Bitcoin Forum
November 08, 2024, 05:15:26 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 [7] 8 »  All
  Print  
Author Topic: PRIMEDICE COMPROMISED [RESOLVED]  (Read 4204 times)
convertekk (OP)
Member
**
Offline Offline

Activity: 84
Merit: 10

Javascript developer, Available for work


View Profile WWW
January 04, 2017, 06:02:02 PM
 #121




Out of interest, for a couple of days I logged peoples username/password and tried to look them or crack them myself. I think my success rate was about 20-30%.


and this coming from the owner of bustabit! WOW!! speechless! can anybody feel more naked around these websites ?

Just to be very clear, I was only trying to crack their bustabit password (based on information I could find online), I obviously wasn't attempting to crack their other accounts based on the password used at bustabit.  And that risk is now 0, because bustabit doesn't even let users pick their own password.

what do you mean by logging their usernames/passwords then ? Atleast that's a good feature that you have, setting the password for user. Hope you'd take the blame when a user's account gets hacked on your website considering you have set the password for them.

convertekk (OP)
Member
**
Offline Offline

Activity: 84
Merit: 10

Javascript developer, Available for work


View Profile WWW
January 04, 2017, 06:04:15 PM
 #122




Out of interest, for a couple of days I logged peoples username/password and tried to look them or crack them myself. I think my success rate was about 20-30%.


and this coming from the owner of bustabit! WOW!! speechless! can anybody feel more naked around these websites ?

Just to be very clear, I was only trying to crack their bustabit password (based on information I could find online), I obviously wasn't attempting to crack their other accounts based on the password used at bustabit.  And that risk is now 0, because bustabit doesn't even let users pick their own password.

Wasn't there a bug where you were able to modify the value of the password field and choose your own password? It happened a while ago so I assumed it's patched now but eh

And @op I wouldn't be worried if Ryan knew my bank accounts details lol. It'd probably trust him more than it's trust me

You never know. Ryan's getting robbed by Dudax these days. He might have other ideas with your bank account details. lol.

robert05210
Newbie
*
Offline Offline

Activity: 7
Merit: 0


View Profile
January 04, 2017, 06:06:27 PM
 #123




Out of interest, for a couple of days I logged peoples username/password and tried to look them or crack them myself. I think my success rate was about 20-30%.


and this coming from the owner of bustabit! WOW!! speechless! can anybody feel more naked around these websites ?

Just to be very clear, I was only trying to crack their bustabit password (based on information I could find online), I obviously wasn't attempting to crack their other accounts based on the password used at bustabit.  And that risk is now 0, because bustabit doesn't even let users pick their own password.

Wasn't there a bug where you were able to modify the value of the password field and choose your own password? It happened a while ago so I assumed it's patched now but eh

And @op I wouldn't be worried if Ryan knew my bank accounts details lol. It'd probably trust him more than it's trust me

You never know. Ryan's getting robbed by Dudax these days. He might have other ideas with your bank account details. lol.

Truth be told I don't even have a bank account :*

if I could take back the day I deposited I sure as hell wish I bloody could. Can't believe that people like HufflePuff cheat the system and make millions innocently while people like us lose barely a fraction of how much he stole and we get told to suck it up. But I guess it sucks for Stunna as well :/

Stunna will you be on in 8 hours? I'd really like to converse with you about this more deeply.
RHavar
Legendary
*
Offline Offline

Activity: 1463
Merit: 1886



View Profile
January 04, 2017, 06:20:36 PM
 #124

It might be a good time to close the thread. There doesn't seem to be a single person who used good security practices who has had any problem. Hopefully though it is a useful lesson for everyone to always use a password manager, both for PrimeDice and every other site. I do not believe there are many people on earth who are capable of reliably remembering unique secure passwords for dozens of different websites.

Something like lastpass is free and works in pretty much every platform. There's really no excuse to not use something like it. Obviously sites like PrimeDice will try do their best to protect users even if their password is weak/compromised, but people need to take responsibility to have a secure password and play from a malware-free device (even with 2FA, a compromised device can still screw you)

It's a pain in the ass setting up a password manager, but it really is time well spent. Like for instance, like a month ago 340M accounts details from AdultFriendFinder seem to have been leaked. It was really nice to not have to worry about about the security of any of my other accounts.


Atleast that's a good feature that you have, setting the password for user. Hope you'd take the blame when a user's account gets hacked on your website considering you have set the password for them.

Well it's still users responsibility to keep their password safe. If you share it with someone (intentionally or accidentally) then it's your own problem. But if a password was brute forced (which has never even closed to have happened, I would know as all attempts are logged and monitored) then I would happily refund any loses.


Wasn't there a bug where you were able to modify the value of the password field and choose your own password? It happened a while ago so I assumed it's patched now but eh

Actually it's intentional. The secure password is generated client-side, which allows users to manipulate it (if they're technical and have a good reason to do so). However, even so
I still verify it zxcvbn to make sure it's reasonably secure.

Check out gamblingsitefinder.com for a decent list/rankings of crypto casinos. Note: I have no affiliation or interest in it, and don't even agree with all the rankings ... but it's the only uncorrupted review site I'm aware of.
convertekk (OP)
Member
**
Offline Offline

Activity: 84
Merit: 10

Javascript developer, Available for work


View Profile WWW
January 04, 2017, 06:29:35 PM
 #125

close the thread ? how ? No investigation, no refund. I was forced to enter my password here to prove a point and now he disappears!!

lowbander80
Legendary
*
Offline Offline

Activity: 1036
Merit: 1000


View Profile
January 04, 2017, 06:40:42 PM
 #126

I own the site gamblercity.bid I may blog the rights and wrongs this weekend.Or other people can on the site
mOgliE
Legendary
*
Offline Offline

Activity: 1344
Merit: 1251



View Profile
January 04, 2017, 06:43:27 PM
 #127

close the thread ? how ? No investigation, no refund. I was forced to enter my password here to prove a point and now he disappears!!

Well... What do you expect? You didn't use 2FA even if it was available so...
I didn't know they put this feature online. But if you didn't use all security tools at your disposal you can't really blame the site for it.

convertekk (OP)
Member
**
Offline Offline

Activity: 84
Merit: 10

Javascript developer, Available for work


View Profile WWW
January 04, 2017, 06:55:09 PM
 #128

I own the site gamblercity.bid I may blog the rights and wrongs this weekend.Or other people can on the site

I'm considering couple of other sites but I'd love to do that there too.

convertekk (OP)
Member
**
Offline Offline

Activity: 84
Merit: 10

Javascript developer, Available for work


View Profile WWW
January 04, 2017, 06:56:19 PM
 #129

close the thread ? how ? No investigation, no refund. I was forced to enter my password here to prove a point and now he disappears!!

Well... What do you expect? You didn't use 2FA even if it was available so...
I didn't know they put this feature online. But if you didn't use all security tools at your disposal you can't really blame the site for it.

what percentage of people use 2FA ? all the others who don't use 2FA are insecure too ? The site should enforce 2FA too in that case. What do they do instead ? They let people make deposits even without having a password. Agreed that you want a zero-friction onboarding of users but you have to be highly secure to have something like that. The whole point of having a password less/email less sign up is to decrease overhead. How do they expect users to signup for 2FA when they don't even expect them to set a password ?

mOgliE
Legendary
*
Offline Offline

Activity: 1344
Merit: 1251



View Profile
January 04, 2017, 07:06:10 PM
 #130

close the thread ? how ? No investigation, no refund. I was forced to enter my password here to prove a point and now he disappears!!

Well... What do you expect? You didn't use 2FA even if it was available so...
I didn't know they put this feature online. But if you didn't use all security tools at your disposal you can't really blame the site for it.

what percentage of people use 2FA ? all the others who don't use 2FA are insecure too ? The site should enforce 2FA too in that case. What do they do instead ? They let people make deposits even without having a password. Agreed that you want a zero-friction onboarding of users but you have to be highly secure to have something like that. The whole point of having a password less/email less sign up is to decrease overhead. How do they expect users to signup for 2FA when they don't even expect them to set a password ?

Dude it's not that...

It's just that you can't blame them for getting your coins stolen if you haven't used all the security sets they provide!
How could they enforce 2FA use? I mean that wouldn't be logical! They're not babysitters here to protect you, they give you a way to gamble and they gove you a way to do it in a safe environment. If you're too lazy to use the security tools they provide... Well you can't really argue with them afterwards. What's your argument? "You should have obliged me to be less lazy and secure my account!"?

convertekk (OP)
Member
**
Offline Offline

Activity: 84
Merit: 10

Javascript developer, Available for work


View Profile WWW
January 04, 2017, 07:11:29 PM
 #131

close the thread ? how ? No investigation, no refund. I was forced to enter my password here to prove a point and now he disappears!!

Well... What do you expect? You didn't use 2FA even if it was available so...
I didn't know they put this feature online. But if you didn't use all security tools at your disposal you can't really blame the site for it.

what percentage of people use 2FA ? all the others who don't use 2FA are insecure too ? The site should enforce 2FA too in that case. What do they do instead ? They let people make deposits even without having a password. Agreed that you want a zero-friction onboarding of users but you have to be highly secure to have something like that. The whole point of having a password less/email less sign up is to decrease overhead. How do they expect users to signup for 2FA when they don't even expect them to set a password ?

Dude it's not that...

It's just that you can't blame them for getting your coins stolen if you haven't used all the security sets they provide!
How could they enforce 2FA use? I mean that wouldn't be logical! They're not babysitters here to protect you, they give you a way to gamble and they gove you a way to do it in a safe environment. If you're too lazy to use the security tools they provide... Well you can't really argue with them afterwards. What's your argument? "You should have obliged me to be less lazy and secure my account!"?

No offense but I'm having difficulty in understanding your arguments. Instead of providing 2FA, why didn't they secure themselves from bruteforce ? Isn't that the right way to go about it when you know more than 90% of your users are not going to use 2FA anyways. You yourself lost some coins there, I'm not sure why you are taking their side though. It kind of beats the whole point of getting them to fix their security.

lowbander80
Legendary
*
Offline Offline

Activity: 1036
Merit: 1000


View Profile
January 04, 2017, 07:19:49 PM
Last edit: January 04, 2017, 08:13:38 PM by lowbander80
 #132

Put simply: the lack of  pattern monitoring on Primedice servers was this the main reason this attack took place.All servers I have were money or crypto are involved have pattern monitoring installed this would have triggered a lock down on the account
convertekk (OP)
Member
**
Offline Offline

Activity: 84
Merit: 10

Javascript developer, Available for work


View Profile WWW
January 04, 2017, 07:29:23 PM
 #133

Thanks to you Stunna, My account is now stolen. I'm not sure how to feel about it.  Undecided

StarBruck
Member
**
Offline Offline

Activity: 117
Merit: 10


View Profile
January 04, 2017, 07:57:41 PM
 #134

What's going on here?
lowbander80
Legendary
*
Offline Offline

Activity: 1036
Merit: 1000


View Profile
January 04, 2017, 08:14:54 PM
 #135

Just someone complaining their account was compromised and funds stolen
StarBruck
Member
**
Offline Offline

Activity: 117
Merit: 10


View Profile
January 04, 2017, 08:57:48 PM
 #136

For some reason I'm not surprised.
devans
Sr. Member
****
Offline Offline

Activity: 528
Merit: 368


View Profile
January 04, 2017, 09:03:59 PM
 #137

Thanks to you Stunna, My account is now stolen. I'm not sure how to feel about it.  Undecided

How did that happen?
convertekk (OP)
Member
**
Offline Offline

Activity: 84
Merit: 10

Javascript developer, Available for work


View Profile WWW
January 04, 2017, 09:05:47 PM
 #138

Thanks to you Stunna, My account is now stolen. I'm not sure how to feel about it.  Undecided

How did that happen?

He forced me to share the password on this thread.

devans
Sr. Member
****
Offline Offline

Activity: 528
Merit: 368


View Profile
January 04, 2017, 09:17:50 PM
 #139

He forced me to share the password on this thread.

BTW what was your username and password (after you changed it)? (…)
(…) If you want a full refund feel free to post it here (after changing it on primedice) and close this discussion. I also have strong doubts you only used it on primedice which is why I imagine you are hesitant. 

(emphasis mine in both quotes)
convertekk (OP)
Member
**
Offline Offline

Activity: 84
Merit: 10

Javascript developer, Available for work


View Profile WWW
January 04, 2017, 09:27:51 PM
 #140

feel free to post it here (after changing it on primedice) and close this discussion.

He forced me to share the password on this thread.

:sigh:

Do we get the edit history on that comment please ? I'm pretty sure the "after changing it on primedice" was added later. Just like how he changed the words "blatant lies" to "simply untrue"

Pages: « 1 2 3 4 5 6 [7] 8 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!