard of them.
nearmint
Newbie
May 25, 2015, 03:33:09 PM
 #40

He might not want 2fa because it lowers conversion rate. Less people would use the forum and the forum's only strength is its community. BUT the forum would be still big enough after 2fa. It's a classic in the scene, so ppl will continue to use it. I would use it with 2fa Cheesy