Multiple Bittrex accounts hacked everyone enable 2fa

[Rune]

don't use the same password at multiple exchanges or with pools.
prob best to use something like last pass

and always use 2fa

[CosaNostra]

hmm interesting how this is turning out.
I have sort of known Ryan and chatted with him a bunch of times last few years.
And best i could tell he seemed like an honest guy.

I last talked to him i think on Cryptsy's Freenode IRC channel.
Where i do know Bittrex-Ritchie hangs out (and i believe is higher up than Ryan)

SO you *may get answers if you go on IRC and find Ritchie.

So i checked my account and it was fine and i have no 2fa either.
I also have maybe $20 worth of coins LOL

But this got me thinking if a hacker is trying multiple accounts
why has no one come forward saying they got alerts from failed login attempts ?
Like how would you know the account has 2fa or not unless you TRIED logging in?
Like i have used my email on places and i notice some attempts randomly to get into my Steam account (all failed)
Point being is i get a validation email + warning etc.

So if no one is getting any alerts then how the fuck does the hacker
know how to choose only accounts with no 2fa.. unless they work there LOL

I could work at an exchange then rip-off all kinds of guys and i would of course pick the guys with no 2fa
then i would tell them all well you got hacked noobs.. fix your Norton + updates yur Bitcointalk !

Interesting theories, i'm leaning towards, the bittrex servers being compromised, and the hacker is picking off all the accounts without 2fa with at least 1BTC in them. I think your $20 is safe lol.


On other exchanges, I get login successful or failed email notifications, not on bittrex though.

How does the attacker know if the account has 2fa? Unless they try logging on to them one by one.

Firstly, please stop trying to generate fud; its completely unproductive.  If our servers were compromised, there are way easier ways to get your money out.  It doesn't make any sense. What I can tell you is that there have been multiple accounts hacked with the same pattern, all within the last 48 hours.  I can also tell you that none of the affected accounts had logins from suspicious or unknown IPs which leads us to believe it is a rooted machine vs credential lost.  Lastly, this isn't specific to an OS based on the UA strings we've seen which points to some kind of browser plugin/toolbar.   Please crowdsource this to figure out commonalities and please turn on 2fa if you do not have it on.

Thanks
richie@bittrex

UNKNOWN_IP_LOGOFF 109.93.135.147 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-01 15:06:14.713
LOGIN 194.204.45.101 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-01 14:01:36.360

[leigh2k14]

hmm interesting how this is turning out.
I have sort of known Ryan and chatted with him a bunch of times last few years.
And best i could tell he seemed like an honest guy.

I last talked to him i think on Cryptsy's Freenode IRC channel.
Where i do know Bittrex-Ritchie hangs out (and i believe is higher up than Ryan)

SO you *may get answers if you go on IRC and find Ritchie.

So i checked my account and it was fine and i have no 2fa either.
I also have maybe $20 worth of coins LOL

But this got me thinking if a hacker is trying multiple accounts
why has no one come forward saying they got alerts from failed login attempts ?
Like how would you know the account has 2fa or not unless you TRIED logging in?
Like i have used my email on places and i notice some attempts randomly to get into my Steam account (all failed)
Point being is i get a validation email + warning etc.

So if no one is getting any alerts then how the fuck does the hacker
know how to choose only accounts with no 2fa.. unless they work there LOL

I could work at an exchange then rip-off all kinds of guys and i would of course pick the guys with no 2fa
then i would tell them all well you got hacked noobs.. fix your Norton + updates yur Bitcointalk !

Interesting theories, i'm leaning towards, the bittrex servers being compromised, and the hacker is picking off all the accounts without 2fa with at least 1BTC in them. I think your $20 is safe lol.


On other exchanges, I get login successful or failed email notifications, not on bittrex though.

How does the attacker know if the account has 2fa? Unless they try logging on to them one by one.

Firstly, please stop trying to generate fud; its completely unproductive.  If our servers were compromised, there are way easier ways to get your money out.  It doesn't make any sense. What I can tell you is that there have been multiple accounts hacked with the same pattern, all within the last 48 hours.  I can also tell you that none of the affected accounts had logins from suspicious or unknown IPs which leads us to believe it is a rooted machine vs credential lost.  Lastly, this isn't specific to an OS based on the UA strings we've seen which points to some kind of browser plugin/toolbar.   Please crowdsource this to figure out commonalities and please turn on 2fa if you do not have it on.

Thanks
richie@bittrex

UNKNOWN_IP_LOGOFF 109.93.135.147 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-01 15:06:14.713
LOGIN 194.204.45.101 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-01 14:01:36.360

I just noticed something similar on my logs:

LOGIN 87.126.174.177 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-02 11:59:37.770

That's not my browser, this is me:

LOGIN **.**.76.98 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0 2016-04-02 12:45:36.673

[CosaNostra]

I just had a thought, if this attack was initiated from my machine, then why wasn't any other of my exchange accounts effected? Why just bittrex?

Good question, indeed!
Now when I have changed all passwords, turned on 2FA all over even for my microwave, bought big pack of condoms and such, may I also ask the same: why only bittrex?

[leigh2k14]

I just had a thought, if this attack was initiated from my machine, then why wasn't any other of my exchange accounts effected? Why just bittrex?

Good question, indeed!
Now when I have changed all passwords, turned on 2FA all over even for my microwave, bought big pack of condoms and such, may I also ask the same: why only bittrex?

You might wanna double bag those condoms, just to be sure.

[illodin]

Firstly, please stop trying to generate fud; its completely unproductive.  If our servers were compromised, there are way easier ways to get your money out.  It doesn't make any sense.

Sure, but they are also ways which make it apparent the site has been compromised. If an employee does it the way described above, and cleans a few accounts every now and then and everyone blames the users getting hacked client side, he can keep low profile and keep earning a little extra on the side.

Or, a conspiracy theorist might think it's the Google's way to push people to link their identities to exchange accounts via the 2fa service.

What I can tell you is that there have been multiple accounts hacked with the same pattern, all within the last 48 hours.  I can also tell you that none of the affected accounts had logins from suspicious or unknown IPs which leads us to believe it is a rooted machine vs credential lost.

Are these unknown IPs or IPs these users usually log in from?

UNKNOWN_IP_LOGOFF 109.93.135.147 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-01 15:06:14.713
LOGIN 194.204.45.101 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-01 14:01:36.360

I just noticed something similar on my logs:

LOGIN 87.126.174.177 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-02 11:59:37.770

That's not my browser, this is me:

LOGIN **.**.76.98 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0 2016-04-02 12:45:36.673

[eaLiTy]

leigh2k14,

Did you use the same email and password for any mining pool or other sites?

No, I haven't mined for quite some time.

It's unique to bittrex.

so are you telling that your computer was hacked and that is how you lost your BTC's right . if you are having an unique password for bittrex then it is the only possible way.

[leigh2k14]

leigh2k14,

Did you use the same email and password for any mining pool or other sites?

No, I haven't mined for quite some time.

It's unique to bittrex.

so are you telling that your computer was hacked and that is how you lost your BTC's right . if you are having an unique password for bittrex then it is the only possible way.

We are still trying to establish weather it was our machines that were hacked or bittrex, having a password unique to bittrex doesn't make it un hackable.

[CosaNostra]

leigh2k14,

Did you use the same email and password for any mining pool or other sites?

No, I haven't mined for quite some time.

It's unique to bittrex.

so are you telling that your computer was hacked and that is how you lost your BTC's right . if you are having an unique password for bittrex then it is the only possible way.

We are still trying to establish weather it was our machines that were hacked or bittrex, having a password unique to bittrex doesn't make it un hackable.

I guess it's time to change the subject to "ALERT! Multiple Bittrex accounts hacked, TURN ON 2FA!!!"

[Hi7]

Don't have 2fa enabled yet, should probably do that anytime soon haha.

[Waldozaur12]

I lost 0.58 BTC on Bittrex 1 year ago . 2FA it was disabled. I have no problems when I Turn on 2fa.

[CosaNostra]

Don't have 2fa enabled yet, should probably do that anytime soon haha.

It's not haha, it's fucking serious...

[Master_dandosha]

Don't have 2fa enabled yet, should probably do that anytime soon haha.

IF you read the first post you will notice this
Lesson learned
no place for haha here

[Master_dandosha]

Don't have 2fa enabled yet, should probably do that anytime soon haha.

It's not haha, it's fucking serious...

never mind and forget about him . there are some nooob doing this every time..it is very series here for many of us because i am using bittrex for my daily trading since 2014

[shinep]

Does anyone know if it easy to disable 2FA in case you lose your phone?

[Spoetnik]

This is a weird mystery and where is the report(s) of failed login attempts.
AKA:email notifications on 2Fa users.. get it?

Apparently i am FUD'ing..
I like to call it Scientific procedure.

Being an inside job at Bittrex has not been ruled out.
Nor has Bittrex itself being hacked.
Sorry Bittrex guys but that is the truth.. your "word" is just not going to cut it.

I wish i had local access to all machines to check them out for you all.

I'd like to see the OP maybe build a profile of sorts.
Start by listing any downloaded/Compiled crypto programs such as Miners or Wallets.
And maybe list your Browser + OS too.. and if 2FA was on. (plus IP's of course)

What is it here now 3 guys that have come forward?

From the sounds of it i think the blame is either on Bittrex or the local users.
And more & more i am thinking it was a staff member behind it.
Maybe skimming account funds for ages with "you got hacked" stories.
But who ever is doing it, started doing it too much lately.

Bittrex you don't get the benefit of the doubt.. nobody in Crypto does.
That is what i call common-sense.

[leigh2k14]

Does anyone know if it easy to disable 2FA in case you lose your phone?

You need to write the private key on some paper and store it in a safe place, doesn't matter if you lose your phone then.

[chiznitz]

Does anyone know if it easy to disable 2FA in case you lose your phone?

I do pretty much all of the 2FA resets.

There are 2 options here.  When you enable 2fa we display the Secret Key. If you write that key down and keep it in a safe place you can use it to enable 2fa from a different device or a new phone when you get it.

The second option will require you to provide us with some information about your account.

Please provide us with the following information.  Note that the higher the account value, the more details we will require.
1) Recent ip addresses you have logged into site with (You can find this by visiting, https://goo.gl/X3dxsh )
2) Recent transaction ids for any withdrawals and deposits you have made to Bittrex
3) Recent balances in your account

For Accounts valued at over $1000 USD we will require additional information for proof of identity.

1) 2 forms of government identification and a selfie of you holding one of those identifications where we can match your face. Please make sure the text on your ID is readable in all photos.




Lastly, for those of you turning on 2fa, please make sure you do so from a computer that may not be compromised.  If the attacker has access to your computer they may be able to see the secret key when you turn on 2fa and add it to their own device.   So again, please make sure you are turning on 2fa from a freshly installed OS or a machine that was not possibly part of your accounts compromise.

Thanks,

Ryan @ Bittrex

[leigh2k14]

This is a weird mystery and where is the report(s) of failed login attempts.
AKA:email notifications on 2Fa users.. get it?

Apparently i am FUD'ing..
I like to call it Scientific procedure.

Being an inside job at Bittrex has not been ruled out.
Nor has Bittrex itself being hacked.
Sorry Bittrex guys but that is the truth.. your "word" is just not going to cut it.

I wish i had local access to all machines to check them out for you all.

I'd like to see the OP maybe build a profile of sorts.
Start by listing any downloaded/Compiled crypto programs such as Miners or Wallets.
And maybe list your Browser + OS too.. and if 2FA was on. (plus IP's of course)

What is it here now 3 guys that have come forward?

From the sounds of it i think the blame is either on Bittrex or the local users.
And more & more i am thinking it was a staff member behind it.
Maybe skimming account funds for ages with "you got hacked" stories.
But who ever is doing it, started doing it too much lately.

Bittrex you don't get the benefit of the doubt.. nobody in Crypto does.
That is what i call common-sense.

I hope that your theory is not true, bittrex has been a pretty solid exchange, but if it is true then it would be the end for them.

Even if it was true, how would we prove it?

[richiela]

Firstly, please stop trying to generate fud; its completely unproductive.  If our servers were compromised, there are way easier ways to get your money out.  It doesn't make any sense. What I can tell you is that there have been multiple accounts hacked with the same pattern, all within the last 48 hours.  I can also tell you that none of the affected accounts had logins from suspicious or unknown IPs which leads us to believe it is a rooted machine vs credential lost.  Lastly, this isn't specific to an OS based on the UA strings we've seen which points to some kind of browser plugin/toolbar.   Please crowdsource this to figure out commonalities and please turn on 2fa if you do not have it on.

Thanks
richie@bittrex

Looks like i was mistaken... after a couple ticket responses and going back further in some cases... there have been login from IPs unknown.  Please focus on finding a common denominator to these attacks.

@spoetnik: it is complete fud and you know it.  scientific procedures requires actual proof.  I can tell you that we have not been hacked because the ramifications would be way worse and more evident.  It is also not possible for it to be an insider because there are only 4 (3 founders + chiznitz) of us that work here. All of us have much easier ways to steal money if we wanted to.  If you have actual proof, please provide it;  if not, lets focus on a common denominator.  I'd like an answer to this as much as everyone else.

richie@bittrex