Bitcoin Forum
Author Topic: PRIMEDICE COMPROMISED [RESOLVED]  (Read 4147 times)
Wendigo
January 04, 2017, 03:28:27 PM
 #81

Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?
Joel_Jantsen
January 04, 2017, 03:31:06 PM
 #82

> Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?

According to the OP, the process seems to have happened from the back-end. That is, funds have been transferred through the database I believe.
Wendigo
January 04, 2017, 03:37:00 PM
 #83

> > Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?
>
> According to the OP, the process seems to have happened from the back-end. That is, funds have been transferred through the database I believe.

If this indeed happened on the back end all the high-rollers would have been fleeced and Primedice's hot wallet would have been emptied while Stunna was sleeping, wouldn't they?
Joel_Jantsen
January 04, 2017, 03:40:48 PM
 #84

> > > Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?
> >
> > According to the OP, the process seems to have happened from the back-end. That is, funds have been transferred through the database I believe.
>
> If this indeed happened on the back end all the high-rollers would have been fleeced and Primedice's hot wallet would have been emptied while Stunna was sleeping, wouldn't they?

Makes sense but if you read the thread from page 1, OP is not the only one who faced the problems. At the same point of time, other users claimed that their wallets have been hacked too. OP says it's an inside job but no jumping to conclusions without Stunna's side of the story.
Stunna
January 04, 2017, 03:41:14 PM
 #85

> > > Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?
> >
> > According to the OP, the process seems to have happened from the back-end. That is, funds have been transferred through the database I believe.
>
> If this indeed happened on the back end all the high-rollers would have been fleeced and Primedice's hot wallet would have been emptied while Stunna was sleeping, wouldn't they?

Indeed, there's no reason for us to believe this was a fault within our security. If I had to guess, weak password that got cracked or some sort of script/bot. Plenty of users hold much larger balances on primedice without issue (including myself).  

As always I'm happy to investigate this further for you if you provide me as much information as possible beyond just your username via email.

Stake.com Fastest growing crypto casino & sportsbook
Primedice.com The original bitcoin instant dice game
convertekk (OP)
January 04, 2017, 03:58:45 PM
 #86

> Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?

This is a very interesting point that you have raised. Firstly, they shouldn't have let two users log in from different locations, especially when a player is actively playing on one IP. Isn't that a big security loop in itself?

Secondly, no withdrawal window popped up on my account when the hacker was trying to steal my money.

Stunna, I'm sure you can reproduce this above case and please be elegant in accepting the blame for your loopholes than blaming me. I don't have any reason to cry about 55$ when I myself have wagered 100BTC on your site.

What more information do you need other than my username and email? Wouldn't you have all the information about my bets and transactions on your database? You want my physical address and dob or what?

convertekk (OP)
January 04, 2017, 03:59:51 PM
 #87

> > > > Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?
> > >
> > > According to the OP, the process seems to have happened from the back-end. That is, funds have been transferred through the database I believe.
> >
> > If this indeed happened on the back end all the high-rollers would have been fleeced and Primedice's hot wallet would have been emptied while Stunna was sleeping, wouldn't they?
>
> Indeed, there's no reason for us to believe this was a fault within our security. If I had to guess, weak password that got cracked or some sort of script/bot. Plenty of users hold much larger balances on primedice without issue (including myself).
>
> As always I'm happy to investigate this further for you if you provide me as much information as possible beyond just your username via email.

How can a weak password be cracked, Stunna? You have a captcha on your website, right? User should have guessed my password in like 3 or 4 attempts to be able to crack my password under 10 minutes. Or am I missing something?

minifrij
January 04, 2017, 04:28:21 PM
 #88

> How can a weak password be cracked, Stunna? You have a captcha on your website, right?

Captchas can be bypassed by bots through the use of external services. If a person knew that you had a weak password and enough balance to make it worth their time the captcha wouldn't be an issue.

> User should have guessed my password in like 3 or 4 attempts to be able to crack my password under 10 minutes. Or am I missing something?

Not at all. Depending on how fast PD loads he could have tried it hundreds/thousands of times in that 10 minute period. If there is rate limiting it could be less, however that could possibly be bypassed unless it was applied per account.
Either way, it would be significantly more than 3 or 4 attempts in that time frame.
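
The per-IP versus per-account distinction raised in the post above, as an added example that is not part of the original thread and is not Primedice's code: the same sliding-window limiter is keyed two ways and run over a constructed burst of wrong guesses spread across many addresses. The threshold, window, field names and sample data are all assumptions.

```python
from collections import defaultdict, deque

WINDOW = 600      # seconds: the 10-minute period discussed in the thread
MAX_FAILS = 5     # assumed threshold, not a Primedice setting


class SlidingWindowLimiter:
    """Allow at most `limit` failed logins per key within `window` seconds."""

    def __init__(self, key_fn, limit=MAX_FAILS, window=WINDOW):
        self.key_fn = key_fn
        self.limit = limit
        self.window = window
        self.fails = defaultdict(deque)   # key -> timestamps of recent failures

    def allow(self, attempt):
        q = self.fails[self.key_fn(attempt)]
        while q and attempt["ts"] - q[0] >= self.window:
            q.popleft()                   # forget failures older than the window
        return len(q) < self.limit

    def record_failure(self, attempt):
        self.fails[self.key_fn(attempt)].append(attempt["ts"])


def guesses_checked(attempts, limiter):
    """Count how many attempts actually reach the password check."""
    checked = 0
    for a in attempts:
        if not limiter.allow(a):
            continue                      # throttled before any password comparison
        checked += 1
        if not a["ok"]:
            limiter.record_failure(a)
    return checked


def constructed_attack(n=1000, ips=250):
    """Constructed sample: n wrong guesses at one account in 500 seconds,
    rotated across `ips` source addresses (documentation range)."""
    return [
        {"ts": i * 0.5, "user": "victim", "ip": f"198.51.100.{i % ips}", "ok": False}
        for i in range(n)
    ]


def compare():
    """Run the same traffic through a per-IP and a per-account limiter."""
    attempts = constructed_attack()
    per_ip = SlidingWindowLimiter(key_fn=lambda a: a["ip"])
    per_account = SlidingWindowLimiter(key_fn=lambda a: a["user"])
    return {
        "per_ip": guesses_checked(attempts, per_ip),
        "per_account": guesses_checked(attempts, per_account),
    }


if __name__ == "__main__":
    # Each address stays under the per-IP threshold, so only the
    # per-account key notices that one account is being hammered.
    print(compare())
```

A per-account limit also throttles the legitimate owner while the guessing is in progress, which is why it is usually paired with a delay or a second factor rather than a permanent lock.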
RHavar
January 04, 2017, 04:31:07 PM
 #89

BTW what was your username and password (after you changed it)? As you used a unique password to the site, it shouldn't matter saying it here. It'll likely help primedice as they can check it against the hashed version in the database, and allow people here to help you out by checking it against some combo-list sites to make sure it hasn't been leaked somewhere else.

Check out gamblingsitefinder.com for a decent list/rankings of crypto casinos. Note: I have no affiliation or interest in it, and don't even agree with all the rankings ... but it's the only uncorrupted review site I'm aware of.
convertekk (OP)
January 04, 2017, 04:36:25 PM
 #90

> > How can a weak password be cracked, Stunna? You have a captcha on your website, right?
>
> Captchas can be bypassed by bots through the use of external services. If a person knew that you had a weak password and enough balance to make it worth their time the captcha wouldn't be an issue.
>
> > User should have guessed my password in like 3 or 4 attempts to be able to crack my password under 10 minutes. Or am I missing something?
>
> Not at all. Depending on how fast PD loads he could have tried it hundreds/thousands of times in that 10 minute period. If there is rate limiting it could be less, however that could possibly be bypassed unless it was applied per account.
> Either way, it would be significantly more than 3 or 4 attempts in that time frame.

You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords. Guys, seriously! Isn't that a basic security that should be in place? Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole. Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.

None of this in place and they defend their security. Wow! It's scarier than I thought it is.

convertekk (OP)
January 04, 2017, 04:46:23 PM
 #91

> BTW what was your username and password (after you changed it)? As you used a unique password to the site, it shouldn't matter saying it here. It'll likely help primedice as they can check it against the hashed version in the database, and allow people here to help you out by checking it against some combo-list sites to make sure it hasn't been leaked somewhere else.

Ryan, seriously? You are asking me to share my password here?

I mean, is the question really about how strong my password is? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password?

Stunna
January 04, 2017, 04:48:50 PM
Last edit: January 04, 2017, 04:59:44 PM by Stunna
 #92

> > > How can a weak password be cracked, Stunna? You have a captcha on your website, right?
> >
> > Captchas can be bypassed by bots through the use of external services. If a person knew that you had a weak password and enough balance to make it worth their time the captcha wouldn't be an issue.
> >
> > > User should have guessed my password in like 3 or 4 attempts to be able to crack my password under 10 minutes. Or am I missing something?
> >
> > Not at all. Depending on how fast PD loads he could have tried it hundreds/thousands of times in that 10 minute period. If there is rate limiting it could be less, however that could possibly be bypassed unless it was applied per account.
> > Either way, it would be significantly more than 3 or 4 attempts in that time frame.
>
> You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords. Guys, seriously! Isn't that a basic security that should be in place? Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole. Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.
>
> None of this in place and they defend their security. Wow! It's scarier than I thought it is.

You've re-used that username on a handful of different websites including dodgier sites like blackhat forums. If that password is indeed unique it would be helpful if you privately shared it with me, it shouldn't matter since you aren't re-using it elsewhere right?

Since it is unique though, you should feel comfortable posting it here.

> I mean, is the question really about how strong my password is? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password?

We encourage users to set strong passwords and have very basic length requirements. I'll explore making our requirements much stronger this week.

convertekk (OP)
January 04, 2017, 04:59:06 PM
 #93

> > > > How can a weak password be cracked, Stunna? You have a captcha on your website, right?
> > >
> > > Captchas can be bypassed by bots through the use of external services. If a person knew that you had a weak password and enough balance to make it worth their time the captcha wouldn't be an issue.
> > >
> > > > User should have guessed my password in like 3 or 4 attempts to be able to crack my password under 10 minutes. Or am I missing something?
> > >
> > > Not at all. Depending on how fast PD loads he could have tried it hundreds/thousands of times in that 10 minute period. If there is rate limiting it could be less, however that could possibly be bypassed unless it was applied per account.
> > > Either way, it would be significantly more than 3 or 4 attempts in that time frame.
> >
> > You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords. Guys, seriously! Isn't that a basic security that should be in place? Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole. Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.
> >
> > None of this in place and they defend their security. Wow! It's scarier than I thought it is.
>
> You've re-used that username on a handful of different websites including dodgier sites like blackhatworld. If that password is indeed unique it would be helpful if you privately shared it with me, it shouldn't matter since you aren't re-using it elsewhere right?
>
> > I mean, is the question really about how strong my password is? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password?
>
> We encourage users to set strong passwords and have very basic length requirements. I'll explore making our requirements much stronger this week.

I'm not even sure which username you are referring to. I have multiple accounts with PD. The one that got robbed is definitely not registered with blackhatworld. Please read your emails to get my username and I've PMed you my password. I'm still skeptical about sharing my password but I had to do it anyways hoping it would help your investigation.

minifrij
January 04, 2017, 05:00:18 PM
 #94

> You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords.

What would you suggest they did? Lock your account?

> Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole.

Because it's not the website's responsibility to make sure the user has good password security. I trust that PD does all it can to secure users' passwords, although it cannot do everything.
It also isn't a loophole, it's logic. If your password is 'password123' people will guess it easily. That's not a problem with PrimeDice, it's a problem with you.

> Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.

And what about if a user has a dynamic IP? Should they just get locked out of their own account?

> I'm still skeptical about sharing my password but I had to do it anyways hoping it would help your investigation.

If you're telling the truth and it is a completely unique password it won't matter.
convertekk (OP)
January 04, 2017, 05:00:49 PM
 #95

And can I know where exactly did you encourage your users to set a strong password? Nowhere in the signup flow as I recall.

Stunna
January 04, 2017, 05:01:42 PM
 #96

> > > > > How can a weak password be cracked, Stunna? You have a captcha on your website, right?
> > > >
> > > > Captchas can be bypassed by bots through the use of external services. If a person knew that you had a weak password and enough balance to make it worth their time the captcha wouldn't be an issue.
> > > >
> > > > > User should have guessed my password in like 3 or 4 attempts to be able to crack my password under 10 minutes. Or am I missing something?
> > > >
> > > > Not at all. Depending on how fast PD loads he could have tried it hundreds/thousands of times in that 10 minute period. If there is rate limiting it could be less, however that could possibly be bypassed unless it was applied per account.
> > > > Either way, it would be significantly more than 3 or 4 attempts in that time frame.
> > >
> > > You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords. Guys, seriously! Isn't that a basic security that should be in place? Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole. Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.
> > >
> > > None of this in place and they defend their security. Wow! It's scarier than I thought it is.
> >
> > You've re-used that username on a handful of different websites including dodgier sites like blackhatworld. If that password is indeed unique it would be helpful if you privately shared it with me, it shouldn't matter since you aren't re-using it elsewhere right?
> >
> > > I mean, is the question really about how strong my password is? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password?
> >
> > We encourage users to set strong passwords and have very basic length requirements. I'll explore making our requirements much stronger this week.
>
> I'm not even sure which username you are referring to. I have multiple accounts with PD. The one that got robbed is definitely not registered with blackhatworld. Please read your emails to get my username and I've PMed you my password. I'm still skeptical about sharing my password but I had to do it anyways hoping it would help your investigation.

If it's a 100% unique password no longer in play what's the issue with sharing it?

RHavar
January 04, 2017, 05:06:41 PM
 #97

> Ryan, seriously? You are asking me to share my password here?
>
> I mean, is the question really about how strong my password is? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password?

Sure, why not? My password was yMrND9DpHD9T (but I just changed it). Your account has already been hacked, so it presumedly doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim Grin

convertekk (OP)
January 04, 2017, 05:11:40 PM
 #98

> > You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords.
>
> What would you suggest they did? Lock your account?
>
> > Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole.
>
> Because it's not the website's responsibility to make sure the user has good password security. I trust that PD does all it can to secure users' passwords, although it cannot do everything.
> It also isn't a loophole, it's logic. If your password is 'password123' people will guess it easily. That's not a problem with PrimeDice, it's a problem with you.
>
> > Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.
>
> And what about if a user has a dynamic IP? Should they just get locked out of their own account?
>
> > I'm still skeptical about sharing my password but I had to do it anyways hoping it would help your investigation.
>
> If you're telling the truth and it is a completely unique password it won't matter.

You are asking the right questions. Just to the wrong person. You tell me, what should your bank do when you enter an ATM PIN wrongly for more than 3 times?

Well if someone is as dumb as setting his password as password123, he deserves to be hacked but unfortunately that's not my password.

Maybe Stunna can answer how a user can log in without a password if he is using dynamic IP. I have no idea how anybody can do it.

A password is a password is a password that simply cannot be shared on a public forum even if it is unique to this site. Let's just say I don't want to share it with you here in public. I shared it with Stunna anyways.

Stunna
January 04, 2017, 05:11:58 PM
 #99

> > Ryan, seriously? You are asking me to share my password here?
> >
> > I mean, is the question really about how strong my password is? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password?
>
> Sure, why not? My password was yMrND9DpHD9T (but I just changed it). Your account has already been hacked, so it presumedly doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim Grin

Hah, good point.

If you post your password convertekk, I'll refund you for the loss. Also, we'll look into setting tighter requirements for passwords and maybe offer a 2fa on cashout option.

> A password is a password is a password that simply cannot be shared on a public forum even if it is unique to this site. Let's just say I don't want to share it with you here in public. I shared it with Stunna anyways.

So.. this isn't a unique password? Okay.

convertekk (OP)
January 04, 2017, 05:13:27 PM
 #100

> > Ryan, seriously? You are asking me to share my password here?
> >
> > I mean, is the question really about how strong my password is? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password?
>
> Sure, why not? My password was yMrND9DpHD9T (but I just changed it). Your account has already been hacked, so it presumedly doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim Grin

I can tell you that my password is stronger than yours with more than alphanumeric.
