Brain Wallet hacked, suspect bitcoin talk hackers.

[LiteCoinGuy]

Hi everyone,

This serves as another lesson to make your brain wallets silly hard to hack.

My Brain wallet, in the form of example123example123example123 (example123 was my bitcoin talk password,) was hacked resulting in the loss of 12btc I had freshly put in there. Before I noticed it was hacked I sent another 7btc there and luckily got it out before the hacker did.

This was my brain wallet 17z2uppQS9fyag5KtbQ6KNiCBrNSL1z64r

This is the Hackers wallet, with the funds in it at the time of writing 153h8BH61rQgfyujZjJqjQNSsRK2Hsaf3A


The community might take interest in this address as the hackers of bitcoin talk are prime suspects.

Its crazy, is this guy lucky or is it really that easy to hack brain wallets??

Take care!

you could buy a hardware wallet, that is safer than your password:

https://bitcointalk.org/index.php?topic=899253.0

[1715117349]

1715117349

[1715117349]

1715117349

[1715117349]

1715117349

[Light]

That sounds bad, but I dont understand how it could get around root access in linux? it is not a simple mission to do anything like that surely??

I'm not an expert on Linux security - but IIRC linux is incredibly well locked down in terms of user privileges - far more so than Windows. As long as you don't run around as a superuser account all day, generally even if malware gets in you should be ok. Not to mention that it is rather rare for malware to target Linux given that it is used by such a small percentage of people. I do think it more likely that the hacker managed to access your coins via working out your password then bruteforcing brain wallets.

[thejaytiesto]

That sounds bad, but I dont understand how it could get around root access in linux? it is not a simple mission to do anything like that surely??

I'm not an expert on Linux security - but IIRC linux is incredibly well locked down in terms of user privileges - far more so than Windows. As long as you don't run around as a superuser account all day, generally even if malware gets in you should be ok. Not to mention that it is rather rare for malware to target Linux given that it is used by such a small percentage of people. I do think it more likely that the hacker managed to access your coins via working out your password then bruteforcing brain wallets.

There's no way someone randomly typed out the password. You either find out or bruteforce it. Now, he sad he was using the same password that he uses here, but x3 for his brainwallet... that's pretty much it IMO. You should never use the same password twice, specially passwords you use in public forums.

[LFC_Bitcoin]

I'm sorry to hear that chessnut, it sucks tbh.
It makes me a bit angry & a little deflated to hear stuff like this.
No matter what we do & how well secure we've made our coins people always seem to find a way to steal some.
You've been really unlucky, it could have been any of us.
I don't know what to say apart from I'm sorry for your monetary loss mate, people you can never be 100% secure but please do everything you can to look after your coins, you can't leave any stone unturned.

[NorrisK]

Maybe the entropy was just too low?

If say your password was 8 random characters and you repeat this 3 times, a hacker could just do all random possibilities containing up to 8 characters (still quite a bit) and past it 2 more times behind it.

[jonald_fyookball]

After this experience you should go to the highest level of security,
which is true cold storage.  You generate your keys on a machine
that has never been online and never will be, and use physical
coins/dice to generate entropy. 

Well, the Winklevoss brothers use Brain Wallet, or at last that's what i've seen on the latest interview. I would never store all of my wallets on a brain walled tho, just "spending money" like you do with Mycellium etc (im hoping no one stores their main stack Mycellium..)

You can still use a brain wallet with cold storage.

The point is, you 1) generate and store your keys in an unhackable way and 2) make sure they have enough entropy.
OP failed to do at least one of those two things.

[snarlpill]

I am very sorry to hear this happened to you, it is an unusually shitty circumstance.

I haven't read the whole thread, so this may have been mentioned, but I saw you said you weren't very computer savvy: You don't have to mess with Github at all, but if you want to use bitaddress.org, go to the options on say Chrome browser and click "Download Webpage". Download it as a complete webpage, then disconnect your computer from the Internet, open the file in your web browser, and then generate your desired amount of addresses while disconnected from the Internet. It is the best way I can recommend to anybody who is not really computer savvy; it is pretty simple for I think anyone to do.

[LiteCoinGuy]

maybe you should ask your brother where your BTC are, or your friend?  i guess you shared the password with them. or you downloaded some shady stuff...


but Linux and bruteforce seems to be pretty unlikely  

[spazzdla]

If your passphrase has EVER.. EVEN ONCE been typed into the web.

YOU SHOULD CONSIDER YOUR BITCOINS OUT OF YOUR CONTROL...

The same password as your bitcoin talk... you knew it got hacked and didn't act..?!?!?!?!?

[S4VV4S]

I am very sorry to hear this happened to you, it is an unusually shitty circumstance.

I haven't read the whole thread, so this may have been mentioned, but I saw you said you weren't very computer savvy: You don't have to mess with Github at all, but if you want to use bitaddress.org, go to the options on say Chrome browser and click "Download Webpage". Download it as a complete webpage, then disconnect your computer from the Internet, open the file in your web browser, and then generate your desired amount of addresses while disconnected from the Internet. It is the best way I can recommend to anybody who is not really computer savvy; it is pretty simple for I think anyone to do.

I wouldn't do that on a computer that has/had computer access - at any time.
Temporarily disconnecting from the internet will not work.

The address generation should be done on a PC that has never and will never connect to the internet.
In fact, once you have created your address, format and re-format a couple of more times.
(and even then, data can still be recovered)

[Beliathon]

to use or not to use brain wallet I think is a careful choice you need brainpower to make.

A safe rule: If you're unsure whether or not you're savvy enough to use it correctly, you're not savvy enough to use it correctly. You should have absolutely no doubt in your mind when you commit wealth to your chosen form of cold storage.

[virtualx]

If your passphrase has EVER.. EVEN ONCE been typed into the web.

YOU SHOULD CONSIDER YOUR BITCOINS OUT OF YOUR CONTROL...

The same password as your bitcoin talk... you knew it got hacked and didn't act..?!?!?!?!?

This is a good practice. One should not be share a password all across the web or to use brainwallet passwords as forum/email passwords.

[Klestin]

to use or not to use brain wallet I think is a careful choice you need brainpower to make.

A safe rule: If you're unsure whether or not you're savvy enough to use it correctly, you're not savvy enough to use it correctly. You should have absolutely no doubt in your mind when you commit wealth to your chosen form of cold storage.

This.

If you "picked" the brain wallet passphrase, it is not good enough and will be cracked.  Use (at a bare minimum) 12 random words.  15 would be better.  

Not "words I picked at random", but really (truly) randomly selected.  Words selected with dice from an appropriate list will work fine.  

Be aware that the computer you use to generate the wallet must be secure, and the page you use must be offline.  

If you're not sure of any of these factors, your funds are as good as gone.  Use a trezor.

[odolvlobo]

Your bitcointalk password is very weak, so it could have been cracked in a short amount of time, but I don't see how anyone could have known that your bitcointalk password was the basis for a brainwallet passphrase. That seems extremely unlikely.

It is much more likely that the hash of "example123", plus variations (such as "example123example123example123"), have been precomputed by the hacker. You can probably store hashes of the 1 million most common passwords with 1000 variations each in less than 100 GB, and looking up a hash might only take a few seconds.

[Cruxer]

This same password in the form of 'passwordpasswordpassword' was my brain wallet. Its a pretty random password, I dont believe it was brute force hacked. Im really baffled, I think it must have been the bitcoin talk hacker targeting me. There is also a chance it was bitaddress.org that was compromised but Ive never had that trouble before.

I can't think of a reason hacker would crack your password and then try to use it as brain wallet while copying it two times (passpasspass).
How to get to idea that someone could use password as brainwallet ; o

[Klestin]

It is much more likely that the hash of "example123", plus variations (such as "example123example123example123"), have been precomputed by the hacker. You can probably store hashes of the 1 million most common passwords with 1000 variations each in less than 100 GB, and looking up a hash might only take a few seconds.

That's the way rainbow tables work to crack a password table.  However, with hashing hardware running as fast as it does currently, it's far faster to compute the hashes as they go, rather than look up in a table.  They can try billions of hashes per second.

[moriartybitcoin]

brain wallets are not secure unless you can remember 128bit password .. even then, i wouldn't trust them

[Klestin]

I can't think of a reason hacker would crack your password and then try to use it as brain wallet while copying it two times (passpasspass).
How to get to idea that someone could use password as brainwallet ; o

They don't have to.  Since they can try billions of hashes per second, per machine, they have the luxury to try just about anything.  If you don't have 100+ bits of entropy in your pass phrase, you are hosed.

[chessnut]

Thanks for all the helpful comments guys,

What I find quite ironic though is that Ive left a paper wallet in plain view as my facebook profile picture. It has 0.1btc in it and been there for months with no trouble! I guess that sort of thing might give one the wrong impression about wallet security.

Now the race is on to find my facebook profile 

[chessnut]

you could buy a hardware wallet, that is safer than your password:
https://bitcointalk.org/index.php?topic=899253.0

This is interesting, some nice looking units there. I would like one that I could store a brain wallet on (a proper one!). I have a phobia that my house will burn down (for example) and I will lose all my paper wallets and computer memory with my passwords to my backups etc... I think that is the beauty of a brain wallet, even if you lose everything you still have a chance to get your btc back, and if you make it special to you, maybe your family could  still get the bitcoin if you die.

That sounds bad, but I dont understand how it could get around root access in linux? it is not a simple mission to do anything like that surely??

I'm not an expert on Linux security - but IIRC linux is incredibly well locked down in terms of user privileges - far more so than Windows. As long as you don't run around as a superuser account all day, generally even if malware gets in you should be ok. Not to mention that it is rather rare for malware to target Linux given that it is used by such a small percentage of people. I do think it more likely that the hacker managed to access your coins via working out your password then bruteforcing brain wallets.

I have since generated a stronger brain wallet on my computer and baited it with some btc..... no trouble at all. Ive been using linux for about 8 years now, my dad got me into it, and we havent had a single problem with viruses or any kind of compromise as far as I know. I really dont think my computer is compromised.

I'm sorry to hear that chessnut, it sucks tbh.
It makes me a bit angry & a little deflated to hear stuff like this.
No matter what we do & how well secure we've made our coins people always seem to find a way to steal some.
You've been really unlucky, it could have been any of us.
I don't know what to say apart from I'm sorry for your monetary loss mate, people you can never be 100% secure but please do everything you can to look after your coins, you can't leave any stone unturned.

Yeah, learning the kind of power these guys have to crack passwords is nerve wrecking. I would have thought that it wouldnt be economical to even try when you get to password sizes like the one I was using, even when it is repeated. I dont understand the work it must take to go through billions of combinations, hash them all into private keys, and then rake all those billions of wallets all day long.

I wonder if bitcoin mining technology is making this possible where it wasn't before?