**OFFICIAL? - My BTC-e Account Got Hacked and All Funds Stolen thread

[phr0stbyt3]

**Please try to keep this as factual as possible**
I'm not wanting to defame anyone here, but I think everyone deserves an explanation.
Support has not responded to me since I regained access and definitively said "My coins were stolen"

I haven't seen a unifying thread yet so I thought I would start one.
Please post here if your BTC-e account was compromised and you lost funds of any kind. Please give details like time/date/$$ lost.
Transaction details if you regained access to your account and saw that someone else withdrew funds.

Edit: April 4, 2013 - Still no official statement from BTC-e about account breaches over the last week. Officially requested BTC reimbursement for lack of security measures, waiting to hear back.

[1715061176]

1715061176

[1715061176]

1715061176

[ThiagoCMC]

Hi!

I can't login! So, I can't check my balance.

The support ticket system DOES NOT WORK.

They do not answer my e-mail.

-
Thiago

[ThiagoCMC]

Hi!

I can't login! So, I can't check my balance.

The support ticket system DOES NOT WORK.

They do not answer my e-mail.

-
Thiago

Guys!

I'm logged! My money (BTC balance) is there... (whew)

Tks!
Thiago

[IIOII]

Confirming LTC stolen from my account on 8th April.

Will not post detail here - sent support ticket to BTC-e.


Edit:
I did have a pending sell order which was not executed. My fault.

BTC-e response was swift.

[Atompeace]

I can't login anymore. Says "invalid e-mail" or something like that. Got blocked now.
Any chance to get my money back?

[EvilLizardApparel]

8th of April, 8565 LTC stolen. Been in contact with support. No answer to what happened yet, if it was bruteforce, how they changed my email and cracked a very meticulous password, and what IP address they accessed my account from. Lost access to account while 20,000+ guests connected (got up to ~30,000 guests), started getting "bad password" and email confirmations stopped working. Support said "24 hours, more checking" then opened my account with no money in it.

[kelpy]

Only for my personal information.

You have activated some API key with 'withdraw' privilege??

[EvilLizardApparel]

Only for my personal information.

You have activated some API key with 'withdraw' privilege??

No API, Idon't use bots.

[Rawted]

Never, ever, under any circumstance, keep your cryptocurrency sitting in an exchange wallet. BTC-e is the same exchange that people have lost thousands of coins too, has been hacked, and the 'owner' was the central authority in the NVC scam. You shouldn't trust them. Only keep enough coins in any online wallet that you will be using or trading with that day.

[bradmurmz]

I had a total of 200BTC stolen from my account last night! The same thing happened to me where I was locked out of my account and the email was changed so I could not reset my password.

[Fiyasko]

I had a total of 200BTC stolen from my account last night! The same thing happened to me where I was locked out of my account and the email was changed so I could not reset my password.

This is all very fishy and they are no longer responding to my support ticket. I have evidence and reason to believe (which I'm compiling now) that this was someone inside btc-e...

I think im in agreeance with you, I read a post about the BTC-e guys connecting to someones server and "looking into him"

Your computers are not infected... this is a problem with btc-e. They did not respond to my support request, but I have a service that records visitors actions on my website. Shortly after I put in a support message telling them my situation, someone from Krasnoyarsk Russia accessed my website looking into me and through my site, but did not respond! I then told support I saw them on my server and sent them their IP (which accessed my site), then they responded asking for my email and that is all I have gotten from them so far!!

We need to look into this robbery thats happening at BTC-e, They may verywell have gone crooked.
And even if they havent, this is a FUCKING serious issue!

Never, ever, under any circumstance, keep your cryptocurrency sitting in an exchange wallet. BTC-e is the same exchange that people have lost thousands of coins too, has been hacked, and the 'owner' was the central authority in the NVC scam. You shouldn't trust them. Only keep enough coins in any online wallet that you will be using or trading with that day.

[EvilLizardApparel]

Other accounts affected include the ones listed here (Some people had to post in newbie thread, new accounts with not enough posts)
https://bitcointalk.org/index.php?topic=170592.60

And other people have been posting about their money/coins being stolen in the last few days, in the last few pages of main BTC-e Thread.

[Fiyasko]

https://bitcointalk.org/index.php?topic=173067.0;topicseen
A whole thread of people having Hacked BTC-E accounts

[laughingbear]

If only someone could have warned you this might happen

[z12]

For the records, I lost my account with 30.48 ltc in it.
I was logged in and chatting in the trollbox when it happened. Suddenly it said you need to sign in to enter a message, And no, i did not click any link. I already listed websites i browsed for the pas week but it seems irrelevant since the breach was on their end.
I still can't access my account

[bradmurmz]

https://blockchain.info/taint/1MHj7nmHtHtvwxbwaUbax5cywebvdrsZA8

This is where my funds were sent...

[phr0stbyt3]

Hi!

I can't login! So, I can't check my balance.

The support ticket system DOES NOT WORK.

They do not answer my e-mail.

-
Thiago

Guys!

I'm logged! My money (BTC balance) is there... (whew)

Tks!
Thiago

I'm relieved to know this worked out for you!! Some of us were not so lucky 

[phr0stbyt3]

Never, ever, under any circumstance, keep your cryptocurrency sitting in an exchange wallet. BTC-e is the same exchange that people have lost thousands of coins too, has been hacked, and the 'owner' was the central authority in the NVC scam. You shouldn't trust them. Only keep enough coins in any online wallet that you will be using or trading with that day.

This doesn't address mid-trading account breaches.

[moni3z]

you guys, antichat.ru hackers and fraudsters are constantly posting links in the trollbox to get you to click them. when you do your passwords all kept in browser are leaked, or worse you get 0day java exploit. if you didn't click anything in trollbox and you're not running a zombied botnet computer and you're still getting funds stolen, then yes, btc-e is insecure either it's API is cracked or owner possibly stealing (unlikely, why would they do this). if you clicked trollbox links you owned yourself there's nothing they can do. there's a guy in trollbox right now pasting in exploit links inside imgur pics

they're also posting same images and flash vids full of malware to reddit as well. ppl are also doing dumb things like using a similar name in trollbox that is close to their email, so they just need to brute force your email while you trade and if you don' t have gmail 2-factor set up p0w all your coins are gone

- use 2 factor ID for your email, and on btc-e
- use different passwords
- don't use same name in trollbox as your email root
- don't click on anything in PM or trollbox
- install noscript and enable it only for certain sites you trust
- ???
- profit

[btc-e.com]

https://btc-e.com/news/131

unctional confirmation of the withdrawal through the mail.

To use a functional need to confirm email - https://btc-e.com/profile#edit/home
Activate protection - https://btc-e.com/profile#edit/security
After that, each withdrawal you will come to notice in the mail.
Today will be translated into English.

For complete safety, use different passwords on the stock exchange and mail, as well as recommend the use of e-mail gmail.com with two-factor authentication.

[TsuyokuNaritai]

https://btc-e.com/news/131

unctional confirmation of the withdrawal through the mail.

To use a functional need to confirm email - https://btc-e.com/profile#edit/home
Activate protection - https://btc-e.com/profile#edit/security
After that, each withdrawal you will come to notice in the mail.
Today will be translated into English.

For complete safety, use different passwords on the stock exchange and mail, as well as recommend the use of e-mail gmail.com with two-factor authentication.

It's horribly broken. Read the comments.

[phr0stbyt3]

if you clicked trollbox links you owned yourself there's nothing they can do. there's a guy in trollbox right now pasting in exploit links inside imgur pics

Disallow clickable links in chat for starters.

https://btc-e.com/news/131

unctional confirmation of the withdrawal through the mail.

To use a functional need to confirm email - https://btc-e.com/profile#edit/home
Activate protection - https://btc-e.com/profile#edit/security
After that, each withdrawal you will come to notice in the mail.
Today will be translated into English.

For complete safety, use different passwords on the stock exchange and mail, as well as recommend the use of e-mail gmail.com with two-factor authentication.

I've been using 2fa with gmail ever since my girlfriend accidentally changed my password.

I already responded to this in another thread actually:

I had already done those steps.
My passwords are different and very, very strong. How was my email address able to be changed in my account?
I noticed that when you try to change your email on the account you now get a confirmation email, has this -ALWAYS- been the case?
I did not get anything saying my email address had been changed after my account was breached, so I'm a little puzzled.

[samson]

This exchange as rogue they should get a scammer tag for this.

They also massively manipulate every currency traded.

[Bit_Happy]

I just got the unexpected logout, and would like to know if there is hope of a fast fix?

[ZephramC]

Well. Three days ago my LTC withdrawal was delayed by several hours. Later I got an answer from BTC-e that it was due to DDoS attack. Withdrawal made just several minutes ago completed successfully.

[kingcrimson]

I withdrew bitcoins from btc-e to my wallet yesterday afternoon, and it never arrived. It doesn't even show up on the blockchain. I don't know wtf happened or whose end the problem arrived.

[pekv2]

I withdrew bitcoins from btc-e to my wallet yesterday afternoon, and it never arrived. It doesn't even show up on the blockchain. I don't know wtf happened or whose end the problem arrived.

I guess if the withdraw fee's isn't deterring people from withdrawing, btc-e is now using another way so you can't withdraw.

WOW.

Shit just keeps going balls deeper.

[z12]

I think they are doing withdrawals manually even though the system marks the withdrawal as 'sent'. Wait and they'll arrive.


I still didn't get my access to my account back, Not even a word from support, let alone a refund 
I guess this thread is getting ready to be moved on scam accusations section.

[phr0stbyt3]

I'm still waiting for an official statement from BTC-e about the account breaches.
Anyone who has used them in the last 2 weeks will notice the SWEEPING changes they have made in a very small amount of time.

Username -> email login
Email support -> ticket support -> email support again

Also, sending an email confirmation to change the email address on your account is now in place. Good news for the future, but doesn't address how my email address was changed when my coins were taken.

I have formally email support asking for reimbursement of stolen coins. Waiting to hear back.

[jimmy3dita]

Add me to the list, fortunately my account was almost empty and -afaik- I haven't opened nothing that can lead to an injection or something similar.

Brute force maybe? My BTC pass -I've to admin- was simple.

By the way:
- email changed
- email not present in the database when recovering pass
- trying to register again "login already exist"

Reminds me of something happened with iTunes three years ago, again with no damage (prepaid cc).

Oh I forgot to mention that I've sent an email today, but no answer yet. It's ok if they also delete the account so I can register again with the same username (yet not with the same pass )

[Transisto]

I don't know how am I supposed to remember the email account used ?

BTC-e never sent me any email,  I had enabled email on widthrawal so maybe I should at least had gotten a notif to reconfirm it.

[doobadoo]

...
- install noscript and enable it only for certain sites you trust /
-
- profit

^ THIS ^  And to be more precise, you install no script (Firefox plugin) and make sure its set "Forbid Scripts Globally."  Then when you hit a site, choose to allow the javascripts which have addresses you can recognize as safe.  Go into Tools --> Addons and disable the Java plugin.  Might want to disable adobe flash too, but if you don't check to see you have most recent version.  Also  check that you have most recent Firefox version.

For you browsing other sites, run that in Chrome.  Only have your exchange tabs open in Firefox.  


If you use a blockchain.info wallet access the link in private browsing mode.  Don't bookmark the link either, drag the link to your desktop from the url bar. Rename the file something inconspicuous.  Back that file up!  Then load it by dragging it back to the URL bar.  Never copy and paste your secret online wallet link. I think that defeats the malware that might look thru your browsing history and bookmarks and clipboard.

[TimJBenham]

I never trust an exchange that charges a percentage fee to deposit.

[bradmurmz]

This was not an XSS attack!! 

This was obviously a simple SQL injection attack. If it was XSS how would they change the email without a verification email being sent. According to btc-e changing the email has always required a verification email to the previous address first!

All the attacker has done is found an SQL injection exploit which they use like so "UPDATE users SET email='f6a7b84c9a7c7f6e8@somespammymailer.com' WHERE username='theuser'"

Then they simply reset the password on the account and log in wiping out funds.


This was not the fault of any of us.... I've had 200BTC stolen and I'm still waiting on support to get back to me. I've gotten only two emails so far with a few words in each one. I really wish they would understand how I feel right now and would at least give me some reassurance that they plan on taking care of me. I really like btc-e exchange but at the moment am very upset with the level of professionalism of support!!

[laughingbear]

This was not an XSS attack!!  

This was obviously a simple SQL injection attack. If it was XSS how would they change the email without a verification email being sent. According to btc-e changing the email has always required a verification email to the previous address first!

All the attacker has done is found an SQL injection exploit which they use like so "UPDATE users SET email='f6a7b84c9a7c7f6e8@somespammymailer.com' WHERE username='theuser'"

Then they simply reset the password on the account and log in wiping out funds.


This was not the fault of any of us.... I've had 200BTC stolen and I'm still waiting on support to get back to me. I've gotten only two emails so far with a few words in each one. I really wish they would understand how I feel right now and would at least give me some reassurance that they plan on taking care of me. I really like btc-e exchange but at the moment am very upset with the level of professionalism of support!!

Or  btc-e stole the coins.  Im sorry this happened to you.  But what can you do?  what is the owners name?  where is the server?  is there a business address? Are they licensed? Can you call the police and Russia and tell them what?
 

[Smoovious]

I never trust an exchange that charges a percentage fee to deposit.

Which exchanges do that?

-- Smoov

[bradmurmz]

Or  btc-e stole the coins.  Im sorry this happened to you.  But what can you do?  what is the owners name?  where is the server?  is there a business address? Are they licensed? Can you call the police and Russia and tell them what?
 

With the way they are treating us... This is starting to sound more and more like a possibility!

There are many things I can do.. I can reach out to various media sources and tell them our story. I've written a press release explaining that it either has to be an SQL injection attack, or inside job stating my reasons above. If they just leave us all hanging with no responses, I think the later would appear to make the most sense.

Next I use my SEO dayjob skills to make sure that those articles come up #1 for btc-e search term so that everyone knows to be aware. I also make sure this forum and other posts come up first page for that search term as well.

Personally I would just rather have someone over there tell we what the hell is going on and why they are barely responding to someone who just lost nearly 40k (at the time) and apparently treating us all as though we don't matter. I would rather just get my coins back and let everyone here know that I had been done right by them and that they are trustworthy.

The amount of money it would cost to refund us would be made up quickly in added business they would receive from gaining the communities trust back.

[bradmurmz]

https://btc-e.com/news/131

unctional confirmation of the withdrawal through the mail.

To use a functional need to confirm email - https://btc-e.com/profile#edit/home
Activate protection - https://btc-e.com/profile#edit/security
After that, each withdrawal you will come to notice in the mail.
Today will be translated into English.

For complete safety, use different passwords on the stock exchange and mail, as well as recommend the use of e-mail gmail.com with two-factor authentication.

You're seriously still blaming us for this?

How does it matter if "after each withdrawl we get a notice in the mail" if they hack your database with an SQL injection attack and change our email directly in the database, and then seconds later login to our account and clear out the funds before support can even answer an email...

@btc-e.com, I will help you find and fix the exploit if you want. Just pay me back for what is the fault of btc-e.com and I will be more than happy to help you for free.

[bradmurmz]

you guys, antichat.ru hackers and fraudsters are constantly posting links in the trollbox to get you to click them. when you do your passwords all kept in browser are leaked

I think what your trying to describe is an XSS ( Cross Server Scripting ) attack that steals your cookies. I'm not sure how "your passwords all kept in browser are leaked"... that's just not possible on any modern browser I am aware of.

This XSS attack is possible if there was a bug in btc-e's site that allowed for code to be injected into the page through a GET request, but probably not the case as many of us who's accounts were hacked never clicked any links in the "trollbox".  As far as botnets and virus and java exploits, many of us also run linux which is the most secure desktop available and also chrome which does not allow java to be ran without a confirmation first!

[bradmurmz]

Has anyone here who's account was hacked had any resolution to the situation?? Has support even said more than a few sentences to you and answered any of your questions??

[moni3z]

you guys, antichat.ru hackers and fraudsters are constantly posting links in the trollbox to get you to click them. when you do your passwords all kept in browser are leaked

I think what your trying to describe is an XSS ( Cross Server Scripting ) attack that steals your cookies. I'm not sure how "your passwords all kept in browser are leaked"... that's just not possible on any modern browser I am aware of.

This XSS attack is possible if there was a bug in btc-e's site that allowed for code to be injected into the page through a GET request, but probably not the case as many of us who's accounts were hacked never clicked any links in the "trollbox".  As far as botnets and virus and java exploits, many of us also run linux which is the most secure desktop available and also chrome which does not allow java to be ran without a confirmation first!

java zero day. Chrome://Plugins then disable any Java plug-ins. this is different than javascript. Linux is not immune.
has anybody tested if you can create API key, then withdraw with it? probably no email confirmation.

[z12]

I didn't have java installed in my system
And i already listed all my last week's visited websites somewhere in this forum. So i'm pretty sure i didn't get hacked because of a java exploit. Just because someone had his btc stolen from mt. Gox because of java doesn't mean everyone hacked because of java

I have yet to receive an answer from btc-e support. All i got from them was a misspelled "accout locked" answer. And i still can't access my account. I learnt my lesson to never use another exchange until a safe one appears. I just wish i get my coins back

[bradmurmz]

you guys, antichat.ru hackers and fraudsters are constantly posting links in the trollbox to get you to click them. when you do your passwords all kept in browser are leaked

I think what your trying to describe is an XSS ( Cross Server Scripting ) attack that steals your cookies. I'm not sure how "your passwords all kept in browser are leaked"... that's just not possible on any modern browser I am aware of.

This XSS attack is possible if there was a bug in btc-e's site that allowed for code to be injected into the page through a GET request, but probably not the case as many of us who's accounts were hacked never clicked any links in the "trollbox".  As far as botnets and virus and java exploits, many of us also run linux which is the most secure desktop available and also chrome which does not allow java to be ran without a confirmation first!

java zero day. Chrome://Plugins then disable any Java plug-ins. this is different than javascript. Linux is not immune.
has anybody tested if you can create API key, then withdraw with it? probably no email confirmation.

LOL for real?? did you read my other posts?? My browser WILL NOT run java without confirming with me first. In fact I even have java disabled completely on my computer!

There is absolutely no way my computer is the culprit. Looks like to me people are still getting hacked on btc-e the issue has not been fixed. They are just going to keep getting accounts hacked and any money stolen until they fix the issue. Some hacker is having a field day just cleaning out accounts at will. If I were them I would shut down the exchange until they figure out where the injection attack is happening.

AGAIN, how is it possible with a Java (or XSS) attack for them to change my email with no confirmation from my current email? This is a server side SQL attack... nothing else makes sense.

[bradmurmz]

Just got another 5 word email from support.... Looks like they are blaming the users and are not going to help us. PM with contact info if you want help take action.

[z12]

you guys, antichat.ru hackers and fraudsters are constantly posting links in the trollbox to get you to click them. when you do your passwords all kept in browser are leaked

I think what your trying to describe is an XSS ( Cross Server Scripting ) attack that steals your cookies. I'm not sure how "your passwords all kept in browser are leaked"... that's just not possible on any modern browser I am aware of.

This XSS attack is possible if there was a bug in btc-e's site that allowed for code to be injected into the page through a GET request, but probably not the case as many of us who's accounts were hacked never clicked any links in the "trollbox".  As far as botnets and virus and java exploits, many of us also run linux which is the most secure desktop available and also chrome which does not allow java to be ran without a confirmation first!

java zero day. Chrome://Plugins then disable any Java plug-ins. this is different than javascript. Linux is not immune.
has anybody tested if you can create API key, then withdraw with it? probably no email confirmation.

LOL for real?? did you read my other posts?? My browser WILL NOT run java without confirming with me first. In fact I even have java disabled completely on my computer!

There is absolutely no way my computer is the culprit. Looks like to me people are still getting hacked on btc-e the issue has not been fixed. They are just going to keep getting accounts hacked and any money stolen until they fix the issue. Some hacker is having a field day just cleaning out accounts at will. If I were them I would shut down the exchange until they figure out where the injection attack is happening.

AGAIN, how is it possible with a Java (or XSS) attack for them to change my email with no confirmation from my current email? This is a server side SQL attack... nothing else makes sense.

It has come clear to me that anyone who wasn't hacked likes to make idiots of victims and call them stupid.
The hacker(s) on the other hand, is pulling a nice job by slowly removing people's funds from their account so that noone gets suspicious. (They think those who were hacked are idiots who touched a computer for their first time, remember?)
As for BTC-e, they are aware of the issue and trying what they can to fix it. Just look at how they changed their login system after a few users claimed they were hacked. However they won't admit it becausethey don't like to take a hit and refunding their members.
Their supportacts so stupid that its's not even funny. They went from IM support to email support then to a ridiculous helpdesk then changed back to e-mail support all in 3 days.. Just WTF are they doing?

Ultimately it's us the victims who have to pay for BTC-e's lack of security and this thread will be forgotten one BTC-e figures how to stop the hacks.

[bradmurmz]

I've been a programmer for over 10 years... I'm a Linux and security enthusiast. I use randomly generated passwords on every site I ever sign up for. I have Java disabled, I use Linux/chromium on my desktop, and I'm very cautious when going to any website always checking the URL first.

btc-e support has made it VERY CLEAR that they couldn't care less about the victims of their lack of security. Very sad indeed...

Every response I've received from their "support" has been less than 5 words and NEVER addresses my questions/concerns. They keep just sending me to their "news" posting telling me how to enable email notifications for withdrawals  (as if this somehow is helpful to me now after I've been taken for 200BTC ).

They are a total joke... A better exchange will emerge soon, just watch, people will move away from them in flocks once the word gets around. They could have saved their reputation by doing the community right, but they are too greedy.

[bradmurmz]

Great, now I have someone named Georgiy (caller ID) speaking Russian calling my business line. I can not understand what they are saying but I assume its related to my posts here and correspondence with btc-e support (who have been completely rude).

This is totally weird and I'm really starting to get ticked off.

[bradmurmz]

I'm no longer going to pursue a refund from btc-e as it is apparent that is not going to happen. The fact that I was completely ignored via email then called and sort of laughed at in Russian is kind of disturbing to me, so I chose to drop it at this point.

If anyone reading this would like to help restore my faith in bitcoin please feel free to donate :-/

18dtrtAUAvPvvEX3ZpqWdVeiHKLR33nRHj

[moni3z]

you guys, antichat.ru hackers and fraudsters are constantly posting links in the trollbox to get you to click them. when you do your passwords all kept in browser are leaked

I think what your trying to describe is an XSS ( Cross Server Scripting ) attack that steals your cookies. I'm not sure how "your passwords all kept in browser are leaked"... that's just not possible on any modern browser I am aware of.

This XSS attack is possible if there was a bug in btc-e's site that allowed for code to be injected into the page through a GET request, but probably not the case as many of us who's accounts were hacked never clicked any links in the "trollbox".  As far as botnets and virus and java exploits, many of us also run linux which is the most secure desktop available and also chrome which does not allow java to be ran without a confirmation first!

java zero day. Chrome://Plugins then disable any Java plug-ins. this is different than javascript. Linux is not immune.
has anybody tested if you can create API key, then withdraw with it? probably no email confirmation.

LOL for real?? did you read my other posts?? My browser WILL NOT run java without confirming with me first. In fact I even have java disabled completely on my computer!

There is absolutely no way my computer is the culprit. Looks like to me people are still getting hacked on btc-e the issue has not been fixed. They are just going to keep getting accounts hacked and any money stolen until they fix the issue. Some hacker is having a field day just cleaning out accounts at will. If I were them I would shut down the exchange until they figure out where the injection attack is happening.

AGAIN, how is it possible with a Java (or XSS) attack for them to change my email with no confirmation from my current email? This is a server side SQL attack... nothing else makes sense.

javascript is not the same thing as java plugins. i'm talking java runtime, not script.
why is your browser asking you to confirm if you want to run java if you've supposedly nuked it from your computer? obviously it's still there. what about flash plugins? are they gone too?

Security checklist:

- is the 'name' you picked similar to your email name? if so, and you use the trollbox, they will test @hotmail @gmail @yahoo and every other domain they can to bruteforce. they will also try to bruteforce your bitcoin-e login if your password is something stupid like 'trader321'

- are all your passwords different with high entropy? are you using the same password on BTC as your email?

- is your name unique, like NerfU1944 so hackers can crawl insecure forums looking for similar name you used elsewhere and yank that forum's db to get your password? which they can then use on exchanges to clean out your account because you didn't choose unique passwords on every website.

- do you have 2 factor ID set up with gmail and using withdraw email req on BTC-E?

- did you click any trollbox links?

- did you click any links PM'd to you?

- did you enable API?

- is your box a botnet drone?

- did you connect over Tor and a malicious exit note spoofed cert or ran sslstrip?

- is java plugins actually disabled or just javascript?


I've never had any problems on BTC-e and nobody has magically sql injected to reset my email. Clearly that is not the problem or everybody using the trollbox would have their coins drained instantly. This didn't happen. Just keep contacting support and ask wtf is going on in the meantime go through security checklist and see what you didn't do

[z12]

javascript is not the same thing as java plugins. i'm talking java runtime, not script.
why is your browser asking you to confirm if you want to run java if you've supposedly nuked it from your computer? obviously it's still there. what about flash plugins? are they gone too?

Security checklist:

- is the 'name' you picked similar to your email name? if so, and you use the trollbox, they will test @hotmail @gmail @yahoo and every other domain they can to bruteforce. they will also try to bruteforce your bitcoin-e login if your password is something stupid like 'trader321'

- are all your passwords different with high entropy? are you using the same password on BTC as your email?

- is your name unique, like NerfU1944 so hackers can crawl insecure forums looking for similar name you used elsewhere and yank that forum's db to get your password? which they can then use on exchanges to clean out your account because you didn't choose unique passwords on every website.

- do you have 2 factor ID set up with gmail and using withdraw email req on BTC-E?

- did you click any trollbox links?

- did you click any links PM'd to you?

- did you enable API?

- is your box a botnet drone?

- did you connect over Tor and a malicious exit note spoofed cert or ran sslstrip?

- is java plugins actually disabled or just javascript?


I've never had any problems on BTC-e and nobody has magically sql injected to reset my email. Clearly that is not the problem or everybody using the trollbox would have their coins drained instantly. This didn't happen. Just keep contacting support and ask wtf is going on in the meantime go through security checklist and see what you didn't do

Like i said, you think you are smart and everyone else are stupids who touched the computer checklist.

javascript is not the same thing as java plugins. i'm talking java runtime, not script.
why is your browser asking you to confirm if you want to run java if you've supposedly nuked it from your computer? obviously it's still there. what about flash plugins? are they gone too?

Just for you to know, i know the difference between java and javascript. I believe we've been told the differences of these two for enough times already.
I don't have java installed on my computer. Javascript is enabled and i don't see a reason for it to not be. It is used far too often on different websites to have it disabled. Flash plugins enabled too. But i allow them selectively using noscript plugin.

Your pathetic security checklist:

- is the 'name' you picked similar to your email name? if so, and you use the trollbox, they will test @hotmail @gmail @yahoo and every other domain they can to bruteforce. they will also try to bruteforce your bitcoin-e login if your password is something stupid like 'trader321'
They changed the login from username to email after users claimed they were hacked. So this question is irrelevant.
Brute force you say? How can someone Brute force Accounts of a website without having password hashes? Writing a script to check all passwords one by one through login page? How many tries does it take to bruteforce a 'abcdefghijk' password? 1 million? 2 million? How many tries per second can you get brute forcing through the login page? 100 try per second? 200? 5000? Lets say it takes 2 million tries in average to brute force your way in an account. How are you going to know that one particular account has an easy password to brute force it? Let's say the script gives up after 2 million tries.  How many accounts can you hack in 5 days? 10? 20? How many do you think had any coin at all in their account? How many would claim they were hacked in this forum? 10%? 30%? 

- are all your passwords different with high entropy? are you using the same password on BTC as your email?
Something like KDiQc65oH70&NkOz%SH@9*5!RRF#7P Is it unsafe? Too easy to bruteforce? Why would i use the same password when my password manager can remember them? And if you are wondering how can one hack into my password manager easily? Why would they want one's bitcoins if they can hack into password managers? Wouldn't it be easier if they steal credit cards? More importantly, How can they only target btc-e and not other important accounts like mt.gox etc. ? If they can access my Password manager wouldn't they have complete access to my wallet.dat? Why bother with btc-e when you can simply steal the wallet.dat?

- is your name unique, like NerfU1944 so hackers can crawl insecure forums looking for similar name you used elsewhere and yank that forum's db to get your password? which they can then use on exchanges to clean out your account because you didn't choose unique passwords on every website.
Jumping to conclusions eh? who said they use similiar passwords for every account they have? I for one have password manager and don't need same password anywhere. Let's say they hacker have my username. What can they do with it? How would they know my password is not safe so they can try to bruteforce it?
- do you have 2 factor ID set up with gmail and using withdraw email req on BTC-E?
Why one would want to bother with something like that when it simply doesn't work? I personally didn't use that because i heard it doesn't work. Besides, when the site is insecure enough that doesn't need confirmation to change the email (and only puts it after tens of accounts were hacked)  Why would the hacker care? They can just change the email and then confirm the email withdraw request.

- did you click any trollbox links?
Yes i did. bitcointalk.org and imgur.com links seem safe to me. And if you think i'm not smart to read a url to make sure it's not a fake think again. I already listed bitcoin related websites visited perior to my getting hacked. If you want, here it is again:

Code:

Cryptocoinexplorer.com <= i clicked this from btc-e
bitcoin.clarkmoody.com
bitcoinrush.p4o.net 
zerohedge.com
xcannabis.com
wallet.litehosting.eu
thebitcoinchannel.com
coinad.com
cryptocoincharts.info
kamikaze.litecoinland.com
litecoin-store.com
litecoingames.com
litefaucet.com
m-obmen.com
medium.com
minecraftcc.com
otn.dsparking.com
weusecoins.com
bitcointalk.org

I removed Sites i trust. like bing, my email provider etc.

- did you click any links PM'd to you?
The only pm i received was from support answering about depositing things. And no, there was no links in it.
- did you enable API?
I don't know what their API is capable of, but no.
- is your box a botnet drone?
I hardly believe so, If my machine was a zombie, Not only it wouldn't have access to internet because the only programs in my computer that are allowed to access internet are: opera.exe firefox.exe steam.exe dota.exe
The rest need my confirmation first. And i don't confirm if i don't know wtf i'm doing.
- did you connect over Tor and a malicious exit note spoofed cert or ran sslstrip?
I do use tor to access .onions But for clearnet, no. But i don't think that Tor is not secure enough to not allow such things to be done on it.
- is java plugins actually disabled or just javascript?
Like i said, I don't have java installed on my system. Javascript however is enabled but i have to allow it through noscript for websites i don't trust.

I've never had any problems on BTC-e and nobody has magically sql injected to reset my email. Clearly that is not the problem or everybody using the trollbox would have their coins drained instantly. This didn't happen. Just keep contacting support and ask wtf is going on in the meantime go through security checklist and see what you didn't do

Ofcourse you didn't. I personally admire the hackers for pulling a nice job that noone except those who were hacked distrust btc-e. Oh their support. didn't even give me a 1 word misspelled answer to my emails. Oh well..
OK good luck for you. I'd like to see your face if you ever get hacked, Although i think btc-e fixed their bugs by now

[mariusg]

*what earlier here stands was obsolote*

but the last 2 posts show good security options :thumbsup:

[moni3z]

This is just seeing if none of this affected you, because everybody comes in crying OMG SCAM and turns out they handed over their password by falling for simple security pitfalls and the exchange had nothing to do with it. I'm not saying you are "stupid" or anything, just getting you to answer questions to see if there's a problem with the exchange. Sorry for rambling message.

They changed the login from username to email after users claimed they were hacked. So this question is irrelevant.

No it's not. Not if your username in chat is 'Reeferbob99' and your email is 'Reeferbob99@gmail.com'.
Lot's of people pick the exact same username as their sign in email that's why I asked.

Brute force

Example: 'Reeferbob99' i try obvious guess combinations on btc-e until locked out and wait again or I attack that login name on a site with no lockout as long as I want automated. I had to ask, How can I know if you chose a difficult password that can't be guessed. This is elimination process to see if you were actually scammed. The first thing I'm doing as a trollbox hacker when somebody posts a unique name is looking through bitcointalk for it and reading their posts to break into less secure sites they use, and test if they reuse the same password. Almost no people vary their passwords across sites.

Wouldn't it be easier if they steal credit cards? More importantly, How can they only target btc-e and not other important accounts like mt.gox etc. ? If they can access my Password manager wouldn't they have complete access to my wallet.dat? Why bother with btc-e when you can simply steal the wallet.dat?=

Credit cards are worth $2 they're a dime a dozen on fraud forums, bitcoin = instant cash. The reason they go after BTC-e is because of the chatbox. It hands out information, and you can con people to click links. Since they are all logged into a bitcoin exchange, pretty good chance they'll have coins to steal. They can steal wand.dat (opera) where the logins are kept in the browser. Then go to town on the encryption but would be unable to break wallet.dat encryption.

Also, are you logging in with a cellphone/tablet?  If so and you use Opera, it does a MITM attack on your https encrypted traffic for 'optimization'. Maybe employee of Opera saw some bitcoin login passwords fly past the logs. It just takes one employee with access to information he/she shouldn't have and motivation to steal untraceable, pseudoanon bitcoins. I know the mobile browser (chrome) that came built into Gingerbread was never updated again. Lot's of phones are running old telco builds that do not do security updates.

Besides, when the site is insecure enough that doesn't need confirmation to change the email (and only puts it after tens of accounts were hacked)  Why would the hacker care? They can just change the email and then confirm the email withdraw request.

It's always emailed a change when I've done it, unless mail servers were down. Then I couldn't withdraw anything. It could be possible for somebody to get in your account, and enable the api themselves, then withdraw without email confirmation.

Click trollbox links? Yes i did. bitcointalk.org and imgur.com links seem safe to me.

Except you can host .TIFF files on imgur. There's .TIFF browser exploits for safari galore. I don't know about Opera or FF.

A trollbox hacker uploaded a Jar/gif hybrid that when viewed automatically ran as a .jar file and infected whoever viewed it if running certain versions of Windows. The image passes all validity checks because of top headers are a pic, then below is all java code waiting to be executed when displayed in the browser. There was a guy St0rmbringer dropping exploit links one after another once when I was watching the trollbox. (Links now all disabled finally.. but you can still drop links without http:// and get people to cut+paste them)

A trollbox hacker hellbent on coins would also go attack some low hanging fruit, like a bitcoin charts site that wasn't secure and set it up to host exploits then spam the link in chat. If cryptome could get owned by Black Hole Exploit Kit, any site can.

Ignore all links in the trollbox, or open them using lynx browser. Remember these aren't run of the mill script kiddies they're seasoned antichat.ru script kiddies and the bounty is untraceable bitcoins.

I hardly believe so, If my machine was a zombie, Not only it wouldn't have access to internet because the only programs in my computer that are allowed to access internet are: opera.exe firefox.exe steam.exe dota.exe
The rest need my confirmation first. And i don't confirm if i don't know wtf i'm doing

Granted, however botnets they peddle on antichat.ru use jpeg as a covert channel for command and control. You open browser and it would report to the commanding bot server via a covert outbound HTTP Port 80 connection and receive commands within a mailicious JPG EXIF data image. They also peddle linkedin status command and control using linkedin API to break through corporate firewall.

I personally admire the hackers for pulling a nice job that noone except those who were hacked distrust btc-e. Oh their support. didn't even give me a 1 word misspelled answer to my emails. Oh well..
OK good luck for you. I'd like to see your face if you ever get hacked, Although i think btc-e fixed their bugs by now

That sucks you got 1 word answer after losing all your coins, but there was such a total shitfest of dropped exploit links in the trollbox for like a month that everybody was being robbed. It was open season to see who on antichat and xakepy.cc could come up with the most stolen coins dumping links.

tl;dr 60% chance something is wrong with btc-e and you got scammed. 40% chance you got owned by the trollbox simply by posting in it revealing user login name you use elsewhere, or clicking links.

[bradmurmz]

Again I will say this...

I use a unique randomly generated password containing uppercase lowercase and numbers for every different site I use...

I'm using chromium on linux. I do not have Flash or Java enabled. Java is not even installed on my system.

Support at btc-e initially told me that my email had been changed to a random address @mailinator.com and that my funds had been withdrawn.  You say btc-e has always had email confirmation for email addresses changes. If this is the case, how were they able to change my email without me ever getting a confirmation??

I initially had a suspicion that an employee at btc-e may have been the culprit, but I no longer believe that was the case or am going to make that accusation. Seems to me they don't have many employees anyway, and anyone involved over there probably has a claim in the 'company' so they would not want to have something like this happen publicly.

The hacker stole my money, and I'm not getting it back. At current value it's about 20k dollars, so it does hurt. But btc-e has made it clear that they are not going to do anything about it, and that they don't appreciate my continued pursuit of the matter...

Therefore there is nothing I can do, and I am moving on.

[laughingbear]

Again I will say this...

I use a unique randomly generated password containing uppercase lowercase and numbers for every different site I use...

I'm using chromium on linux. I do not have Flash or Java enabled. Java is not even installed on my system.

Support at btc-e initially told me that my email had been changed to a random address @mailinator.com and that my funds had been withdrawn.  You say btc-e has always had email confirmation for email addresses changes. If this is the case, how were they able to change my email without me ever getting a confirmation??

I initially had a suspicion that an employee at btc-e may have been the culprit, but I no longer believe that was the case or am going to make that accusation. Seems to me they don't have many employees anyway, and anyone involved over there probably has a claim in the 'company' so they would not want to have something like this happen publicly.

The hacker stole my money, and I'm not getting it back. At current value it's about 20k dollars, so it does hurt. But btc-e has made it clear that they are not going to do anything about it, and that they don't appreciate my continued pursuit of the matter...

Therefore there is nothing I can do, and I am moving on.

THAT is why you shouldn't use an exchange, esp with that sort of volume, when you dont know a single thing about the owner, not even his name.  People here demand escrow for a $20 item, and SCREAM scammer if anyone hesitates, but look at all these people blindly throwing money at btc-e.  Im not trying to make you feel worse here, and it sucks that this happened to you.  All of you should know if you use this exchange, and your money disappears, there will be nothing that you can do. You will end up just like this guy.

[moni3z]

90% of exchanges we don't really know who the owners are, and even if we do they often disappear or go scam. CryptoXchange, Bitcoinica, Bitfloor massive coin theft, Bitcoin-24 is up in the air, WBX exchange lost everything, the Polish exchange that terminated their ec2 instance and deleted wallet.dat, there's probably a few I forgot. Point is none of the above people got their coins back.

The only exchange I generally trust with large amounts is cavirtex.ca because they've been solid, and owner is well known and accessible. There's been many thefts on MtGox and they didn't get any help either. All we can do in the cryptoanarchy world of decentralized currency and shady exchanges is enable 2 factor ID on everything and hope for the best, unless you use localbitcoins and are standing in front of the trader with cash in hand.

#bitcoin-otc also has some good scam preventions, like recommending to only transfer a few coins at a time to avoid being scammed for everything all at once.

[bradmurmz]

THAT is why you shouldn't use an exchange, esp with that sort of volume, when you dont know a single thing about the owner, not even his name.  People here demand escrow for a $20 item, and SCREAM scammer if anyone hesitates, but look at all these people blindly throwing money at btc-e.  Im not trying to make you feel worse here, and it sucks that this happened to you.  All of you should know if you use this exchange, and your money disappears, there will be nothing that you can do. You will end up just like this guy.

Your 100% right... Lesson learned. An expensive one to have to learn, but I will not make that mistake again. I was actively trading with that amount and had been doing it for a few months. At first I would withdraw a lot of the money every time I was done, but then I started getting lazy and also didn't want to pay the fees. It did happen while I was logged it, but regardless I was trusting my money on a site I really knew nothing about. Guess trading crytocurrencies in that volume is not a smart thing to do at this point in time. We will just have to wait until more reputable ones appear who focus more on security and who will be willing to help if something does go wrong.

[phr0stbyt3]

@brad,
I got into BTC-e chat the other day and got harassed by who I found out later was a chat moderator.
They're not interested in restoring our funds as it was clearly "not their fault" so it must be our fault.
However they sure have beefed up the security on their site in the last week. Hmmm.
The last email I sent to BTC-e support requesting a refund got a reply back full of IP addresses that had accessed my account.

[z12]

... some text here...

Ok, you win. I won't get my coins back anyway

[bradmurmz]

@brad,
I got into BTC-e chat the other day and got harassed by who I found out later was a chat moderator.
They're not interested in restoring our funds as it was clearly "not their fault" so it must be our fault.
However they sure have beefed up the security on their site in the last week. Hmmm.
The last email I sent to BTC-e support requesting a refund got a reply back full of IP addresses that had accessed my account.

This is craziness... How did they harass you?

It's probably less than one days profit to refund us all... What a shame.

[jimmy3dita]

Seems you were lucky to have any useful reply, by now I'm still stuck at the "pass recovery+use email to login" loop.

It's clear that someone logged into my account and changed password+reference email locking me out, I just want a confirmation for that and for me it's over.

The only thing I will do is delete my account (if they ever give it back) and stop using Btc-e forever.

[bitbadger]

I too am currently attemping to withdraw my funds from BTCe.

I only signed up for an account with them a few weeks back but I've already formed a bad impression of their service.

As said by others here, you get cryptic one or two word replies from their support in bad English which are hard to decipher the meaning of.

Their web interface is threadbare and does not inspire confidence.

Nor does the fact that they are based in Russia inspire confidence. I don't think I'm being prejudiced here, but I do not trust businesses that are based in Russia.

Ive already having bad experiences right now with an exchange in Western Europe and their incompetence.

God knows what a Bitcoin exchange in Russia will manage to cook up by comparison.

So I'm out.

[jargoman]

I found this piece of javascript in an html file that mysteriously appeared on my computer after clicking a trollbox link. I still have my coins but do believe someone hacked or attempted to hack me. It seems that multiple exploits are being used. Can someone confirm my suspicion that this is malicious javascript?

Code:

 <script id="swift_action_queue">
          (

	function(){
		function f(a){	

			a=a || window.event;

			if(!a)return;

			!a.target&&a.srcElement&&(a.target=a.srcElement);

			if(!j(a))return;

			if(!document.addEventListener){
				var b={};
				for(var c in a)b[c]=a[c];

				a=b
			}

			a.preventDefault=a.stopPropagation=a.stopImmediatePropagation=function(){};

			d.push(a);

			return!1
		}

		function g($){
			i();

			for(var b=0,c;c=d[b];b++){
				var e=$(c.target);
				if(c.type=="click"&&c.target.tagName.toLowerCase()=="a"	){	
					var f=$.data(	e.get(0),"events"),g=f&&f.click,j=!c.target.hostname.match(a)||!c.target.href.match(/#$/);

					if(!g&&j){
						window.location=c.target.href;
						continue
					}
				}

				e.trigger(c)
			}

			window.swiftActionQueue.wasFlushed=!0
		}


		function i(){	
			e&&clearTimeout(e);
			for( var a=0; a<c.length; a++) document["on"+c[a]]=null

		}


		function j(c){

			var d=c.target.tagName.toLowerCase();

			if(d=="label") if(c.target.getAttribute("for")){ var e=document.getElementById(c.target.getAttribute("for"));


			if(e.getAttribute("type")=="checkbox")return!1
			}else for(var f=0;f<c.target.childNodes.length;f++)if((c.target.childNodes[f].tagName||"").toLowerCase()=="input"&&c.target.childNodes[f].getAttribute
("type")=="checkbox")return!1;	if(d=="textarea"||d=="input"&&c.target.getAttribute("type")=="text"||c.target.getAttribute("contenteditable")=="true")if(c.type.match(b))return!1;return c.metaKey?!1:c.clientX&&c.shiftKey&&d=="a"?!1:c.target&&c.target.hostname&&!
c.target.hostname.match(a)?!1:!0}var a=/^([^\.]+\.)*twitter.com$/,b=/^key/,c=["click","keydown","keypress","keyup"],d=[],e=null;for(var k=0;k<c.length;k++)document["on"+c[k]]=f;setTimeout(i,1e4);window.swiftActionQueue={flush:g,wasFlushed:!1}})();
        </script>
        <script id="composition_state">
          (function(){function a(a){a.target.setAttribute("data-in-composition","true")}function b(a){a.target.removeAttribute("data-in-composition")}if(document.addEventListener){document.addEventListener("compositionstart",a,!1);document.addEventListener("compositionend"
,b,!1)}})();
        </script>

[bradmurmz]

Look at the source for twitter.com... Not sure where you got that from, but its just code from twitter.

[jargoman]

Look at the source for twitter.com... Not sure where you got that from, but its just code from twitter.

That code was found on my computer. It may be created by twitter but I believe someone is using it as a xss attack. The line b=/^key/,c=["click","keydown","keypress","keyup"]  suggests it's a key logger (maybe I am wrong). I'm thinking the attack goes like this. attacker posts a malicious link, it attampts to launch a java 0day to install a backdoor trojan. If that doesn't succeed it drops a phishing page outside the javascript sandbox probably by using the java 0day. Then the victim may then be tricked into clicking the locally dropped file which would run out side the sandbox. Then the attacker would ddos btce or use some other exploit to cause the user to become logged out. When the user quickly logs back in the attacker has the javascript running in another tab listening to windowing events outside the sand box and successfully retrieving their password.

Either a, there are multiple attackers using different methods, or there is a modern toolkit that is at work here.

[ryantc]

for the record, just lost about 30 TRC from my account,

so change all coins to BTC and transfer to mtgox (safer? maybe?)

never store a penny in that exchange wallet, ever again.

[Unclegogi]

This night 100TRC were stolen from my account.
Password was unique and strong, it was not used on other services, it did not have some parts from my user name or e-mail,
I didn't give it to anyone, there are no viruses on my PC, I did not click any bad links, javascript is switched off via noscript.

[crazy_rabbit]

This night 100TRC were stolen from my account.
Password was unique and strong, it was not used on other services, it did not have some parts from my user name or e-mail,
I didn't give it to anyone, there are no viruses on my PC, I did not click any bad links, javascript is switched off via noscript.

Did you check the alt-forum thread about the TRC fork? Maybe your TRC wasn't really ever "real" in the first place. You might have bought fake TRC.

[Pingonious]

I was hacked as well on 4/17. Has anyone had any luck with BTC-e support on the issue?

[ZephramC]

First MtGox delays, then bitcoin-24.com, then terracoin ASICwars (and terrawallet), slush DDoS, now BTC-e.

I do not know if I have been hacked, but I cannot get to my finances, balance, account setting. Written to BTCe support several minutes ago and waiting for reply.

[Pingonious]

First MtGox delays, then bitcoin-24.com, then terracoin ASICwars (and terrawallet), slush DDoS, now BTC-e.

I do not know if I have been hacked, but I cannot get to my finances, balance, account setting. Written to BTCe support several minutes ago and waiting for reply.

I have been waiting a few days for a new reply from them.

[joesmoe2012]

Just enabled email confirm on withdraws thanks for te heads up guys.

[tigerfree]

i just lost 3.3 btc FUCK BTC-e there db is leaked

[crazy_rabbit]

i just lost 3.3 btc FUCK BTC-e there db is leaked

just now?

[joesmoe2012]

This hap

i just lost 3.3 btc FUCK BTC-e there db is leaked

More info please. You posted this very vague sentence in a couple of BTC-e threads, please substantiate a bit.

[mr_random]

Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

[phr0stbyt3]

Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

This was not the case when my account got breached, or it was just simply bypassed. My email and password were changed, and funds withdrawn.

Just an update, I can't get any responses from BTC-e support that have more than a few words of broken english, so I will consider my 4.55 BTC lost as a hard lesson learned:
if it looks like a website from the aol 5.0 era, it's probably just as secure.

[mr_random]

Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

This was not the case when my account got breached, or it was just simply bypassed. My email and password were changed, and funds withdrawn.

Just an update, I can't get any responses from BTC-e support that have more than a few words of broken english, so I will consider my 4.55 BTC lost as a hard lesson learned:
if it looks like a website from the aol 5.0 era, it's probably just as secure.

Hmm. I've tested this on my account and if I have the 'Withdraw only with request on E-Mail' enabled, to then change the email address or turn off the 'Withdraw only with request on E-Mail' I have to confirm the change by email (This is the first thing I checked months back when I joined btc-e.com, because I realised otherwise it makes the whole email confirmation feature unsafe and pointless if a hacker accesses your acount). Not calling you are a liar but are you absolutely sure you had the 'Withdraw only with request on E-Mail' enabled? If I gave a hacker my password he wouldn't be able to withdraw my funds because he needs my email account to disable the withdraw protection.

[phr0stbyt3]

Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

This was not the case when my account got breached, or it was just simply bypassed. My email and password were changed, and funds withdrawn.

Just an update, I can't get any responses from BTC-e support that have more than a few words of broken english, so I will consider my 4.55 BTC lost as a hard lesson learned:
if it looks like a website from the aol 5.0 era, it's probably just as secure.

Hmm. I've tested this on my account and if I have the 'Withdraw only with request on E-Mail' enabled, to then change the email address or turn off the 'Withdraw only with request on E-Mail' I have to confirm the change by email (This is the first thing I checked months back when I joined btc-e.com, because I realised otherwise it makes the whole email confirmation feature unsafe and pointless if a hacker accesses your acount). Not calling you are a liar but are you absolutely sure you had the 'Withdraw only with request on E-Mail' enabled? If I gave a hacker my password he wouldn't be able to withdraw my funds because he needs my email account to disable the withdraw protection.

Withdraw on email, in this case, is a moot point. The attacker was able to compromise my account, change my password and then change the email address on the account as demonstrated by not being able to reset my password until talking to support 24 hours later.

Withdraw on email does nothing if you can just change the email address.

[TimJBenham]

Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.

[TsuyokuNaritai]

Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.

Notified isn't much good. Does it require email confirmation to change the email address?

[TimJBenham]

Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.

Notified isn't much good. Does it require email confirmation to change the email address?

That would suck. What if you don't have access to the old email address? (changed ISP, job, whatever).

[TsuyokuNaritai]

Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.

Notified isn't much good. Does it require email confirmation to change the email address?

That would suck. What if you don't have access to the old email address? (changed ISP, job, whatever).

Presumably you change it before your email changes. If not, I guess you email BTC-E support and wait a week for a 1-word response.

But if all it does is email you when the email is changed, I don't see how that's any solution to anything, unless like Mt Gox it then waits a day before it will allow you to move coins out.

[phr0stbyt3]

Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.

Should, but wasnt. No email notifying me of the email address being changed on my account.

[ZephramC]

First MtGox delays, then bitcoin-24.com, then terracoin ASICwars (and terrawallet), slush DDoS, now BTC-e.

I do not know if I have been hacked, but I cannot get to my finances, balance, account setting. Written to BTCe support several minutes ago and waiting for reply.

So I recieved a reply: Try to clean Your browser cache
And it worked.

[carpetbagger]

Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.

Should, but wasnt. No email notifying me of the email address being changed on my account.

Yeah I tried on several occasions to set that stuff up - it never worked for me.

More mass thefts happening on BTC-e:

http://www.reddit.com/r/Bitcoin/comments/1ct644/help_me_investigate_this_link_do_not_go_to_unless/

[Professor James Moriarty]

 This topic made me realize I should not open up a btc-e account

[mr_random]

Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

This was not the case when my account got breached, or it was just simply bypassed. My email and password were changed, and funds withdrawn.

Just an update, I can't get any responses from BTC-e support that have more than a few words of broken english, so I will consider my 4.55 BTC lost as a hard lesson learned:
if it looks like a website from the aol 5.0 era, it's probably just as secure.

Hmm. I've tested this on my account and if I have the 'Withdraw only with request on E-Mail' enabled, to then change the email address or turn off the 'Withdraw only with request on E-Mail' I have to confirm the change by email (This is the first thing I checked months back when I joined btc-e.com, because I realised otherwise it makes the whole email confirmation feature unsafe and pointless if a hacker accesses your acount). Not calling you are a liar but are you absolutely sure you had the 'Withdraw only with request on E-Mail' enabled? If I gave a hacker my password he wouldn't be able to withdraw my funds because he needs my email account to disable the withdraw protection.

Withdraw on email, in this case, is a moot point. The attacker was able to compromise my account, change my password and then change the email address on the account as demonstrated by not being able to reset my password until talking to support 24 hours later.

Withdraw on email does nothing if you can just change the email address.

If 'withdraw only with request on email' is enabled the hacker needs access to your email address to change it. That is my whole point. It's more likely to me you never had it enabled because when it's enabled on my account I can only change the email address by confirming the change by email first, why would your account be any different?

[DPoS]

 This topic made me realize I should not open up a btc-e account

aRise Chinkun RiSe!!!!

[z12]

Update: So after 20 days of waiting for an answer, I finally regained my access to my account.
Lucky me, all my coins are still there (All my money was in ltc).
I Changed my password and withdrew the coins to a cold storage for the moment till a safe exchange appears.

[Shiba]

hi, i made a bitcoin deposit of 7.9btc in to my account, but after 129 confirmations on blockchain, it seems my deposit is still stuck at 0 confirmation on btc-e. it over 24hours now.

blockchain transaction- https://blockchain.info/tx/89a51ea735bca437e014e4536974eb442f57900d3fe1d6fbc13d70bc9ca29ced

[Welsh]

Note taken: Don't open a account & don't deposit any Bitcoins there, EVER.

[captainfuture]

btc-e says invalid email. cant log in.

but i can change my passoword. still cant log in though.

did i get hacked?

opend support ticket, but no answer till yet.

--edit--
i did get an email with ip adresses.
wtf?

no one word. only ip-adresses.
still cant log in with my email.

--edit-- #2

get an email with a link to set a new passowrd.
not a single word. just a link.
i think they wanna drive me crazy.

[captainfuture]

still cant log in

[captainfuture]

after 2 days i got message from support i shall try to log in. they closed my ticket.


??

i still cannot log in.

why they close my ticket, if they dont get answer if i can log in ?

had to get a new ticket. and now i am sure i will get autoanswers the next days again.

[captainfuture]

i got a link to change my password.
the same autoanswers again and again.

i am so upset. i wrote them that i changed password already but i cannot log in and they send me a link to change password.

WTF ??


Anyone can help me or say me what i shall do ?

[ychunlau]

My account got hacked 2 days ago, and all btc is gone(~4btc).
When the hacker logged into my account, no email notification is sent to my email. And no email notification is sent to me when the hacker withdrew my money.
Opened ticket on 18th July and not getting any reply.
I was really angry and ran into the police station to report police.
Got no reply on 19th July whole day so I open another ticket again just now and now i got banned from my account now. Able to login but showing "You have been banned".....

I cannot understand why the hacker can login to my account without sending notification email to me and can withdrew my btc without email request to my email account.

[joesmoe2012]

My account got hacked 2 days ago, and all btc is gone(~4btc).
When the hacker logged into my account, no email notification is sent to my email. And no email notification is sent to me when the hacker withdrew my money.
Opened ticket on 18th July and not getting any reply.
I was really angry and ran into the police station to report police.
Got no reply on 19th July whole day so I open another ticket again just now and now i got banned from my account now. Able to login but showing "You have been banned".....

I cannot understand why the hacker can login to my account without sending notification email to me and can withdrew my btc without email request to my email account.

Was there any resolution to this?

[bnjmnkent]

... bump ...

[joesmoe2012]

I've still been using btc-e without issue for months now. Not sure what happened but the guy never replied and was new.

[phr0stbyt3]

I never got any resolution at all. Only a broken English reply from BTC-e with IP logs for me to do exactly nothing with. Definitely not equipped to handle mainstream traffic and would not recommend. I don't think they even formally acknowledged any sort of account breaches. I filed police reports and all sorts of other formalities with the proper authorities.

[bnjmnkent]

I never got any resolution at all. Only a broken English reply from BTC-e with IP logs for me to do exactly nothing with. Definitely not equipped to handle mainstream traffic and would not recommend. I don't think they even formally acknowledged any sort of account breaches. I filed police reports and all sorts of other formalities with the proper authorities.

Working knowledge of Russian seems to be a prerequisite for successful use of this exchange...
Might I ask how LE investigations are coming along, please? If I had to guess btc-e would be the next exchange to be closed.