I have hardly played quiet... I've been in here every day trying to help figure out how < 10 accounts got compromised; but at this point, it is not productive nor a good use of my time. Feel free to have the authorities contact us.
thanks,
richie
Could you please tell me how exactly you did this, except sending everyone logs with the same info?
All right, you say that you guys are experts in security.
First you say that all IPs were known and usual for the users, while even in the logs it shows as Unknown IP.
So, after TWO DAYS you said that you were mistaken and IPs were unknown.
First you say that there were multiple accounts hacked, and then you say it was a couple, now you say you don't care, because less than 10 accounts got compromised. You would feel better, if we would be talking about 1000+ accounts?
I guess I should repeat my questions here:
How many accounts are compromised out there? Is that multiple or a couple?
Do these accounts have anything in common except the absence of 2FA?
Are all the accounts of the attacker new, or did he use some old accounts?
Are all the IPs of the attacker different each time?
What coins and exact BTC/alts addresses were used to withdraw the funds?
Why in your opinion only Bittrex accounts were compromised?
Now, the most important question:
Why haven't you enforced 2FA, published any alerts, or introduced email notifications on each login/trade?
When people say you played quiet, they mean that you did nothing to prevent more people from losing their money.
No announcements, no alerts, no e-mail notifications... Nothing!
Have you put your exchange into maintenance mode or paused the trades? No!
Why? Because I guess you care more about your profits, not people!
You were silently watching people being robbed all these days.
That's all I wanted to say about it.
Ryan Hentz (Bittrex)
Apr 2, 19:08
Hi,
Our records show that all orders placed on your account were done so from your typical login ip. This means the attacker somehow has access to your machine. Have you installed any new software recently? This includes things like browser plugins.
The attacker also immediately withdrew the coins from his account via the api. There is no way to recover the funds.
Please make sure to enable 2fa to protect your account from being breached in this way.
Thank you,
Ryan
Firstly, please stop trying to generate FUD; it's completely unproductive. If our servers were compromised, there are way easier ways to get your money out. It doesn't make any sense. What I can tell you is that there have been multiple accounts hacked with the same pattern, all within the last 48 hours. I can also tell you that none of the affected accounts had logins from suspicious or unknown IPs, which leads us to believe it is a rooted machine vs. credentials lost. Lastly, this isn't specific to an OS based on the UA strings we've seen, which points to some kind of browser plugin/toolbar. Please crowdsource this to figure out commonalities and please turn on 2FA if you do not have it on.
Thanks
richie@bittrex
Looks like I was mistaken... after a couple of ticket responses and going back further in some cases... there have been logins from unknown IPs. Please focus on finding a common denominator to these attacks.
richie@bittrex
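The two posts above hinge on one check: whether the trades on a drained account came from an IP the account had logged in from before (pointing at a compromised machine) or from an IP never seen for that account (pointing at lost credentials), and whether an API withdrawal from another account followed the trades from the same IP. The script below is an added example, not code from Bittrex or from anyone in this thread; it runs that triage over a constructed log excerpt (accounts, IPs, timestamps and UA strings are all made up) and labels each flagged trade with the hypothesis the thread attaches to that evidence.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the thread).
# Fields: timestamp, account, event, source IP, user agent.
SAMPLE_LOG = """\
2017-04-01T10:00:00 alice login 203.0.113.5 Mozilla/5.0 (Windows)
2017-04-01T10:05:00 alice trade 203.0.113.5 Mozilla/5.0 (Windows)
2017-04-02T03:00:00 alice login 198.51.100.7 Mozilla/5.0 (Macintosh)
2017-04-02T03:01:00 alice trade 198.51.100.7 Mozilla/5.0 (Macintosh)
2017-04-02T03:02:00 mallory api_withdraw 198.51.100.7 python-requests/2.13
2017-04-01T09:00:00 bob login 192.0.2.10 Mozilla/5.0 (X11; Linux)
2017-04-02T04:00:00 bob trade 192.0.2.10 Mozilla/5.0 (X11; Linux)
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def parse(log_text):
    """Parse log lines into dicts, sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, account, event, ip, ua = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "event": event, "ip": ip, "ua": ua})
    return sorted(events, key=lambda e: e["ts"])


def baseline_ips(events, cutoff):
    """IPs each account logged in from before the incident window started."""
    known = defaultdict(set)
    for e in events:
        if e["event"] == "login" and e["ts"] < cutoff:
            known[e["account"]].add(e["ip"])
    return known


def triage(log_text, cutoff, withdraw_window=timedelta(minutes=10)):
    """For every trade inside the incident window, report whether the source IP
    was already known for that account and which other accounts withdrew via
    the API from the same IP shortly afterwards."""
    events = parse(log_text)
    known = baseline_ips(events, cutoff)
    findings = []
    for i, e in enumerate(events):
        if e["event"] != "trade" or e["ts"] < cutoff:
            continue
        ip_known = e["ip"] in known[e["account"]]
        linked = [o["account"] for o in events[i + 1:]
                  if o["event"] == "api_withdraw"
                  and o["ip"] == e["ip"]
                  and o["account"] != e["account"]
                  and o["ts"] - e["ts"] <= withdraw_window]
        findings.append({
            "account": e["account"],
            "ip": e["ip"],
            "ip_known": ip_known,
            # Labels follow the two explanations offered in the thread.
            "hypothesis": ("local compromise (malware/plugin)" if ip_known
                           else "credentials lost / unknown IP"),
            "linked_withdrawals": linked,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, datetime(2017, 4, 2)):
        print(f)
```

With the constructed log, alice's trade on 2 April comes from an IP never seen on her account and is followed one minute later by an API withdrawal from the same IP by a different account, while bob's trade comes from his usual IP with no linked withdrawal. The cutoff is the start of the incident window; anything before it is treated as the account's normal history, so the check is only as good as the history available, which is exactly why the picture changed once tickets were reviewed "going back further".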
2) Your logic about malware is flawed. Do you think if any of our servers were compromised in any way, all you would see is a couple of non-2fa'd account drained using a bad trading method? It doesn't make sense.
3) Lastly, I am not calling our users noobs, but we collectively are the experts here when it comes to security and how exchanges work. I'm not sure how anyone can claim something different when it comes to how an exchange works. I also get paid to do security for a living - I assert, rightly or wrongly, I do know more about this topic than most people.
When faced with a problem, the most obvious answer is usually the right one once you have ruled out the others. Instead of wasting our time with this entire line of discussion, I'd rather have users figure out what the common denominator is and narrow down what caused this. There's an obvious pattern; I'd like to find it.
-richie@bittrex