PSA: Nitrogen Account w/ 2FA Compromised and Emptied

[FeelsBadManNS1]

Hi,

I am a reasonably well known member of the high stakes gambling community but have chosen to keep this post anonymous at this time. I have been playing on nitrogensports.eu (mostly poker, but also the occasional sports bet) for over 2 years and have generally been pleased with their site. I enabled 2FA on the account (via Google Authenticator) very early on and have not changed it in at least a year (most likely two). On nitrogen, they require an OTP for logging in as well as requesting withdrawals. My email address is not connected to my account at all and I use a unique username/password to access the site that is not shown to other players and not used on other sites.

I woke up one day last week to find that my balance was empty and 2 successful withdrawals had been made. I immediately contacted support via their on-site ticket system and began inspecting all of my other accounts to try to figure out what had happened. After several days of fruitless back and forth with support and a full investigation of my own devices and accounts, I still can’t seem to figure out what happened and how my account was compromised. I was hoping someone who perhaps knows a bit more about 2FA and Google Authenticator could point me in the right direction.

Here are the facts as I understand them:

1. My 2FA Device (iPhone) was always and still is in my possession
2. None of my gmail accounts were accessed from any devices or locations that are not mine
3. My icloud account was not accessed from any devices/locations that are not mine and has 2FA of its own
4. Nitrogen was not affected by the CloudFlare vulnerability
5. There is no evidence that either one of my home computers were compromised
6. My iPhone is not backed up anywhere locally
7. None of my other 2FA enabled accounts were touched in any way. No failed logins, nothing. This includes other bitcoin exchanges/wallets.

Nitrogen conducted some type of investigation relating to the matter but did not return any useful results. What am I missing? How did this person get access to all 3 credentials (username, pass, and 2FA secret)?

[1715297781]

1715297781

[1715297781]

1715297781

[FeelsBadManNS1]

This was also posted on reddit if you'd like to view further discussion: https://www.reddit.com/r/Bitcoin/comments/5yhinf/psa_nitrogen_account_w_2fa_compromised_and_emptied/

[Dogedigital]

My first thought was phishing, but you mentioned that your username is private and not public.

What has been Nitrogen's response? Was 2fa removed manually on their side?

Surely, they can look up the past history including log-in sessions and location.

[FeelsBadManNS1]

2FA was not removed at any point from my account (as far as I can tell and support has indicated). My normal 2FA credentials were used the day following the compromise and worked correctly. Nitrogen's response was that upon completion of their investigation "We've concluded no illegitimate access to the account has occurred as a result of a breach of Nitrogen Sports security."

They refused to provide pretty much any further information. I made multiple requests for the IP(s) that accessed my account during the time period that were denied. In desperation I even requested simply that they confirm the IP(s) that accessed my account was NOT the usual login location and they also refused to assist me with that inquiry. They blamed it all on some type of user privacy policies for "my own" protection.

[ajaxmoor]

Could it be related to the recent Cloudfare compromise ?

Would like to hear their statement as well. If the hacker access the account through your details, they would certainly have the details of the IP and everything through which the request was made.

[FeelsBadManNS1]

This is their formal response from Risk Management, after conducting their investigation. I followed up requesting that they at least confirm the login and withdrawal request was made from somewhere different than my usual location and they refused to do so. I've blocked out my player number and the team members name.

"Nitrogen Sports Support at X:XXam on March X, 2017
Hi XXXXXX,

My name is Xxxx and I’m writing you on behalf of our Risk Management department in regards to the recent report of an unauthorised withdrawal. Firstly let me start by saying thank you for your patience while our investigation was conducted.

This was the first time we’ve received a report of a Nitrogen user being compromised while having 2FA enabled on the account, so we wanted to use every available resource while conducting the investigation to ensure the security of our user’s accounts.

After a thorough review of your account, login details, betting activity, poker activity, withdraw/deposit history, and otherwise, we’ve concluded that no illegitimate access to the account has occurred as a result of a breach of Nitrogen Sports security.

To address your concerns in regards to the Cloudflare being a possible point of compromise, I'd like to be clear in saying that Nitrogensports.eu was not affected by Cloudbleed to any extent, as indicated to us directly from Cloudflare themselves.

Nitrogen did recommend all users to update their passwords, however, this was done in an effort to protect our users who might have used the same password for another site which was compromised. In the event we had been affected we would have been able to detect unusual login activity very early on, which our investigation showed is also not the case.

Lastly, I’d like to provide a little insight as to why we do not offer IP’s upon user request. This has to do with a multitude of security policies we’ve set in place, but is mainly a safeguard in the event a user’s account ever is compromised. In the event this were to occur, a user may not only be able to view the sensitive information stored in our on-site tickets but then use that information how ever he likes to socially engineer his way into other secure services a user may have.

Following the conclusion of our investigation, We remain confident in our sites use of 2FA to keep users accounts and funds secure within our servers. We are sympathetic to your recent misfortune and wish you the best of luck in the retrieval of your funds.

Sincerely,

Xxxxxxxx
Risk Management
Nitrogensports.eu"

[RichDaniel]

2FA was not removed at any point from my account (as far as I can tell and support has indicated). My normal 2FA credentials were used the day following the compromise and worked correctly. Nitrogen's response was that upon completion of their investigation "We've concluded no illegitimate access to the account has occurred as a result of a breach of Nitrogen Sports security."

They refused to provide pretty much any further information. I made multiple requests for the IP(s) that accessed my account during the time period that were denied. In desperation I even requested simply that they confirm the IP(s) that accessed my account was NOT the usual login location and they also refused to assist me with that inquiry. They blamed it all on some type of user privacy policies for "my own" protection.

Nitrogen should be responsible for this hack because the hacker's IP is not the ones which you mostly use, Nitrogen has the mannual review on every withdrawal transactions, IMO they should add a new rule: withdrawals can be only made from mostly used IP.

[NitrogenSports]

Hi there,

I am sorry to hear about your situation and recent experiences on our site. As previously mentioned, our company has a policy to not release any of the personal information regarding one of our players. This policy helps to ensure that our staff does not divulge any personal or confidential information which could be used against our players (ie Phishing scams). We also have a similar policy when it comes to making statements like this on public forums regarding player disputes.

Without going into too much detail, I will explain that our team does perform manual reviews before processing any withdrawal to check for unusual activity on the account before processing. During the initial review of this account, our team did not produce any significant red flags regarding the account's login activity or play. In a subsequent investigation, our security team also received direct confirmation from Cloudflare that Nitrogen's data was not included in the Cloudbleed HTTPS traffic leak, as suggested by the player.

Please know that we take these types of reports very seriously and our support and security teams are continually monitoring for any usual log-in activity or potential compromises with site security. Two-factor authentication and manual withdraw reivews are extra layers of security offered by Nitrogen to help protect our players. However, it is ultimately up to the individual to ensure the security of their accounts and log-in credentials as stated in our rules regarding account security - https://nitrogensports.eu/n/rules

I understand your skepticism and frustration with regards to the situation. Should you have more questions about your account or the investigation, please feel free to reach out to me off-thread via marketing@nitrogensports.eu and I'd be able to help address them to the best of my abilities.

Thanks,
Calvin

[rytyr]

Don't know if I would trust a site that allows the highest account security to be broken into so easily.

[ralle14]

Don't know if I would trust a site that allows the highest account security to be broken into so easily.

No one is forcing you to trust them anyways I wouldn't say nitrogensports has one of the highest account security because they don't ask for 2fa code when making withdrawals. There's many cases like this on steam if you search about it. I'm still curious how did OP get hacked with 2fa the only way I can think of OP could get hacked is by someone having access to his pc(to bypass the 2fa) but it's unlikely since he already mentioned that his computer wasn't compromised. Nitrogen should add another layer of security based from what I said earlier to avoid cases like this in the future.

[swogerino]

If the hacker had access to your Gmail account he could have logged in and delete the post that says New sign in in Chrome. I see this as the only possibility where the hacker to have had a chance and trying it. I cannot imagine how else someone can break in any site with 2FA enabled from the phone. Really strange story this one.

[tokeweed]

Is it even possible to bypass 2FA if a site has been hacked?  I could see a few things going on here. 

1. OP is lying.
2. Nitrogen is hacked.
3. An inside job.
4. Buggy code on Nitrogen.

Do you mind telling us how much you lost and can you show us the transactions on the blockchain?

[lite]

Op sorry for your loss. would like to know if you changed your credentials recently?(after cloudbleed) 

If the hacker had access to your Gmail account he could have logged in and delete the post that says New sign in in Chrome. I see this as the only possibility where the hacker to have had a chance and trying it. I cannot imagine how else someone can break in any site with 2FA enabled from the phone. Really strange story this one.

Google will probably block access if someone tried to login from different location than usuals. i don't understand how it would have affected in hacking nitrogen account?

i think nitrogen should add some extra layer of security, like email confirmation for withdrawal/login.

[ajaxmoor]

Don't know if I would trust a site that allows the highest account security to be broken into so easily.

I wouldn't jump to conclusions too soon like that. Could also be op's fault in having his security compromised in some way. I would only jump to that conclusion maybe, if there are multiple accounts that get compromised.

[swogerino]

Op sorry for your loss. would like to know if you changed your credentials recently?(after cloudbleed) 

If the hacker had access to your Gmail account he could have logged in and delete the post that says New sign in in Chrome. I see this as the only possibility where the hacker to have had a chance and trying it. I cannot imagine how else someone can break in any site with 2FA enabled from the phone. Really strange story this one.

Google will probably block access if someone tried to login from different location than usuals. i don't understand how it would have affected in hacking nitrogen account?

i think nitrogen should add some extra layer of security, like email confirmation for withdrawal/login.

Google doesn't block access and that is a problem. I have seen US gmail accounts being hacked and last location of this gmail account being accessed to be Vietnam. This is the only leaking point where OP might have done something wrong but still strange case.

[tokeweed]

Tbh I think it's impossible to bypass 2FA remotely.  So can Nitrogen employees bypass it locally?  I think the answer to that is definitely a no too.  I also think this is a first if FeelsBadMan's 2FA was hacked.  This case could be bigger than we think.  Computer security experts could benefit from learning in this hack.