Mt.Gox Support
VIP
Sr. Member
Offline
Activity: 308
Merit: 250
May 25, 2015, 09:45:24 PM
> Yeah I've seen some old accounts just started posting again today after years of not being used. Sad.
> How is this going to change above? The hacked accounts make it pretty clear that either the passwords weren't salted, or the hackers managed to do much more than grab a db of password hashes & emails. Theymos did say he was rooted:
> You cannot assume Theymos is lying and the database wasn't salted. We don't know if the security question was encrypted and salted as well. I'm assuming nothing. Merely laying out the possibilities, so that they could be eliminated, one by one. In other words, theymos is not lying, the passwords were salted, which leaves only one plausible explanation for shitloads of VIP accounts flooding online: The hackers got a lot more than password hashes & emails. Any old accounts compromised likely used easy passwords or easy security questions.
> VIP accounts in a forum that's all about privacy, security & crypto? You sure? Forcing a password reset where the recovery must happen through email will protect all those accounts unless the user were ignorant enough to use the same password for their email account as here.

Protect all which accounts? The ones posting here now? Or the accounts on the db dumps? Those probably changed hands a few times by now. You can still crack salted passwords you know.... you just can't use a rainbow table to speed up the process.
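Added illustration of the point argued above (this is not code from the thread or from the forum software): a per-user salt stops a precomputed digest table from being reused against a leaked record, and only the key-derivation work factor makes each remaining guess slow. The word list, the iteration count and the unsalted SHA-1 record are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor per guess: the salt removes precomputation, the iteration count
# is what makes each remaining guess expensive. (Assumed value for the demo.)
ITERATIONS = 200_000

# Constructed sample: one entry from an unsalted SHA-1 "password table", the weak case.
WEAK_UNSALTED_RECORD = hashlib.sha1(b"password123").hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a password as (salt, digest): fresh 16-byte random salt, PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def precomputed_table(words) -> Dict[str, str]:
    """digest -> password for unsalted SHA-1: computed once, reusable against any unsalted dump."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in words}


def demo() -> Tuple[Optional[str], Optional[str], bool, bool]:
    """Returns (unsalted table hit, salted table hit, salted records differ, verification works)."""
    table = precomputed_table(["password123", "letmein", "bitcoin"])  # constructed word list
    unsalted_hit = table.get(WEAK_UNSALTED_RECORD)      # instant match: "password123"
    salt1, digest1 = hash_password("password123")
    salt2, digest2 = hash_password("password123")
    salted_hit = table.get(digest1.hex())               # None: the table cannot be reused
    return unsalted_hit, salted_hit, digest1 != digest2, verify_password("password123", salt1, digest1)


if __name__ == "__main__":
    print(demo())
```

The same password stored twice yields two unrelated records, so a dump of salted records has to be guessed one user at a time at the cost set by the iteration count.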
Mt.Gox Support
VIP
Sr. Member
Offline
Activity: 308
Merit: 250
May 25, 2015, 09:50:06 PM
> Protect all which accounts? The ones posting here now? Or the accounts on the db dumps? Those probably changed hands a few times by now.
> If Theymos changes all passwords and drops the security question table and prompts the users to reset via email on file the only vulnerable accounts will be those that have the same password/security question for their email as here and fail to respond timely.

About 80% of accounts here have a fake email address set. People are reluctant to use real email addresses so they can stay anonymous. Only thing people can do is log in and change their password before a hacker can crack it.
Mt.Gox Support
VIP
Sr. Member
Offline
Activity: 308
Merit: 250
May 25, 2015, 09:55:33 PM
> About 80% of accounts here have a fake email address set. People are reluctant to use real email addresses so they can stay anonymous. Only thing people can do is log in and change their password before the hacker can crack it.
> Some of those 80% will still have access to the fake/throwaway email accounts, some won't. It takes 5 minutes to set up a spare email account for security / spam and it only needs to be checked once a year to make sure it remains active. Anyone that isn't maintaining these accounts in a password manager is irresponsible and deserves to become a newbie again.

No, I mean 80% of the emails are invalid; they aren't temporary emails, they are invalid ones that bounce emails back. Most people just entered sadasdsdfgdfgdfgdfa@gmail.com or similar; the email accounts don't exist. The only authentication the forum has is password/security question, email is no good for us, even satoshi's account has an invalid email though that is likely on purpose.
thebigtalk
Sr. Member
Offline
Activity: 350
Merit: 250
Bitcoin and co.
May 25, 2015, 09:58:05 PM
Some tips to avoid being scammed by hacked accounts: 1. Check their activity such as forum posts. Check the date of the user's last post and see if that user has been active in the past few weeks. Abandoned accounts will have a long gap in their posts.
Feel free to add anything to help others and newbies.
dogie
Legendary
Offline
Activity: 1666
Merit: 1183
dogiecoin.com
May 25, 2015, 09:58:47 PM
> About 80% of accounts here have a fake email address set. People are reluctant to use real email addresses so they can stay anonymous. Only thing people can do is log in and change their password before the hacker can crack it.
> Some of those 80% will still have access to the fake/throwaway email accounts, some won't. It takes 5 minutes to set up a spare email account for security / spam and it only needs to be checked once a year to make sure it remains active. Anyone that isn't maintaining these accounts in a password manager is irresponsible and deserves to become a newbie again.
> No, I mean 80% of the emails are invalid; they aren't temporary emails, they are invalid ones that bounce emails back. Most people just entered sadasdsdfgdfgdfgdfa@gmail.com or similar; the email accounts don't exist. The only authentication the forum has is password/security question, email is no good for us, even satoshi's account has an invalid email.

I thought we knew Satoshi's (since hacked) email? Or are you saying he didn't even use that one on here?
Mt.Gox Support
VIP
Sr. Member
Offline
Activity: 308
Merit: 250
May 25, 2015, 10:02:59 PM
> No, I mean 80% of the emails are invalid; they aren't temporary emails, they are invalid ones that bounce emails back. Most people just entered sadasdsdfgdfgdfgdfa@gmail.com or similar; the email accounts don't exist. The only authentication the forum has is password/security question, email is no good for us, even satoshi's account has an invalid email.
> I understood you the first time. Who cares if they are invalid. I clearly stated that those users who are stupid enough not to maintain a throwaway email for this exact scenario deserve to become newbies again. What is worse: a few hero accounts being frozen where the users are forced to start over or a ton of compromised accounts trolling and scamming on this forum? The choice is clear to me ... hopefully Theymos makes the right decision, otherwise he is choosing usability over security like apple did before fappergate.

When I say 80% I am underestimating. Like I said even satoshi would be locked out, if you think it's a good idea to make 80% of accounts here unrecoverable then you are a complete idiot. Don't waste your time replying to this.
Mt.Gox Support
VIP
Sr. Member
Offline
Activity: 308
Merit: 250
May 25, 2015, 10:09:31 PM
> When I say 80% I am underestimating. Like I said even satoshi would be locked out, if you think it's a good idea to make 80% of accounts here unrecoverable then you are a complete idiot. Don't waste your time replying to this.
> It makes perfect sense for a likely compromised account to be trying to dissuade Theymos and others from good security advice. Whether the number is 50% or 90%, they mostly are comprised of shill accounts so it will be great to purge those.

If you are going to ban 80% of accounts here including satoshi and all VIP members except 2 who used real emails you might as well delete the whole forum and start over from scratch. Even this account's email "support@mtgox.com" had expired.
Gervais
May 25, 2015, 10:18:00 PM
> About 80% of accounts here have a fake email address set. People are reluctant to use real email addresses so they can stay anonymous. Only thing people can do is log in and change their password before the hacker can crack it.
> Some of those 80% will still have access to the fake/throwaway email accounts, some won't. It takes 5 minutes to set up a spare email account for security / spam and it only needs to be checked once a year to make sure it remains active. Anyone that isn't maintaining these accounts in a password manager is irresponsible and deserves to become a newbie again.
> No, I mean 80% of the emails are invalid; they aren't temporary emails, they are invalid ones that bounce emails back. Most people just entered sadasdsdfgdfgdfgdfa@gmail.com or similar; the email accounts don't exist. The only authentication the forum has is password/security question, email is no good for us, even satoshi's account has an invalid email though that is likely on purpose.

Why would you need the password or anything else to accounts like sadasdsdfgdfgdfgdfa@gmail.com when you could just create the gmail account yourself and reset the pass? Once you had the list of obviously fake emails you could create any that used real providers.
AltcoinInvestor
May 25, 2015, 10:22:26 PM
Partial protection before doing any business, so as not to be scammed: ask for a signed message with an old posted & unedited address (at least 1 year old).
MsCollec
Legendary
Offline
Activity: 1400
Merit: 1000
May 25, 2015, 10:45:30 PM
More worried about virus emails
Gervais
May 25, 2015, 10:47:35 PM
> More worried about virus emails

Simple solution: don't open them. I wouldn't click on any email I didn't like the look of, especially ones that mention btc.
BrewCrewFan
May 25, 2015, 10:49:49 PM
> More worried about virus emails
> Simple solution: don't open them. I wouldn't click on any email I didn't like the look of, especially ones that mention btc.

This right here is the best advice. It's so funny, until a few years ago before I got into BTC, I had no care in the world. Now I have multicharacter passwords for everything, even my email.... funny how something like this can open your eyes.
Redones
Sr. Member
Offline
Activity: 320
Merit: 261
Web developer
May 26, 2015, 12:15:15 AM
It will be better if they could include a two factor authenticator for more security.
tarsua
May 26, 2015, 12:54:12 AM
> This is silly and a waste of time. I don't think Theymos intends to do the right thing and change all passwords to have sufficient entropy until they are reset by email, so I am going to walk away from my account and close my email previously associated with the account. The trolling and the hack was merely the straw that broke the camel's back... this forum has been going downhill for a while.
> Goodbye bitcointalk.

If you aren't back in 6 months, I'll donate all my btc to charity.
botany
Legendary
Offline
Activity: 1582
Merit: 1064
May 26, 2015, 01:20:47 AM
> More worried about virus emails

Using a different email id for bitcointalk could be a solution.
btcton
Legendary
Offline
Activity: 1288
Merit: 1007
May 26, 2015, 02:13:52 AM
I can see how many people are just going to ignore this ever even happened and are not planning to change their password. Sure, it may be hard to obtain the actual password, but it is not impossible either. I am hoping at least the most prominent users will use reason.
iCEBREAKER
Legendary
Offline
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
May 26, 2015, 03:50:27 AM Last edit: May 26, 2015, 05:36:44 AM by iCEBREAKER
> I have a feeling we will be seeing a lot of hacked accounts in the near future (abandoned but high ranked accounts for example). Stay alert guys!

Agreed, also be especially careful trading with people. Even if no one gets hacked, I foresee some people scamming, and then trying to claim they were hacked to waive their liability. Staff should give every account on the board negative default trust. After all, BadBear didn't do a fucking thing (besides make lame excuses for him) when Vod (ab)used his authority to give me a red mark for nothing other than a "possibly hacked" account. Now that all accounts are "possibly hacked" more than ever before, it's time for mass application of Vod's (staff/admin-approved) low standard.
liie888coins
Full Member
Offline
Activity: 217
Merit: 100
Part-time Altcoin Developer
May 26, 2015, 04:51:49 AM
> This is silly and a waste of time. I don't think Theymos intends to do the right thing and change all passwords to have sufficient entropy until they are reset by email, so I am going to walk away from my account and close my email previously associated with the account. The trolling and the hack was merely the straw that broke the camel's back... this forum has been going downhill for a while.
> Goodbye bitcointalk.

Well, I thought theymos should disallow users to change email for a certain period of time. When will this forum enable Google 2FA? I suppose this will help relieve some worries even if certain users may have used relatively weak passwords.
Gervais
May 26, 2015, 09:25:28 AM
> This is silly and a waste of time. I don't think Theymos intends to do the right thing and change all passwords to have sufficient entropy until they are reset by email, so I am going to walk away from my account and close my email previously associated with the account. The trolling and the hack was merely the straw that broke the camel's back... this forum has been going downhill for a while.
> Goodbye bitcointalk.
> Well, I thought theymos should disallow users to change email for a certain period of time.

That's no good for people who want to change them since they've been exposed. All those people who created fake email accounts could get socially engineered themselves, so it's vital that people are able to change them.

> When will this forum enable Google 2FA? I suppose this will help relieve some worries even if certain users may have used relatively weak passwords.

Probably have to wait for the new forum. If it was going to be implemented it likely would have been already.