Author Topic: Influx of Hacked Accounts  (Read 3647 times)
Mt.Gox Support
VIP
Sr. Member
*
Offline Offline

Activity: 308
Merit: 250



View Profile
May 25, 2015, 09:45:24 PM
 #41


>Yeah I've seen some old accounts just started posting again today after years of not being used Sad.

How is this going to change above?  The hacked accounts make it pretty clear that either the passwords weren't salted, or the hackers managed to do much more than grab a db of password hashes & emails. Theymos did say he was rooted :


You cannot assume Theymos is lying and the database wasn't salted. We don't know if the security question was encrypted and salted as well.
I'm assuming nothing. Merely laying out the possibilities, so that they could be eliminated, one by one. In other words, theymos is not lying, the passwords were salted, which leaves only one plausible explanation for shitloads of VIP accounts flooding online: The hackers got a lot more than password hashes & emails.

Quote
Any old accounts compromised likely used easy passwords or easy security questions.
VIP accounts in a forum that's all about privacy, security & crypto? You sure?

Quote
Forcing a password reset where the recovery must happen through email will protect all those accounts unless the user were ignorant enough to use the same password for their email account as here.
Protect all which accounts? The ones posting here now? Or the accounts on the db dumps? Those probably changed hands a few times by now.


You can still crack salted passwords you know.... you just can't use a rainbow table to speed up the process.

Mt.Gox : The Leading International Bitcoin Exchange.
Mt.Gox Merchant Solutions : https://mtgox.com/merchant
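
Added example (not part of any post in this thread, and not the forum's actual hashing scheme): the point made in post #41, that a salt defeats precomputed tables but not per-account guessing, shown on constructed accounts. Salted SHA-256, the PBKDF2 iteration count, the wordlist and the account names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed data: a tiny wordlist and two made-up accounts.
WORDLIST = ["123456", "password", "bitcoin", "letmein", "satoshi"]
PASSWORDS = {"alice": "bitcoin", "bob": "kV9#tq2!Lm7xZp-constructed"}


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Fast salted hash (assumed scheme, for illustration only)."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2(password: str, salt: bytes, iterations: int = 20_000) -> bytes:
    """Salted and deliberately slow: every guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_records(hash_fn):
    """Store (salt, digest) per account, with a fresh random salt each."""
    records = {}
    for user, pw in PASSWORDS.items():
        salt = os.urandom(16)
        records[user] = (salt, hash_fn(pw, salt))
    return records


def table_lookup(digests, wordlist):
    """Precomputed unsalted table: built once, reused against every account."""
    table = {hashlib.sha256(w.encode()).digest(): w for w in wordlist}
    return {user: table[d] for user, d in digests.items() if d in table}


def audit_by_guessing(records, wordlist, hash_fn):
    """Per-account audit: each candidate is rehashed with that account's salt."""
    weak = {}
    for user, (salt, digest) in records.items():
        for candidate in wordlist:
            if hmac.compare_digest(hash_fn(candidate, salt), digest):
                weak[user] = candidate
                break
    return weak


def demo():
    unsalted = {u: hashlib.sha256(p.encode()).digest() for u, p in PASSWORDS.items()}
    salted = make_records(salted_sha256)
    stretched = make_records(pbkdf2)
    return {
        "table_vs_unsalted": table_lookup(unsalted, WORDLIST),
        "table_vs_salted": table_lookup({u: d for u, (_, d) in salted.items()}, WORDLIST),
        "guessing_vs_salted": audit_by_guessing(salted, WORDLIST, salted_sha256),
        "guessing_vs_pbkdf2": audit_by_guessing(stretched, WORDLIST, pbkdf2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The precomputed table finds nothing once a salt is in place, yet the wordlist password is still recovered by per-account guessing under both hash functions; only the long random password survives, and the slow hash changes the cost per guess, not the outcome for a weak password.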
Mt.Gox Support
VIP
Sr. Member
*
Offline Offline

Activity: 308
Merit: 250



View Profile
May 25, 2015, 09:50:06 PM
 #42


Protect all which accounts? The ones posting here now? Or the accounts on the db dumps? Those probably changed hands a few times by now.

If Theymos changes all passwords and drops the security question table and prompts the users to reset via email on file the only vulnerable accounts will be those that have the same password /security question for their email as here and fail to respond timely.

about 80% of accounts here have a fake email address set. People are reluctant to use real email addresses so they can stay anonymous. Only thing people can do is log in and change their password before a hacker can crack it.

Mt.Gox : The Leading International Bitcoin Exchange.
Mt.Gox Merchant Solutions : https://mtgox.com/merchant
Mt.Gox Support
VIP
Sr. Member
*
Offline Offline

Activity: 308
Merit: 250



View Profile
May 25, 2015, 09:55:33 PM
 #43

about 80% of accounts here have a fake email address set. People are reluctant to use real email addresses so they can stay anonymous. Only thing people can do is log in and change their password before the hacker can crack it.

Some of those 80% will still have access to the fake/throwaway email accounts, some won't. It takes 5 minutes to set up a spare email account for security / spam and it only needs to be checked once a year to make sure it remains active. Anyone that isn't maintaining these accounts in a password manager is irresponsible and deserves to become a newbie again.

no i mean 80% of the emails are invalid, they aren't temporary emails, they are invalid that bounce emails back. Most people just entered sadasdsdfgdfgdfgdfa@gmail.com or similar, the email accounts don't exist. The only authentication the forum has is password/security question, email is no good for us, even satoshi's account has an invalid email though that is likely on purpose.

Mt.Gox : The Leading International Bitcoin Exchange.
Mt.Gox Merchant Solutions : https://mtgox.com/merchant
thebigtalk
Sr. Member
****
Offline Offline

Activity: 350
Merit: 250


Bitcoin and co.


View Profile
May 25, 2015, 09:58:05 PM
 #44

Some tips to avoid being scammed by hacked accounts:
1. Check their activity such as forum posts. Check the date of the user's last post and see if that user has been active in the past few weeks. Abandoned accounts will have a long gap on their posts.

Feel free to add anything to help others and newbies.

dogie
Legendary
*
Offline Offline

Activity: 1666
Merit: 1183


dogiecoin.com


View Profile WWW
May 25, 2015, 09:58:47 PM
 #45

about 80% of accounts here have a fake email address set. People are reluctant to use real email addresses so they can stay anonymous. Only thing people can do is log in and change their password before the hacker can crack it.

Some of those 80% will still have access to the fake/throwaway email accounts, some won't. It takes 5 minutes to set up a spare email account for security / spam and it only needs to be checked once a year to make sure it remains active. Anyone that isn't maintaining these accounts in a password manager is irresponsible and deserves to become a newbie again.

no i mean 80% of the emails are invalid, they aren't temporary emails, they are invalid that bounce emails back. Most people just entered sadasdsdfgdfgdfgdfa@gmail.com or similar, the email accounts don't exist. The only authentication the forum has is password/security question, email is no good for us, even satoshi's account has an invalid email.

I thought we knew Satoshi's (since hacked) email? Or are you saying he didn't even use that one on here?

Mt.Gox Support
VIP
Sr. Member
*
Offline Offline

Activity: 308
Merit: 250



View Profile
May 25, 2015, 10:02:59 PM
 #46

no i mean 80% of the emails are invalid, they aren't temporary emails, they are invalid that bounce emails back. Most people just entered sadasdsdfgdfgdfgdfa@gmail.com or similar, the email accounts don't exist. The only authentication the forum has is password/security question, email is no good for us, even satoshi's account has an invalid email.

I understood you the first time. Who cares if they are invalid. I clearly stated that those users who are stupid enough not to maintain a throwaway email for this exact scenario deserve to become newbies again.

What is worse : a few hero accounts being frozen where the users are forced to start over or a ton of compromised accounts trolling and scamming on this forum?

The choice is clear to me ... hopefully Theymos makes the right decision, otherwise he is choosing usability over security like apple did before fappergate.

When I say 80% I am underestimating. Like I said even satoshi would be locked out, if you think it's a good idea to make 80% of accounts here unrecoverable then you are a complete idiot. Don't waste your time replying to this.

Mt.Gox : The Leading International Bitcoin Exchange.
Mt.Gox Merchant Solutions : https://mtgox.com/merchant
Mt.Gox Support
VIP
Sr. Member
*
Offline Offline

Activity: 308
Merit: 250



View Profile
May 25, 2015, 10:09:31 PM
 #47

When I say 80% I am underestimating. Like I said even satoshi would be locked out, if you think it's a good idea to make 80% of accounts here unrecoverable then you are a complete idiot. Don't waste your time replying to this.

It makes perfect sense for a likely compromised account to be trying to dissuade Theymos and others from good security advice.

Whether the number is 50% or 90% , they mostly are comprised of shill accounts so it will be great to purge those.

If you are going to ban 80% of accounts here including satoshi and all VIP members except 2 who used real emails you might as well delete the whole forum and start over from scratch. Even this account's email "support@mtgox.com" had expired.

Mt.Gox : The Leading International Bitcoin Exchange.
Mt.Gox Merchant Solutions : https://mtgox.com/merchant
Gervais
Sr. Member
****
Offline Offline

Activity: 366
Merit: 250



View Profile
May 25, 2015, 10:18:00 PM
 #48

about 80% of accounts here have a fake email address set. People are reluctant to use real email addresses so they can stay anonymous. Only thing people can do is log in and change their password before the hacker can crack it.

Some of those 80% will still have access to the fake/throwaway email accounts, some won't. It takes 5 minutes to set up a spare email account for security / spam and it only needs to be checked once a year to make sure it remains active. Anyone that isn't maintaining these accounts in a password manager is irresponsible and deserves to become a newbie again.

no i mean 80% of the emails are invalid, they aren't temporary emails, they are invalid that bounce emails back. Most people just entered sadasdsdfgdfgdfgdfa@gmail.com or similar, the email accounts don't exist. The only authentication the forum has is password/security question, email is no good for us, even satoshi's account has an invalid email though that is likely on purpose.

Why would you need the password or anything else to accounts like sadasdsdfgdfgdfgdfa@gmail.com when you could just create the gmail account yourself and reset the pass? Once you had the list of obviously fake emails you could create any that used real providers.
AltcoinInvestor
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250



View Profile
May 25, 2015, 10:22:26 PM
 #49

Partial protection before doing any business not to be scammed:
Ask for a signed message with an old posted & unedited address. (At least 1 year old.)
MsCollec
Legendary
*
Offline Offline

Activity: 1400
Merit: 1000


View Profile
May 25, 2015, 10:45:30 PM
 #50

More worried about virus emails  Sad
Gervais
Sr. Member
****
Offline Offline

Activity: 366
Merit: 250



View Profile
May 25, 2015, 10:47:35 PM
 #51

More worried about virus emails  Sad

Simple solution: don't open them. I wouldn't click on any email I didn't like the look of especially ones that mention btc.
BrewCrewFan
Hero Member
*****
Offline Offline

Activity: 672
Merit: 501



View Profile
May 25, 2015, 10:49:49 PM
 #52

More worried about virus emails  Sad

Simple solution: don't open them. I wouldn't click on any email I didn't like the look of especially ones that mention btc.

This is right here the best advice.

It's so funny, until a few years ago before I got into BTC, I had no care in the world. Now I have multicharacter passwords for everything, even my email.... funny how something like this can open your eyes.

crazyearner
Legendary
*
Offline Offline

Activity: 1820
Merit: 1001



View Profile
May 26, 2015, 12:02:24 AM
 #53

Well changed and updated my password and security questions. No doubt am going to get a load of spam emails to file off and block in the future. Seems like satoshi account is hacked how can there be 3 satoshis on here unless someone changed their display name to his. So who's the real satoshi apart from profile u=3 seems lot going on and needs to be investigated.

I would at least mass force password update and to change passwords.

Original one https://bitcointalk.org/index.php?action=profile;u=3

Impostor one or changed to. https://bitcointalk.org/index.php?action=profile;u=67058

3rd account https://bitcointalk.org/index.php?action=profile;u=25340

Redones
Sr. Member
****
Offline Offline

Activity: 320
Merit: 261


Web developper


View Profile
May 26, 2015, 12:15:15 AM
 #54

it will be better if they could include two factor authenticator for more security
tarsua
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


View Profile
May 26, 2015, 12:54:12 AM
 #55

This is silly and a waste of time. I don't think Theymos intends to do the right thing and change all passwords to have sufficient entropy until they are reset by email, so I am going to walk away from my account and close my email previously associated with the account. The trolling and the hack was merely the straw that broke the camels back... this forum has been going downhill for a while.

Goodbye bitcointalk.
If you aren't back in 6 months, I'll donate all my btc to charity
botany
Legendary
*
Offline Offline

Activity: 1582
Merit: 1064


View Profile
May 26, 2015, 01:20:47 AM
 #56

More worried about virus emails  Sad

Using a different email id for bitcointalk could be a solution.  Smiley
btcton
Legendary
*
Offline Offline

Activity: 1288
Merit: 1007


View Profile
May 26, 2015, 02:13:52 AM
 #57

I can see how many people are just going to ignore this ever even happened and are not planning to change their password. Sure, it may be hard to obtain the actual password, but it is not impossible either. I am hoping at least the most prominent users will use reason.

The signature campaign posters adding useless redundant fluff to their posts to reach their minimum word count are lowering my IQ.
iCEBREAKER
Legendary
*
Offline Offline

Activity: 2156
Merit: 1072


Crypto is the separation of Power and State.


View Profile WWW
May 26, 2015, 03:50:27 AM
Last edit: May 26, 2015, 05:36:44 AM by iCEBREAKER
 #58

I have a feeling we will be seeing a lot of hacked accounts in the near future (abandoned but high ranked accounts for example). Stay alert guys!

Agreed, also be especially careful trading with people. Even if no one gets hacked, I foresee some people scamming, and then trying to claim they were hacked to waive their liability.

Staff should give every account on the board negative default trust.

After all, BadBear didn't do a fucking thing (besides make lame excuses for him) when Vod (ab)used his authority to give me a red mark for nothing other than a "possibly hacked" account.

Now that all accounts are "possibly hacked" more than ever before, it's time for mass application of Vod's (staff/admin-approved) low standard.


liie888coins
Full Member
***
Offline Offline

Activity: 217
Merit: 100

Part-time Altcoin Developer


View Profile
May 26, 2015, 04:51:49 AM
 #59

This is silly and a waste of time. I don't think Theymos intends to do the right thing and change all passwords to have sufficient entropy until they are reset by email, so I am going to walk away from my account and close my email previously associated with the account. The trolling and the hack was merely the straw that broke the camels back... this forum has been going downhill for a while.

Goodbye bitcointalk.


Well, I thought theymos should disallow users to change email for a certain period of time.

When will this forum enable Google 2FA? I suppose this will help relieve some worries even certain users may have used relatively weak passwords.
Gervais
Sr. Member
****
Offline Offline

Activity: 366
Merit: 250



View Profile
May 26, 2015, 09:25:28 AM
 #60

This is silly and a waste of time. I don't think Theymos intends to do the right thing and change all passwords to have sufficient entropy until they are reset by email, so I am going to walk away from my account and close my email previously associated with the account. The trolling and the hack was merely the straw that broke the camels back... this forum has been going downhill for a while.

Goodbye bitcointalk.


Well, I thought theymos should disallow users to change email for a certain period of time.

That's no good for people who want to change them since they've been exposed. All those people who created fake email accounts could get socially engineered themselves so it's vital people need to be able to change them.

When will this forum enable Google 2FA? I suppose this will help relieve some worries even certain users may have used relatively weak passwords.

Probably have to wait for the new forum. If it was going to be implemented it likely would have been already.