Here is what happened for those who want to read:
So here is the deal, I was renting hash for Zcash and Zclassic for the past couple of days. I had 0.24 btc left in my account. Today I decided to check my account and saw that there was an open order that wasn't by me.
The hacker put a 2fa code, WHICH CAN'T BE DONE WITH EMAIL CONFIRMATION ANYWHERE IN THE WORLD EXCEPT THE POORLY CODED NICEHASH INTERFACE, and I was unable to withdraw my btc immediately. I changed my password from a fresh computer due to the risk of having a keylogger on my computer.
GUESS WHAT?! Poorly coded nicehash website didn't force previously logged in people to logout after a password reset. What a joke?! Is this 2001 dial up internet years all over again?
So, while I thought I was safe because I changed my password and the regular website behaviour is to force everyone else out that is logged in with the previous password, I went to bed. Woke up to see if nicehash responded to my email.
They asked me to send a certain amount of btc to my deposit address to verify it's actually me. And I did. Then I wanted to check if my deposit was in the wallet page.
I noticed my 0.22 was fully gone. Poorly coded nicehash website didn't force the previously logged in hacker out, nor did the support block his IP even though they have been INFORMED that it was a hacker.
I request a refund of my hard-earned 0.22 BTC. I accept that the first hack was my responsibility but the rest of the security leaks were caused by nicehash's poor coding.
Can you explain why there are no simple basic protections:
1. When password is changed, site must force all logged in users out. SIMPLEST RULE.
2. When someone wants to set a 2FA, an email verification should be needed. SIMPLEST RULE #2.
3. I deactivated hacker's 2FA with your code and created my own 2FA, but hacker WAS ABLE TO RENT HASH SOMEHOW. HOW CAN THIS BE IF THERE ARE NO SECURITY BREACHES?
4. I opened a withdrawal request, he could have cancelled and battled me again by putting orders, but he didn't, or more importantly HE COULDN'T.
5. I informed nicehash of the hack when only 0.02 was gone, they didn't LOCK THE ACCOUNT. Every other exchange or renting service out there locks the account immediately.
6. Why doesn't nicehash have a basic protection safeguard to protect their customers' funds?
So basically you are lying in front of everyone reading. HACKER WAS ABLE TO PUT AN ORDER EVEN WHEN I RESET 2FA AND PUT IT ON MY PHONE. You are either working with the hackers and hoping no one will notice or be loud enough or you just don't care about your customers' funds.
I SPOTTED HACK WITH A MINIMAL LOSS, ONLY 0.02. AND THAT'S ON ME, MY RESPONSIBILITY. BUT THEN I CHANGED MY PASSWORD AND EMAILED YOU IMMEDIATELY. After that, IT IS YOUR RESPONSIBILITY.
You are no different than those "hacker Russians" if you keep on insisting that your faulty, poorly coded weak system just helps HACKERS STEAL THE FUNDS. There is not even an IP notification.
I demand compensation for my stolen funds THAT ARE CAUSED BY YOUR FAULTS and for you to accept responsibility and correct your site's mistake. I will not stop following this and will be informing everyone, everywhere. You can't get away with this.
Basically, I felt safe after I changed my password and lost the remaining btc.
Niki on nicehash confirmed there was an issue with their security: https://www.reddit.com/r/NiceHash/comments/5cb1a4/nicehash_made_me_lose_022_btc_i_ask_for_a_refund/d9w3f2f/
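
The protections the post asks for (log out every session on a password change, require an email confirmation before a 2FA secret becomes active, lock a reported account), sketched as an added example that is not part of the original post and is not NiceHash's code. The `AccountStore` class, its method names and the per-user "epoch" counter are all hypothetical, and password verification itself is assumed to happen elsewhere.

```python
import secrets

class AccountStore:
    """Hypothetical in-memory model; password checking itself is left out."""

    def __init__(self):
        self.epoch = {}        # user -> counter bumped on every credential change
        self.sessions = {}     # session token -> (user, epoch when issued)
        self.pending_2fa = {}  # email token -> (user, secret, epoch when requested)
        self.totp = {}         # user -> active 2FA secret
        self.locked = set()    # accounts frozen by support

    def login(self, user):
        if user in self.locked:
            raise PermissionError("account locked")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.epoch.setdefault(user, 0))
        return token

    def session_user(self, token):
        """Return the user for a live session, or None if it was revoked."""
        user, issued = self.sessions.get(token, (None, None))
        if user is None or user in self.locked or issued != self.epoch[user]:
            self.sessions.pop(token, None)
            return None
        return user

    def change_password(self, user):
        # Bumping the epoch invalidates every session issued before the change.
        self.epoch[user] = self.epoch.get(user, 0) + 1
        return self.login(user)  # fresh session for the person who changed it

    def request_2fa(self, token, secret):
        user = self.session_user(token)
        if user is None:
            raise PermissionError("no valid session")
        confirm = secrets.token_urlsafe(32)  # would be mailed, never shown in the session
        self.pending_2fa[confirm] = (user, secret, self.epoch[user])
        return confirm

    def confirm_2fa(self, confirm):
        user, secret, issued = self.pending_2fa.pop(confirm)
        if user in self.locked or issued != self.epoch[user]:
            raise PermissionError("stale confirmation")
        self.totp[user] = secret
        self.epoch[user] += 1  # a 2FA change is a credential change too

    def lock(self, user):
        self.locked.add(user)  # existing sessions fail on their next request
```

Because every request goes through `session_user`, a session opened before the password change stops working on its next request, and a 2FA enrollment started from that session can no longer be confirmed.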