Anyone else have BTC stolen in the strongcoin leak?

[leetbix]

Hi just registered here. I lost around BTC17 I had stored on strongcoin over Easter during the site vulnerability leak.

I originally posted about it on the /r/bitcoin sub over at reddit.com. I wasn't sure how the whole thing went down initially but I've since worked out how it happened. I thought I'd post a thread here to share what I've learned and ask if anyone else has lost any coins.

First things first, yes I know there is much derision within the bitcoin community for people "dumb" enough to use online wallets. I get it so please hold the lecture about that.

The reason people use and will continue to want to use online wallets is that right now there doesn't seem to be an elegant solution for having your BTC with you while while using several different devices. Managing my BTC on 5 different devices without storing the wallet on a third party site was not something I was willing to invest the time into figuring out. I had bought the BTC to play around with about a year or more ago and had pretty much forgotten about it until the recent price increase happened.

Suddenly my < $200 in BTC was sitting at ~$1500. I was looking to spend them within the BTC marketplace when I was hacked.

[1715425235]

1715425235

[1715425235]

1715425235

[leetbix]

Ok well there doesn't seem to be much interest in this topic but I will post some info for posterity. There seems to be a bit of confusion about how much risk strongcoin users have been exposed to so I will post what happened to me.

Basically when you log into strongcoin and go to the account page for one your specific BTC addresses you were shown the following:

BTC address
Password hint for the private key
Encrypted hash of your private key
Balance
Transaction history

The vulnerability in the site enabled any logged in user to make a slight modification to the url of their account page and BAM suddenly you are on the page of some other guys account, with all of the above information visible.

Most people discussing this have mainly been talking about focusing on the fact the the password clue is visible, so an attacker would see a high balance account and proceed to guess the password using the clue.

I have not heard of anyone getting their BTC stolen by this method and it's not what happened to me. I didn't use a password hint.

What actually happened to me was my private key was burte forced. Because I only had an 8 character alpha numeric password, it was obviously easy enough for them to crack.

IMPLICATIONS:

Assume every private key hash for every strongcoin account at the time of the breach has been exposed, and is being actively cracked. Change your password to one that will be complex enough to not be worth cracking.

NOTE:

Strongcoin have fixed the vulnerability, and now the private key hash and clue information are no longer visible on the account page.