Bitcoin Forum
Author Topic: Forum database compromised?  (Read 2984 times)
kano
Legendary
Activity: 2604
Merit: 1056
Linux since 1997 RedHat 4
October 04, 2016, 08:43:09 AM
 #1

I take it that in one of the recent forum ddos's the database was hacked?

I have an email address that is only here on the forum and no where else.

Yesterday I received  spam to that email address, and the spam was bitcoin related.

My email is (and always has been) hidden.

Thus the only reason this would happen would be one of:
1) Someone guessed my forum email address (unlikely)
2) the forum database was compromised.

Most of the spam email header:

Code:
Return-Path: <nzcaurwhl@inc-hack.su>
Received: from maambacoal.com (mail.maambacoal.com [209.133.7.59] (may be forged))
by *** with ESMTP id u93LOoWp022675
for ***; Tue, 4 Oct 2016 08:24:51 +1100
Received: (qmail 30426 invoked by uid 89); 3 Oct 2016 21:24:50 -0000
Received: from unknown (HELO mail.draftcargoways.com) (webindia@maambacoal.com@209.11.159.25)
  by maambacoal.com with ESMTPA; 3 Oct 2016 21:24:50 -0000
Received: (qmail 27651 invoked by uid 89); 3 Oct 2016 21:24:48 -0000
Received: from unknown (HELO 185.125.4.158) (chef@radissongrt.com@185.125.4.158)
  by mail.draftcargoways.com with ESMTPA; 3 Oct 2016 21:24:48 -0000
Message-ID: <C63C755A77A38D2EF2F7BE032782C124@185.125.4.158>
Reply-To: "Bitcoin Market" <admin@inc-hack.su>
From: "Bitcoin Market" <nzcaurwhl@inc-hack.su>
To: ***
Subject: Samsung S6 Edge = 99$ (Black market Haacking)
Date: Mon, 3 Oct 2016 23:24:47 -0700
Organization: Bitcoin Market
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_17AB_01D21DCD.550BE5F0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416

Pool: https://kano.is Here on Bitcointalk: Forum BTC: 1KanoPb8cKYqNrswjaA8cRDk4FAS9eDMLU
FreeNode IRC: irc.freenode.net channel #kano.is Majority developer of the ckpool code
Help keep Bitcoin secure by mining on pools with full block verification on all blocks - and NO empty blocks!
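Reading the Received: chain of a header like the one quoted above, as an added example (not the forum's or the poster's code): the input is constructed from the quoted headers with continuation lines indented so they fold per RFC 5322, and the checks flag the hop the receiver marked as possibly forged, the relays that accepted the mail after SMTP AUTH, how far the Date: header runs ahead of the first Received: stamp, and a From: domain that never appears anywhere in the delivery path.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed input: the headers quoted in the first post, with continuation
# lines indented so they fold per RFC 5322; "***" redactions kept as posted.
RAW_HEADERS = """\
Return-Path: <nzcaurwhl@inc-hack.su>
Received: from maambacoal.com (mail.maambacoal.com [209.133.7.59] (may be forged))
 by *** with ESMTP id u93LOoWp022675
 for ***; Tue, 4 Oct 2016 08:24:51 +1100
Received: (qmail 30426 invoked by uid 89); 3 Oct 2016 21:24:50 -0000
Received: from unknown (HELO mail.draftcargoways.com) (webindia@maambacoal.com@209.11.159.25)
 by maambacoal.com with ESMTPA; 3 Oct 2016 21:24:50 -0000
Received: (qmail 27651 invoked by uid 89); 3 Oct 2016 21:24:48 -0000
Received: from unknown (HELO 185.125.4.158) (chef@radissongrt.com@185.125.4.158)
 by mail.draftcargoways.com with ESMTPA; 3 Oct 2016 21:24:48 -0000
From: "Bitcoin Market" <nzcaurwhl@inc-hack.su>
Date: Mon, 3 Oct 2016 23:24:47 -0700
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOP_RE = re.compile(r"\bfrom\s+(\S+)(.*?)\bby\s+(\S+)")

def parse_hop(value):
    """One Received: value -> hop dict; None for qmail's local handoff lines."""
    value = " ".join(value.split())  # unfold and squeeze whitespace
    m = HOP_RE.search(value)
    if not m:
        return None
    from_host, extra, by_host = m.groups()
    helo = re.search(r"HELO\s+([^\s)]+)", extra)
    return {
        "from": from_host,
        "helo": helo.group(1) if helo else from_host,
        "ips": list(dict.fromkeys(IP_RE.findall(extra))),
        "by": by_host,
        # "with ESMTPA" (RFC 3848): the relay accepted the mail after SMTP AUTH,
        # so an account on that relay was used to inject it.
        "authenticated": " with ESMTPA" in value,
        "forged": "may be forged" in extra,  # receiver's own reverse-DNS warning
        "time": value.rsplit(";", 1)[1].strip() if ";" in value else None,
    }

def trace(raw):
    """Hops in transit order: each relay prepends its Received:, so the bottom one is first."""
    hops = [parse_hop(v) for v in message_from_string(raw).get_all("Received", [])]
    return [h for h in reversed(hops) if h]

def _utc(stamp):
    d = parsedate_to_datetime(stamp)
    return d if d.tzinfo else d.replace(tzinfo=timezone.utc)  # "-0000" parses naive

def date_skew_seconds(raw):
    """How far Date: runs ahead of the earliest Received: stamp (positive = future-dated)."""
    return int((_utc(message_from_string(raw)["Date"]) - _utc(trace(raw)[0]["time"])).total_seconds())

def header_domain(raw, name):
    """Domain part of an address header such as From: or Reply-To:."""
    return parseaddr(message_from_string(raw)[name])[1].rpartition("@")[2]

def domain_in_path(raw, domain):
    """Whether any relay that handled the message belongs to `domain`."""
    hosts = {h[k] for h in trace(raw) for k in ("from", "helo", "by")}
    return any(x == domain or x.endswith("." + domain) for x in hosts)
```

On this sample the first hop is injected at 185.125.4.158 through two authenticated relays, the Date: header sits almost nine hours after the message was already received, and the From: domain is nowhere in the path.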
SaltySpitoon
Legendary
Activity: 1918
Merit: 1108
Welcome to the SaltySpitoon, how Tough are ya?
October 04, 2016, 09:00:25 AM
 #2

To my knowledge, the recent DDOS attacks were just annoying. I haven't heard anything from Theymos about a security breach or potential security breach. If one had happened, or even if there was the slightest suspicion that someone could have gained access to any forum private information, Theymos would have warned everyone and asked that they changed their account details.

altcoinhosting
Hero Member
Activity: 840
Merit: 1000
October 04, 2016, 09:04:11 AM
 #3

A DDOS has nothing to do with potential security breaches... The "hackers" just send so many requests a service stops responding... Hence the name "Distributed Denial Of Service" Wink

Stealing database information is something completely different, and since Theymos only reported a DDOS, i don't think there should be a problem.

The database was leaked over a year ago though... Do you still have the same email on file as you did a year ago? If this is the case, they just might have started sending spam emails to the database they got back then (but this is old news).

 

                                       
A!
Full Member
Activity: 155
Merit: 100
October 04, 2016, 09:13:31 AM
 #4

When did you start using your email? It is general knowledge that the forum database was compromised a couple of times in the past.

BitHodler
Legendary
Activity: 1050
Merit: 1068
October 04, 2016, 10:29:09 AM
 #5

If they got your email due to the database being hacked, then they most likely would mass send their spam to extend their possible reach.

So far I have not received any email spam since the very beginning of me joining here.

What also happens is that spam mail bots simply send out made up emails to people in the hope they guess them right.

For example, they send emails to fatjoe1@outlook.com, fatjoe2@outlook.com and the list goes on.

All in the hope that one or more of these mails are guessed correctly.

kano
Legendary
Activity: 2604
Merit: 1056
Linux since 1997 RedHat 4
October 04, 2016, 10:36:11 AM
 #6

Quote from: BitHodler
If they got your email due to the database being hacked, then they most likely would mass send their spam to extend their possible reach.

So far I have not received any email spam since the very beginning of me joining here.

What also happens is that spam mail bots simply send out made up emails to people in the hope they guess them right.

For example, they send emails to fatjoe1@outlook.com, fatjoe2@outlook.com and the list goes on.

All in the hope that one or more of these mails are guessed correctly.

Nah, I run my own email servers - definitely not found by guessing - I'd see the other attempts.
However, it is the same email I've had here for 5 years, but the first time I've had spam sent to it.

But yes my comment about DDoS was of course implying that it wasn't Smiley

Ah well, I have about 700 email addresses for this reason, time to close this one and create another new one ...
... and I've again received that spam twice more in the last couple of hours Tongue

Pool: https://kano.is Here on Bitcointalk: Forum BTC: 1KanoPb8cKYqNrswjaA8cRDk4FAS9eDMLU
FreeNode IRC: irc.freenode.net channel #kano.is Majority developer of the ckpool code
Help keep Bitcoin secure by mining on pools with full block verification on all blocks - and NO empty blocks!
DarkStar_
Legendary
Activity: 1120
Merit: 1427
*dabs*
October 04, 2016, 01:54:02 PM
 #7

Quote from: kano
Nah, I run my own email servers - definitely not found by guessing - I'd see the other attempts.
However, it is the same email I've had here for 5 years, but the first time I've had spam sent to it.

If you have had the email on your bitcointalk profile (even hidden counts), then it was probably in the forum data breach from 2015. I don't think it was very easily obtainable/required a payment to get it until recently, since I've noticed that sites like leakedsource have added the database. I suggest searching for your email in https://www.leakedsource.com/ and seeing if it is from that leak.

deisik
Legendary
Activity: 1722
Merit: 1058
English ⬄ Russian Translation Services
October 04, 2016, 03:26:08 PM
 #8

Quote from: kano
Quote from: BitHodler
If they got your email due to the database being hacked, then they most likely would mass send their spam to extend their possible reach.

So far I have not received any email spam since the very beginning of me joining here.

What also happens is that spam mail bots simply send out made up emails to people in the hope they guess them right.

For example, they send emails to fatjoe1@outlook.com, fatjoe2@outlook.com and the list goes on.

All in the hope that one or more of these mails are guessed correctly.
Nah, I run my own email servers - definitely not found by guessing - I'd see the other attempts.
However, it is the same email I've had here for 5 years, but the first time I've had spam sent to it.

If you run your own mail servers, could one of them get compromised somehow giving out your email addresses? Also, are you absolutely sure that you didn't share this email somewhere yourself? I've seen a lot of cases when people did something and then honestly claimed that they didn't do that only to get greatly surprised to find out later that it was actually them...

How old are you? Just kidding, lol
kano
Legendary
Activity: 2604
Merit: 1056
Linux since 1997 RedHat 4
October 05, 2016, 03:28:54 AM
 #9

Quote from: deisik
Quote from: kano
Quote from: BitHodler
If they got your email due to the database being hacked, then they most likely would mass send their spam to extend their possible reach.

So far I have not received any email spam since the very beginning of me joining here.

What also happens is that spam mail bots simply send out made up emails to people in the hope they guess them right.

For example, they send emails to fatjoe1@outlook.com, fatjoe2@outlook.com and the list goes on.

All in the hope that one or more of these mails are guessed correctly.
Nah, I run my own email servers - definitely not found by guessing - I'd see the other attempts.
However, it is the same email I've had here for 5 years, but the first time I've had spam sent to it.

If you run your own mail servers, could one of them get compromised somehow giving out your email addresses? Also, are you absolutely sure that you didn't share this email somewhere yourself? I've seen a lot of cases when people did something and then honestly claimed that they didn't do that only to get greatly surprised to find out later that it was actually them...

How old are you? Just kidding, lol

None of the many email servers I've been running for the last 15 years has yet been compromised.
I did once have a computer at home running linux, compromised once ... back around 1998.

Lulz I guess you mistakenly give your email address out Tongue

As I said above, I have over 700 (with many domains I own), coz each one only gets given to one place.
Helps with spam a lot - easy to delete one email address without affecting anything else - and know who was compromised.

I had 3 addresses on adobe and yep those 3 got spam soon after adobe was compromised a while back.
I had one on the bfl web site that got spam, though they probably sold the email list Tongue
Probably had half a dozen places in the last 5 years where the sites have either been compromised or given out their address list ...

But fortunately in each case I simply have to delete the address with zero care.
I keep a few very old addresses that get spam, for filter training - they get something of the order of 500 spam messages each day.

Pool: https://kano.is Here on Bitcointalk: Forum BTC: 1KanoPb8cKYqNrswjaA8cRDk4FAS9eDMLU
FreeNode IRC: irc.freenode.net channel #kano.is Majority developer of the ckpool code
Help keep Bitcoin secure by mining on pools with full block verification on all blocks - and NO empty blocks!
Zosuda
Member
Activity: 92
Merit: 10
October 05, 2016, 07:18:28 AM
 #10

A DDoS attack and they stole accounts? That's impossible, right?
vino.gcs
Member
Activity: 84
Merit: 10
October 05, 2016, 07:36:11 AM
 #11

D-DOS has nothing to do with database compromise. D-DOS is just trick of newbies to try to overflow the server's bandwidth. It's not even level 1 security breach.
justspare
Hero Member
Activity: 882
Merit: 525
One of the world's leading Bitcoin-powered casinos
October 05, 2016, 10:08:31 AM
 #12

Quote from: SaltySpitoon
To my knowledge, the recent DDOS attacks were just annoying. I haven't heard anything from Theymos about a security breach or potential security breach. If one had happened, or even if there was the slightest suspicion that someone could have gained access to any forum private information, Theymos would have warned everyone and asked that they changed their account details.
So it's just people trying to be idiots and annoy the people on this forum. If there was no security threat then I don't even know why we are talking about it.

ryanc
Member
Activity: 103
Merit: 40
October 05, 2016, 02:18:23 PM
 #13

I am also seeing this. I use a unique email address that is a long string of random alphanumeric characters - too many to guess. It was added to my bitcoin talk account February 2013.

One from "BitCoin-Carrding" admin@ink-hack.su, and just now 'Eden Smizaski invited you to view the file "WorldPay_Trade_Report_-_ September 2016.zip" on Dropbox.' which is a zipfile full of nasty obfuscated javascript.
maurits150
Newbie
Activity: 7
Merit: 0
October 05, 2016, 02:26:52 PM
 #14

Quote from: ryanc
I am also seeing this. I use a unique email address that is a long string of random alphanumeric characters - too many to guess. It was added to my bitcoin talk account February 2013.

One from "BitCoin-Carrding" admin@ink-hack.su, and just now 'Eden Smizaski invited you to view the file "WorldPay_Trade_Report_-_ September 2016.zip" on Dropbox.' which is a zipfile full of nasty obfuscated javascript.

Can confirm, got the same email to a 100% unique email address. I can guarantee you that this email was not used anywhere else.

Database was definitely compromised. (probably the 2015 hack) and finally spreading now.

https://maurits.tv/data/img/October%202016/2016-10-05_16-24-56_Gca8ETgZXI.png
Atomicat
Hero Member
Activity: 868
Merit: 1000
October 05, 2016, 02:47:04 PM
 #15

It is always a good practice to change your password if you believe that the forum database was compromised.

IIRC, Theymos is using doublesha256 to store the password in the database so if your password is pretty decent it would be a long time before it's compromised.
ryanc
Member
Activity: 103
Merit: 40
October 05, 2016, 03:08:21 PM
 #16

Quote from: Atomicat
IIRC, Theymos is using doublesha256 to store the password in the database so if your password is pretty decent it would be a long time before it's compromised.

That would be *very* weak as a password hashing algorithm, and I doubt this is true. Simple Machines Forum seems to use salted sha1 as the default.

Edit: On LeakedSource, it says very old passwords were hashed with md5 and newer ones were hashed with sha256crypt (which is salted and slow).
Atomicat
Hero Member
Activity: 868
Merit: 1000
October 05, 2016, 03:22:09 PM
 #17

Quote from: ryanc
Quote from: Atomicat
IIRC, Theymos is using doublesha256 to store the password in the database so if your password is pretty decent it would be a long time before it's compromised.

That would be *very* weak as a password hashing algorithm, and I doubt this is true. Simple Machines Forum seems to use salted sha1 as the default.

Edit: On LeakedSource, it says very old passwords were hashed with md5 and newer ones were hashed with sha256crypt (which is salted and slow).
IIRC, Theymos reset the passwords of very old accounts and the only way to get back access is via email.

It's highly probable that Theymos reset the passwords of accounts without salt too, or accounts using the old hashing algorithm.
SaltySpitoon
Legendary
Activity: 1918
Merit: 1108
Welcome to the SaltySpitoon, how Tough are ya?
October 05, 2016, 03:39:48 PM
 #18

This is all in relation to the 2015 database leak, there hasn't been any compromise lately:
Quote from: theymos
Passwords are hashed with 7500 rounds of sha256crypt and a unique salt per password (roughly equivalent to bcrypt with work=12.8). This is very strong. But nothing's going to stop extremely weak passwords from being broken.

Theymos has mentioned the possibility that other Bitcoin related sites and services may have had their databases leaked as well, and those with the same emails and passwords as here would have been compromised. As he said above, the passwords are encrypted pretty well. 

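The hashing named in #16 and in the theymos quote above, as an added example rather than forum or theymos code: this implements sha256crypt ($5$) from Drepper's SHA-crypt specification, which glibc follows, so "7500 rounds of sha256crypt and a unique salt per password" can be run concretely beside the unsalted double SHA-256 guessed in #15. The salt strings are constructed, and the quoted bcrypt-equivalence figure is not checked here.

```python
import hashlib

# crypt-style alphabet: "./", digits, upper, lower (not standard base64).
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def double_sha256(password):
    """Unsalted SHA-256(SHA-256(pw)) as guessed in #15: every user with the
    same password gets the same value, so one precomputed table hits them all."""
    return hashlib.sha256(hashlib.sha256(password.encode()).digest()).hexdigest()


def _fill(digest, length):
    """Repeat a 32-byte digest to exactly `length` bytes (spec steps 10 and 14)."""
    return (digest * (length // 32 + 1))[:length]


def sha256crypt(password, salt, rounds=5000):
    """sha256crypt ($5$) per Drepper's SHA-crypt spec, as glibc implements it;
    returns the full "$5$[rounds=N$]salt$hash" string a database would store."""
    pw = password.encode()
    salt = salt.encode()[:16]                      # salt is at most 16 chars
    rounds = min(max(rounds, 1000), 999_999_999)   # spec clamps the round count
    b = hashlib.sha256(pw + salt + pw).digest()    # digest B: pw, salt, pw
    a = hashlib.sha256(pw + salt)                  # digest A, seeded with B
    a.update(_fill(b, len(pw)))
    n = len(pw)
    while n:                                       # bits of len(pw), LSB first
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    # P and S: password- and salt-derived byte strings mixed into every round.
    p = _fill(hashlib.sha256(pw * len(pw)).digest(), len(pw))
    s = _fill(hashlib.sha256(salt * (16 + a[0])).digest(), len(salt))
    c = a
    for i in range(rounds):                        # the slow, tunable part
        h = hashlib.sha256(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    # Encode 24-bit groups in the spec's permuted byte order, 6 bits at a time.
    order = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
             (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    out = []
    for b2, b1, b0 in order:
        w = (c[b2] << 16) | (c[b1] << 8) | c[b0]
        out.append("".join(B64[(w >> 6 * k) & 0x3F] for k in range(4)))
    w = (c[31] << 8) | c[30]                       # last two bytes, 3 chars
    out.append("".join(B64[(w >> 6 * k) & 0x3F] for k in range(3)))
    prefix = "$5$" if rounds == 5000 else f"$5$rounds={rounds}$"
    return prefix + salt.decode() + "$" + "".join(out)
```

The first assertion below is the specification's own test vector, so a passing run confirms the implementation matches what glibc would store; the per-user salt is what stops a single table from covering every account.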
Decoded
Legendary
Activity: 1078
Merit: 1013
lllllllllllll
October 06, 2016, 04:11:42 AM
 #19

Quote from: ryanc
Quote from: Atomicat
IIRC, Theymos is using doublesha256 to store the password in the database so if your password is pretty decent it would be a long time before it's compromised.

That would be *very* weak as a password hashing algorithm, and I doubt this is true. Simple Machines Forum seems to use salted sha1 as the default.

Edit: On LeakedSource, it says very old passwords were hashed with md5 and newer ones were hashed with sha256crypt (which is salted and slow).

I remember Theymos saying somewhere that he heavily invested (40 bitcoin) in setting up extremely strong password hashing.

Passwords definitely not stored in plaintext, then Smiley
ryanc
Member
Activity: 103
Merit: 40
October 06, 2016, 02:08:00 PM
 #20

Overnight, I got the same email to both my butterfly labs email address and bitcointalk address.