About the recent server compromise

[Xialla]

9800 Savage Rd
Fort Meade, MD 20755
USA

 

What is this?

NSA address my friend.

[alani123]

Oh I see, Nsa.gov...

[galdur]

Well, nothing amiss here it seems. Changed the password. No suspicious emails received so far. Looks like it´s back to plain sailing. Good luck, g

[AgentofCoin]

This might be a dumb question, but why aren't emails also hashed on the server?
(If the user decides not to display it in their own profile, the only people who know it is the user, mods, and the server).

[damm315er]

https://twitter.com/#!/2256561481/status/602900410647580672

[BDCoinMiner]

Welcome Back!

Just out of curiosity, I wander what could be the possible 'gain' for attacker by attacking BCT forum, other then mental satisfaction ?

Yes, a lots of user contact data, related to CryptoCurrency  which can be use for other phishing attack...

Other then above, what could be the 'direct' gain he/she/they (The attacker) had in mind at time of attacking??

Cheers!

[marcotheminer]

Welcome Back!

Just out of curiosity, I wander what could be the possible 'gain' for attacker by attacking BCT forum, other then mental satisfaction ?

Yes, a lots of user contact data, related to CryptoCurrency  which can be use for other phishing attack...

Other then above, what could be the 'direct' gain he/she/they (The attacker) had in mind at time of attacking??

Cheers!

Gaining access to accounts and scamming with them or selling them. Also spamming emails.

[MakingMoneyHoney]

Welcome Back!

Just out of curiosity, I wander what could be the possible 'gain' for attacker by attacking BCT forum, other then mental satisfaction ?

Yes, a lots of user contact data, related to CryptoCurrency  which can be use for other phishing attack...

Other then above, what could be the 'direct' gain he/she/they (The attacker) had in mind at time of attacking??

Cheers!

If someone used the same username/password with email/online banking accounts/exchanges they could log in and withdraw the money, or use password resets to the email account and withdraw money.

This is a nice read on how easy someone can use some information to get past other checkpoints, such as 2FA - http://www.theverge.com/a/anatomy-of-a-hack

[itod]

Whoever claims theymos is not doing a great job with this forum should consider this forum is probably one of the most attacked ones because attackers potentially have so much to gain in the financial sense. Consider also that a lot of security expertise lurks around the forum. When you look at it this way, the amount of successful attacks is quite low, TBH. Keep up the good work, theymos.

[alani123]

Whoever claims theymos is not doing a great job with this forum should consider this forum is probably one of the most attacked ones because attackers potentially have so much to gain in the financial sense. Consider also that a lot of security expertise lurks around the forum. When you look at it this way, the amount of successful attacks is quite low, TBH. Keep up the good work, theymos.

To also look at the other side, it's not the first time the forum gets attacked. The previous attacks were done with the intention to deface the website though, (probably) no attempt to steal information. This must be the first time someone attacks the sole forum with the intention of stealing user information.

[dogie]

I was using a moderately strong password which I could remember too. Now I will have to come with another system.

LastPass is a good idea for generating passwords you don't need to remember. You'll need to remember one complex password but then it'll store any others you need. [Link] | [Link with referral ID which gives both of us 1 free month premium].

[TinEye]

9800 Savage Rd
Fort Meade, MD 20755
USA

 

What is this?

Address of the most loved agency in this world

No Such Agency?

[dogie]

9800 Savage Rd
Fort Meade, MD 20755
USA

 

What is this?

Address of the most loved agency in this world

No Such Agency?

No Secrets Allowed.
Never Say Akbar.

So many good variants.

[bitcoin_bagholder]

It was a very tense login moment today to find out if I still had access to the account, must've been doubly so for those in a signature campaign.

Victory. 

[caitsith2]

I was using a moderately strong password which I could remember too. Now I will have to come with another system.

LastPass is a good idea for generating passwords you don't need to remember. You'll need to remember one complex password but then it'll store any others you need. [Link] | [Link with referral ID which gives both of us 1 free month premium].

Totally agree.  According to the table,  my 16 random AZaz09  is effectively not going to be cracked by those black-hats any time soon.

[damm315er]

No Secrets Allowed.
Never Say Akbar.

So many good variants.

LOL @ Never say

Not Smart Actually
Negative Security Agency
Nothing Secure Anymore
National in-Security Agenda

[solstoce]

Good work theymos glad u got the server shut down quickly!

[notlist3d]

Theymos thank you for dealing with all this during a holiday weekend.   It sounds like a lot of work put in over this mess.

Also what I think is great of you is putting a good reward out there.  I thank you most for this.  I hope whoever did this someone knows and will turn them in for the reward.  Guess time will tell.  But I hope actionable information comes in.

[RappelzReborn]

Why can't 1.5 million USD donated in bitcoin protect this forum from attack?
Is there any proof that the entire 1.5 million went into this forum & not into theymos' Carribean Island retirement pot?
Wallet transactions etc?

There is actually , here is his wallet as far as I know : https://blockchain.info/address/1M4yNbSCwSMFLF9BaLqzoo2to1WHtZrPke
Source is from here , those are people who are helding the money of the forum (which is not out yet ) : https://bitcointalk.org/index.php?topic=155000.0

@Theymos , thanks for your hard work .. a question tho ... if we don't change password and that password isn't the same as our email adresses then we should be good right ? just curious i will change my pass anyway

That's just one donation wallet. It was supposed to be spread around last year when bitcoin was really high. So you may want to at least triple that number. 6 million dollars in donations. Although we will never know the true numbers. He just happen to be at the right place, right time. BAM and people donated like crazy to keep the site up. I'm not complaining, because I donated myself (knowing the forum had millions of dollars) but really thought security and features, and updates would be top priority here. You can have the sweetest forum running on the Internet. I say try out discourse.

Check the second link , all the other adresses are available .
But yes you got a point . We still waiting for this new forum which should cost 1.5m dollar and I'am really thinking it's a lot more then it should cost . but ... Simple Machines is not that good but vBulletin is made by professionals I don't know why we aren't using that , and we can use like 100k $ max to Upgrade and Hire developpers and programmers to do the security stuff etc .
So I guess we just should wait for epochtalk and see how things goes It may be able to compeet the other forum softwares such vb,mybb etc ...

[Cryddit]

What's the limit for passwords? I tried using an unreasonably large string as my password and didn't receive any error messages (despite the load time after I press the login button being huge). Were the last characters of the string cut off for it to fit a certain limit?

No, the last characters are not cut off, at least not at any "reasonable" password length.  My password here is over 60 characters, and it still cares about whether the last character is entered.