Author Topic: About the recent server compromise  (Read 15323 times)
dogie
May 25, 2015, 04:01:40 PM
 #61

Can they do anything with our IP addresses?

Yeah, DDOS you out of digital existence. Which is why I don't think the forum should have added a "Skype username" box on people's profiles. It's just asking for revenge DDOSing.

tarsua
May 25, 2015, 04:02:39 PM
 #62

Thanks for the info theymos, I'll have a crack at tracking his email and IP, although I'm sure the email is fake and he used a proxy
Xialla
May 25, 2015, 04:03:42 PM
 #63

It is possible the attacker is selling the stolen email address database to spammers to make quick bucks.

ahh, I really don't wanna start any drama. maybe it was just spam in "wrong time" and it is not related at all. just reporting..Smiley
cbase
May 25, 2015, 04:04:04 PM
 #64

uhh already received spam also + many unsuccessful attempts to mail login:(

anyway, thanks for bring the forum up.

What spam did you get? Has anyone else had attempts to compromise their email?

something like "buy iphone with btc" or "some viagra with btc" and similar..

I dunno, if it is related, but I had this acc for years and I never received similar mails until yesterday. coming from some non-sense yahoo addresses.

It is possible the attacker is selling the stolen email address database to spammers to make quick bucks.


Not very much worth it if the reason of the attacker is just to get emails list, it must be something else and it might be the attacker is looking for private data
minifrij
May 25, 2015, 04:05:47 PM
 #65

Glad that it's back, but as previously said it's fairly unacceptable that a forum with such a security aura can still be compromised by attackers.
When will the new forum be happening? It's been in speculation for at least a year, if not longer now. It cannot take this long to code a forum software.

Yeah, DDOS you out of digital existence.
Do you think that they would bother? Surely to take down as many people as it would be worth here it would take more resources than what the attacker could get back.
AGD
May 25, 2015, 04:13:37 PM
 #66

It is possible the attacker is selling the stolen email address database to spammers to make quick bucks.

ahh, I really don't wanna start any drama. maybe it was just spam in "wrong time" and it is not related at all. just reporting..Smiley

This doesn't look like the average email spam hack to me.

Bitcoin is not a bubble, it's the pin!
+++ GPG Public key FFBD756C24B54962E6A772EA1C680D74DB714D40 +++ http://pgp.mit.edu/pks/lookup?op=get&search=0x1C680D74DB714D40
Welsh
Staff
May 25, 2015, 04:14:45 PM
 #67

Unfortunately this seems to be a reoccurring issue. Again, good job in minimising the damage done. Keep us up to date on the situation regarding how they obtained the information needed to gain access.
thebitcoinquiz.com
May 25, 2015, 04:18:25 PM
 #68

I guess the password changes which were done yesterday (when the forum came online for a few hours) were reverted back, cause I changed my password yesterday but I had to use my previous password to login today. Idk why was it done.

Also, is it just me or the forum looks plain to everyone? Like I am not able to identify what has changed but the layout looks a bit flat.

Stay hungry. Stay foolish.
opentoe
May 25, 2015, 04:19:41 PM
 #69

On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings

As such, you should change your password here and anywhere else you used that same password. You should disable your secret question and assume that the attacker now knows your answer to your secret question. You should prepare to receive phishing emails at your forum email address.

While nothing can ever be ruled out in these sorts of situations, I do not believe that the attacker was able to collect any personal messages or other sensitive data beyond what I listed above.

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

I will now go into detail about how well you can expect your password to fare against a determined attacker. However, regardless of how strong your password is, the only prudent course of action is for you to immediately change your password here and everywhere else you used it or a similar password.

The following table shows how long it will take on average for a rather powerful attacker to recover RANDOM passwords using current technology, depending on the password's alphabet and length. If your password is not completely random (ie. generated with the help of dice or a computer random number generator), then you should assume that your password is already broken.

It is not especially helpful to turn words into leetspeak or put stuff between words. If you have a password like "w0rd71Voc4b", then you should count that as just 2 words to be safe. In reality, your extra stuff will slow an attacker down, but the effect is probably much less than you'd think. Again, the times listed in the table only apply if the words were chosen at random from a word list. If the words are significant in any way, and especially if they form a grammatical sentence or are a quote from a book/webpage/article/etc., then you should consider your password to be broken.

Code:
Estimated time (conservative) for an attacker to break randomly-constructed
bitcointalk.org passwords with current technology

s=second; m=minute; h=hour; d=day; y=year; ky=1000 years; My=1 million years

Password length  a-z  a-zA-Z  a-zA-Z0-9  <all standard>
              8    0      3s        12s              2m
              9    0      2m        13m              3h
             10   8s      2h        13h             13d
             11   3m      5d        34d              1y
             12   1h    261d         3y            260y
             13   1d     37y       366y            22ky
             14  43d   1938y       22ky             1My
             15   1y   100ky        1My           160My
-------------------------------------------------------
         1 word  0
        2 words  0
        3 words  0
        4 words  3m
        5 words  19d
        6 words  405y
        7 words  3My

Each password has its own 12-byte random salt, so it isn't possible to attack more than one password with the same work. If it takes someone 5 days to recover your password, that time will all have to be spent on your password. Therefore, it's likely that only weak passwords will be recovered en masse -- more complicated passwords will be recovered only in targeted attacks against certain people.

If your account is compromised due to this, email acctcomp15@theymos.e4ward.com from the email that was previously associated with your account.

For security reasons, I deleted all drafts. If you need a deleted draft, contact me soon and I can probably give it to you.

A few people might have broken avatars now. Just upload your avatar again to fix it.

Unproxyban fee processing isn't working right now. If you want to register and you can't, get someone to post in Meta for you and you'll be whitelisted.

Searching is temporarily disabled, though it won't be disabled for as long as last time because I improved the reindexing code.

If you changed your password in the short time when the forum was online a little over a day ago, the change didn't stick. You'll have to change it again.

How the compromise happened:

The attacker was able to acquire KVM access credentials for the server. The investigation into how this was possible is still ongoing, so I don't know everything, and I don't yet want to publish everything that I do know, but it seems almost certain that it was a problem on the ISP's end.

After he got KVM access, the attacker convinced the ISP NFOrce that he was me (using his KVM access as part of his evidence) and said that he had locked himself out of the server. So NFOrce reset the server's root password for him, giving him complete access to the server and bypassing most of our carefully-designed security measures. I originally assumed that the attacker gained access entirely via social engineering, but later investigation showed that this was probably only part of the overall attack. As far as I know, NFOrce's overall security practices are no worse than average.

To reduce downtime and avoid temporarily-broken features, I was originally going to stay in NFOrce's data center. However, some things made me suspicious and I moved everything elsewhere. That's where the extra day+ of downtime came from after a short period of uptime. No additional data was leaked.

The forum will pay up to 15 XAU (converted to BTC) for information about the attacker's real-world identity. Exact payment amounts will depend on the quality and usefulness of information as well as what information I've already acquired, but if for example you're the first person to contact me and your info allows me to successfully prosecute this person, then you will get the full 15 XAU. You need to actually convince me that your info is accurate -- just sending me someone's name is useless.

The attacker used the following IPs/email:
37.48.77.227
66.172.27.160
lopaz291@safe-mail.net

Thanks for the info, but don't you think it is time you really take some of those donations and upgrade this forum software? There are quite a few new styles out there that are really nice. This pretty much static version has been around and looked the same since it was installed. And last year when there was a thread about how you had so much bitcoin worth millions of dollars I think it was, you wanted other users to hold on to it in case some of it was lost. Why can't you take some of those donations, build a brand new dedicated box, hire one of the best programmers you can find and get this forum software out of the dark ages?


Need help with your Newznab usenet indexer? http://www.newznabforums.com
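An added example (not part of any post in this thread, and not the forum's code): the arithmetic behind a table like the one in the announcement quoted in post #69, including the point that per-password salts make the cost per account. The post states no guess rate, so the rate here is an assumption back-solved from the table's "a-zA-Z, length 14, 1938y" row with average time = keyspace / (2 × rate); the 365-day year, the point where "ky" starts, and the 7776-word list size are also assumptions.

```python
"""Average brute-force time for one salted hash, in the table's units."""

YEAR = 365 * 86400  # the table's "y", taken here as 365 days (assumption)


def calibrate_rate(symbols, length, avg_seconds):
    """Back-solve guesses/second from one row: avg = symbols**length / (2 * rate)."""
    return symbols ** length / (2 * avg_seconds)


# Assumption: the post gives no guess rate; this one is implied by the row
# "a-zA-Z, length 14, 1938y" under the average-case model above.
RATE = calibrate_rate(52, 14, 1938 * YEAR)


def average_seconds(symbols, length, rate=RATE):
    """Expected time to recover ONE random password (half the keyspace)."""
    return symbols ** length / (2 * rate)


def humanize(seconds):
    """Truncate to the table's units; '0' below one second."""
    seconds *= 1 + 1e-9  # absorb float rounding at unit boundaries
    if seconds < 1:
        return "0"
    years = seconds / YEAR
    if years >= 1e6:
        return f"{int(years / 1e6)}My"
    if years >= 1e4:  # assumption: the table switches to ky around here
        return f"{int(years / 1e3)}ky"
    for unit, size in (("y", YEAR), ("d", 86400), ("h", 3600), ("m", 60), ("s", 1)):
        if seconds >= size:
            return f"{int(seconds // size)}{unit}"


def min_length(symbols, target_seconds, rate=RATE):
    """Shortest random password whose average recovery time reaches the target."""
    length = 1
    while average_seconds(symbols, length, rate) < target_seconds:
        length += 1
    return length


def all_accounts_seconds(symbols, length, accounts, rate=RATE):
    """Per-password salts mean no shared work: cost grows linearly with accounts."""
    return accounts * average_seconds(symbols, length, rate)


if __name__ == "__main__":
    print(f"implied rate: {RATE:.2e} guesses/s")
    for name, symbols, length in [("a-z", 26, 10), ("a-zA-Z", 52, 12),
                                  ("a-zA-Z0-9", 62, 8), ("4 words", 7776, 4)]:
        # 7776 = size of a Diceware-style word list (assumption, not from the post)
        print(f"{name:10} len {length:2}: {humanize(average_seconds(symbols, length))}")
    for name, symbols in [("a-z", 26), ("a-zA-Z", 52), ("a-zA-Z0-9", 62)]:
        print(f"{name:10} needs length {min_length(symbols, 100 * YEAR)} for 100y")
    # 10 random lowercase letters: seconds for one hash, but 1000 salted hashes
    # of that strength cost 1000 separate searches.
    print("1000 accounts:", humanize(all_accounts_seconds(26, 10, 1000)))
```

These figures hold only for passwords drawn uniformly at random; a password built from meaningful words or patterns has a far smaller effective keyspace than `symbols ** length`.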
theymos (OP)
Administrator
May 25, 2015, 04:20:02 PM
 #70

I guess the password changes which were done yesterday (when the forum came online for a few hours) were reverted back, cause I changed my password yesterday but I had to use my previous password to login today. Idk why was it done.

Right, you should change your password again.

Also, is it just me or the forum looks plain to everyone? Like I am not able to identify what has changed but the layout looks a bit flat.

Your eyes got used to looking at other websites besides this one.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
botany
May 25, 2015, 04:21:27 PM
 #71

I guess the password changes which were done yesterday (when the forum came online for a few hours) were reverted back, cause I changed my password yesterday but I had to use my previous password to login today. Idk why was it done.


Yup, you will have to change it again.


If you changed your password in the short time when the forum was online a little over a day ago, the change didn't stick. You'll have to change it again.
Morecoin Freeman
May 25, 2015, 04:22:02 PM
 #72

Fucking hackers Angry

Ask the stranger he knows who you really are.
locopao
May 25, 2015, 04:25:47 PM
 #73

Hey guys!

One more thing: DON'T FORGET TO CHECK YOUR WALLET ADDRESS, TOO!!! IN YOUR PROFILE.

This is most important for users already participating in campaigns (FOR AUTOMATED PAID campaigns like bitmixer etc)

Hacker would easily check the participants accounts and just change the payment address to his own, in order to receive the payments.

 Wink
botany
May 25, 2015, 04:28:58 PM
 #74

Hey guys!

One more thing: DON'T FORGET TO CHECK YOUR WALLET ADDRESS, TOO!!! IN YOUR PROFILE.

This is most important for users already participating in campaigns (FOR AUTOMATED PAID campaigns like bitmixer etc)

Hacker would easily check the participants accounts and just change the payment address to his own, in order to receive the payments.

 Wink

A hacker after small change.  Grin
Good joke. Smiley
TheTommyD
May 25, 2015, 04:29:35 PM
 #75

I just changed mine: 01100110 01110101 01100011 01101011 01111001 01101111 01110101 01110011 01110000 01100001 01101101 01101101 01100101 01110010

BTC: 1DEj5mbjoYXqvRKfoS4yqtdvSKHpQ4hFLu
nor9865
May 25, 2015, 04:32:37 PM
 #76

wait a minute .

lopaz???

that's a player of World of Warcraft. you should look into that

if anyone who has the admin login and password has been in WoW recently make sure someone did not install a keylogger or a backdoor in your computer and was able to get the log in and password or some way to perform the attack.

also it is impossible that the forum is so at risk considering the number of times i have seen it down or been attacked. it is becoming a joke now.

you should accelerate into the new forum with more security rather than leaning over this one. the new forum was announced for a while now.
locopao
May 25, 2015, 04:32:52 PM
 #77

Hey guys!

One more thing: DON'T FORGET TO CHECK YOUR WALLET ADDRESS, TOO!!! IN YOUR PROFILE.

This is most important for users already participating in campaigns (FOR AUTOMATED PAID campaigns like bitmixer etc)

Hacker would easily check the participants accounts and just change the payment address to his own, in order to receive the payments.

 Wink

A hacker after small change.  Grin
Good joke. Smiley

I am sure you just checked yours  Grin

Seriously, i agree it's just small change for someone to get in all this trouble just to steal some coins, but on the other hand, how many campaigns & participants are in total? So it might not be just changes.

hilariousandco
Global Moderator
May 25, 2015, 04:33:18 PM
 #78

Thanks for the info, but don't you think it is time you really take some of those donations and upgrade this forum software? There are quite a few new styles out there that are really nice. This pretty much static version has been around and looked the same since it was installed. And last year when there was a thread about how you had so much bitcoin worth millions of dollars I think it was, you wanted other users to hold on to it in case some of it was lost. Why can't you take some of those donations, build a brand new dedicated box, hire one of the best programmers you can find and get this forum software out of the dark ages?



It's almost complete and is being tested now. There's a subforum for the discussion of it: https://bitcointalk.org/index.php?board=167.0

dbshck
Staff
May 25, 2015, 04:34:15 PM
 #79


Thanks for the info, but don't you think it is time you really take some of those donations and upgrade this forum software? There are quite a few new styles out there that are really nice. This pretty much static version has been around and looked the same since it was installed. And last year when there was a thread about how you had so much bitcoin worth millions of dollars I think it was, you wanted other users to hold on to it in case some of it was lost. Why can't you take some of those donations, build a brand new dedicated box, hire one of the best programmers you can find and get this forum software out of the dark ages?

This is exactly what theymos is doing right now. Not sure why you haven't noticed it, but we're currently developing a brand new forum software with the best programmers since 2014. There is a dedicated subforum for the new forum software https://bitcointalk.org/index.php?board=167.0
You can also check out the progress on Github https://github.com/epochtalk/epochtalk

opentoe
May 25, 2015, 04:36:55 PM
 #80

Why can't 1.5 million USD donated in bitcoin protect this forum from attack?
Is there any proof that the entire 1.5 million went into this forum & not into theymos' Caribbean Island retirement pot?
Wallet transactions etc?

There is actually , here is his wallet as far as I know : https://blockchain.info/address/1M4yNbSCwSMFLF9BaLqzoo2to1WHtZrPke
Source is from here , those are people who are holding the money of the forum (which is not out yet ) : https://bitcointalk.org/index.php?topic=155000.0

@Theymos , thanks for your hard work .. a question tho ... if we don't change password and that password isn't the same as our email addresses then we should be good right ? just curious i will change my pass anyway

That's just one donation wallet. It was supposed to be spread around last year when bitcoin was really high. So you may want to at least triple that number. 6 million dollars in donations. Although we will never know the true numbers. He just happened to be at the right place, right time. BAM and people donated like crazy to keep the site up. I'm not complaining, because I donated myself (knowing the forum had millions of dollars) but really thought security and features, and updates would be top priority here. You can have the sweetest forum running on the Internet. I say try out discourse.

Need help with your Newznab usenet indexer? http://www.newznabforums.com