Bitcoin Forum
Author Topic: Blockchain.info Unauthorized Withdraw  (Read 3351 times)
elrodvoss (OP), Member
April 25, 2013, 10:55:25 PM, #1

Twice in two weeks I have had coins removed from my account. The first time I could understand, because my email may have been compromised, but I changed all my passwords, added the IP address logging to blockchain and did two-key on Google.

Less than an hour ago I got a notification via text that another withdrawal was done.
Again only one coin, but still that's $130.

I log in and check the log and there is no ISP entry at any time for a withdrawal. Only my entries on phone and computer.

Is there something else that I should know? My only other options would be to go back to the old wallet or restrict the IP address for blockchain.

Again I changed my password. It uses a combo of capital and lowercase letters, numbers and symbols.

I have no virus on my home computer.

It's the no log that really irks me. How can a withdrawal be made without an entry made?


SgtSpike, Legendary
April 25, 2013, 11:10:43 PM, #2

Did you create a new wallet after the first hack?  The attacker still has access to the private keys of all the addresses from your old wallet, so you would want to immediately discontinue using that wallet, even if you did "resecure" it.

DeathAndTaxes (Gerald Davis), Donator, Legendary
April 25, 2013, 11:11:00 PM, #3

Please tell me after the first compromise you threw away that entire wallet and started fresh?

If not, the attacker didn't need to hack anything.  After the first attempt he had a copy of your wallet.  He just waited for you to put funds into it and stole it.  Once the attacker has the wallet (= has the private keys) he doesn't even need access to the website anymore.  If you put more coins in there, once the attacker notices them he will transfer them out.  100 years from now he could still steal coins.

If your wallet is compromised, it is compromised.  Period.  You should assume all private keys connected to that wallet are totally and completely compromised.  Move funds out of the wallet (if any).  Destroy all copies and start fresh.

elrodvoss (OP), Member
April 25, 2013, 11:26:21 PM, #4

Sad that it cost me $200 to learn that lesson.

Didn't realize/remember they would have access due to private keys.

Guess I'll have to get a new wallet and start fresh.

Such a kick in the balls though.  From what I learned they got over 500 coins in transactions to the account that it was transferred to.

Grrr.

Thanks anyway.  Lesson learned the hard way.

FYI pardon any bad typing.  On phone at work.




BTC Books, Member
April 25, 2013, 11:29:14 PM, #5

Quote from: elrodvoss
Sad that it cost me $200 to learn that lesson.

Didn't realize/remember they would have access due to private keys.

Guess I'll have to get a new wallet and start fresh.

Such a kick in the balls though.  From what I learned they got over 500 coins in transactions to the account that it was transferred to.

Grrr.

Thanks anyway.  Lesson learned the hard way.

FYI pardon any bad typing.  On phone at work.

So you're saying your address is in the same transaction as this one?

https://bitcointalk.org/index.php?topic=187822.0


elrodvoss (OP), Member
April 25, 2013, 11:40:48 PM, #6

This is the address that is listed in my transactions as where my coins were sent the second time:
1JKJdYSZNrWSca1b9ajejdmjuqooE7TLFr

Details of transaction:
You Sent: 1.00779078 BTC ($142.60)
Value at time of transaction: $146.94
Hash: 89f8223bc1d9140889496dea8...
Sent Time: 2013-04-25 22:22:48 (+26 minutes to confirm)
Confirmations: 8 Confirmations
Double Spend: No Double Spend Detected
Transaction Fee: 0.0155 BTC

Not sure if this will show, but here is the detailed info of that address:
https://blockchain.info/address/1JKJdYSZNrWSca1b9ajejdmjuqooE7TLFr
So if I'm reading that right, that person just made 542 coins in less than 5 mins from several dozen accounts.

My wallet is 1J71jWZqvoK6n9TLvuQjy3kgxctx9QbpQ8, and is at zero coins and in 5 hours will be defunct.

silvereagle, Newbie
April 25, 2013, 11:44:17 PM, #7

That's the same address mine went to.

franky1, Legendary
April 26, 2013, 01:08:19 AM (last edit: April 26, 2013, 01:20:06 AM by franky1), #8

silvereagle

elrodvoss

Have both of you contacted PIUK (the guy behind blockchain.info)? He might be able to help you out more.
https://bitcointalk.org/index.php?action=profile;u=17928

Also, are there any other places that you BOTH imported your private keys into?

Maybe you both downloaded a rogue program that keylogged you both and decided today was the day to take some funds.
As the transaction reveals that someone somewhere has both of your private keys in one wallet, check with each other if you both use any other mobile app wallets or other things; even check where you both downloaded your miners or qt clients from.

I think silvereagle said in another thread he had his email hacked and had his blockchain compromised ages ago before this loss; has elrodvoss had previous losses?

Seems strange 2 "noobs" have had losses due to this same attack and no key/long-established members have claimed losses (yet).


Logik, Sr. Member
April 26, 2013, 01:49:48 AM, #9

Blockchain.info really needs to start forcing 2 factor on all new accounts. Otherwise this will keep happening.

In addition it would be helpful if they provided information like in DeathAndTaxes' post to users after having their passwords stolen.


silvereagle, Newbie
April 26, 2013, 01:51:38 AM, #10

Quote from: franky1
silvereagle

elrodvoss

Have both of you contacted PIUK (the guy behind blockchain.info)? He might be able to help you out more.
https://bitcointalk.org/index.php?action=profile;u=17928

Also, are there any other places that you BOTH imported your private keys into?

Maybe you both downloaded a rogue program that keylogged you both and decided today was the day to take some funds.
As the transaction reveals that someone somewhere has both of your private keys in one wallet, check with each other if you both use any other mobile app wallets or other things; even check where you both downloaded your miners or qt clients from.

I think silvereagle said in another thread he had his email hacked and had his blockchain compromised ages ago before this loss; has elrodvoss had previous losses?

Seems strange 2 "noobs" have had losses due to this same attack and no key/long-established members have claimed losses (yet).

Just interacted with PIUK on the other thread we've been discussing this in - the one I started.  Ideally just looking to determine which apps I can trust again.

adamstgBit (Trusted Bitcoiner), Legendary
April 26, 2013, 02:17:40 AM, #11

elrodvoss

Please answer these questions too.

Quote:
Unfortunately I think more users are likely to be affected by this transaction.

Any users who own an address used in the above transaction (https://blockchain.info/tx/89f8223bc1d9140889496dea843df1854f17aee35b8ac5006ec1efee2ba5bd80) please could you answer the following questions:

  • Do you have a bitcoin app on your android phone?
  • Do you have a blockchain.info wallet holding the address in question?
  • If you have a blockchain wallet do you use a public alias the same as your bitcointalk, bitcoin-otc or irc username?
  • Do you have accounts on one of the following sites: BTC-e, bitcoin-central or mining.bitcoin.cz?
  • Do you reuse the same wallet password on different websites (specifically the above sites)?
  • Do you read the BTC-e chat box?
  • Does your browser have Java enabled? http://isjavaenabled.com

Maybe we can figure out what's going on.
I suspect BTC-e has some flaw that allows hackers to run some custom JS...
Have you ever used BTC-e?

elrodvoss (OP), Member
April 26, 2013, 02:54:54 AM, #12

My email was possibly hacked. I had coins removed from my account last week (1 coin) and that's when I changed all my passwords for everything.  Bank, Google, credit cards, etc.

I have a main computer and a laptop.  Both with antivirus and malware protection.  Nothing new installed other than downloads of Linux distros for the new rig.

Have several apps on the GS3, but nothing new.

I have no idea how I could have been a victim, esp. in the last 2-3 weeks.

I do use Slush pool and know that has been attacked over the last 3 weeks.  But it was stated that everything was secure.  PW changed there and wallet address checked as well.

Still on phone but may be more detailed when I get home.

Only other thing was I've been looking for new ways to cash coins since Mt. Gox changed, but that was after the first issue a week ago.  So doubt that was the issue.

On phone I use Mt. Gox mobile and the blockchain app.

Use two rigs with the main computer running Slush's proxy program for stratum.  That's been running for 2 months.

Been using blockchain for 6-8 months without issue.

blacksmithtm, Member
April 26, 2013, 03:04:27 AM (last edit: April 26, 2013, 03:27:15 AM by blacksmithtm), #13

If you are using their phone app, don't. It makes you vulnerable, especially if you have a rooted/modded phone.

elrodvoss (OP), Member
April 26, 2013, 03:23:32 AM, #14

Quote from: blacksmithtm
If you are using their phone app, don't. It makes you vulnerable, especially if you have a rooted phone.

Which?
Blockchain's app
or
Mt. Gox mobile site?

And the phone is not rooted.

blacksmithtm, Member
April 26, 2013, 03:29:47 AM (last edit: April 26, 2013, 03:40:59 AM by blacksmithtm), #15

It's just bad practice giving your phone access to your main hoard of bitcoin. The blockchain.info wallet stores the password in plaintext AFAIK. It's not a problem because the app is sandboxed, so no other apps should have access to it (unless the phone is rooted or modded). However, the phone is just another way in for a keylogger or malware. It's a potential backdoor if you give it access to your main hoard.

elrodvoss (OP), Member
April 26, 2013, 03:30:54 AM, #16

Quote from: franky1
silvereagle

elrodvoss

Have both of you contacted PIUK (the guy behind blockchain.info)? He might be able to help you out more.
https://bitcointalk.org/index.php?action=profile;u=17928

Also, are there any other places that you BOTH imported your private keys into?

Maybe you both downloaded a rogue program that keylogged you both and decided today was the day to take some funds.
As the transaction reveals that someone somewhere has both of your private keys in one wallet, check with each other if you both use any other mobile app wallets or other things; even check where you both downloaded your miners or qt clients from.

I think silvereagle said in another thread he had his email hacked and had his blockchain compromised ages ago before this loss; has elrodvoss had previous losses?

Seems strange 2 "noobs" have had losses due to this same attack and no key/long-established members have claimed losses (yet).

I've placed a ticket with the blockchain.info site.  No word from them yet other than a confirmation email.

I have never imported any other keys or wallets into blockchain.  I was using blockchain since I could easily transfer funds from blockchain -> Mt. Gox -> BitInstant.

As mentioned before I was hit a week ago and just thought someone got into my email.  Thought that just changing all my passwords would do the trick.  Shows that it didn't, sadly.


simonk83, Hero Member
April 26, 2013, 03:33:53 AM, #17



Quote from: elrodvoss
It's the no log that really irks me.  How can a withdrawal be made without an entry made?

Agreed, this is the main worry in all this I think...

Terk, Hero Member
April 26, 2013, 03:40:26 AM, #18

Quote from: elrodvoss
It's the no log that really irks me.  How can a withdrawal be made without an entry made?
Quote from: simonk83
Agreed, this is the main worry in all this I think...

Blockchain.info is only a client. It doesn't store bitcoins itself; it only stores the credentials needed to send bitcoins from your addresses (that is, the private keys for your bitcoin addresses). If his computer/phone has been compromised, these credentials might have been logged/copied during one of his legitimate logins to blockchain.info and sent to the attacker. The attacker could then use these stolen credentials with any other bitcoin client (like Bitcoin-Qt, Armory, Multibit, etc.) to send bitcoins, and that's why blockchain.info didn't have any suspicious logins.

franky1, Legendary
April 26, 2013, 03:46:30 AM, #19

No log means they didn't log into your account to send the funds.

It means they got your private key previously, and then added it to their own client/wallet and decided today was the day to empty you out.

So if elrodvoss only had the private key in blockchain.info and not an Electrum or qt client, then obviously someone at some point got into his and silvereagle's blockchain.info account at an earlier date and copied the private keys, and just waited a few days/week before sweeping them.


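The point DeathAndTaxes, Terk and franky1 make (once the private key has been copied, whoever holds it can spend from any client, so the web wallet records no login and changing its password changes nothing) follows directly from how a Bitcoin address is built. The script below is an added example, not code from this thread or from blockchain.info: it derives a mainnet P2PKH address from a private key with a self-contained secp256k1 scalar multiplication, SHA-256/RIPEMD-160 hashing and Base58Check encoding. It uses the well-known test-vector key 1 (a constant anyone can look up, so never fund it) to show that the address is a pure function of the key: no account, password or server is involved in the derivation, which is why rotating the password does not regain control and the only remedy is to move remaining funds to a freshly generated key.

```python
import hashlib

# secp256k1 domain parameters (public constants of the Bitcoin curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point=G):
    """Double-and-add k*point (not constant-time; fine for a demonstration)."""
    if not 0 < k < N:
        raise ValueError("private key out of range")
    result, addend = None, point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def pubkey_bytes(privkey, compressed=True):
    """SEC1 encoding of the public key derived from privkey."""
    x, y = scalar_mult(privkey)
    if compressed:
        return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload):
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # each leading zero byte is written as a leading '1'
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def base58check_decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on characters outside the alphabet
    data = n.to_bytes((n.bit_length() + 7) // 8, "big")
    data = b"\x00" * (len(s) - len(s.lstrip("1"))) + data
    payload, chk = data[:-4], data[-4:]
    if _checksum(payload) != chk:
        raise ValueError("bad Base58Check checksum")
    return payload


def address_from_privkey(privkey, compressed=True):
    """P2PKH address: version 0x00 + RIPEMD160(SHA256(pubkey)), Base58Check encoded."""
    sha = hashlib.sha256(pubkey_bytes(privkey, compressed)).digest()
    h160 = hashlib.new("ripemd160", sha).digest()
    return base58check_encode(b"\x00" + h160)


def address_valid(addr):
    """True if addr is a well-formed mainnet P2PKH address with a good checksum."""
    try:
        payload = base58check_decode(addr)
    except ValueError:
        return False
    return len(payload) == 21 and payload[0] == 0


if __name__ == "__main__":
    k = 1  # published test-vector key: whoever knows it controls the address, forever
    print("compressed  :", address_from_privkey(k))
    print("uncompressed:", address_from_privkey(k, compressed=False))
    # No password, account or server appears anywhere above; changing a web-wallet
    # password leaves k, and therefore the address and who can spend from it, untouched.
```

A destination address shared by two victims in one transaction, as silvereagle and elrodvoss saw, tells you only that the spender held both keys in one wallet; the addresses themselves say nothing about how the keys were taken, which is why the thread's advice is to abandon the old keys rather than to investigate the login log.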

elrodvoss (OP), Member
April 26, 2013, 03:50:26 AM, #20


Quote from: adamstgBit
Unfortunately I think more users are likely to be affected by this transaction.

Any users who own an address used in the above transaction (https://blockchain.info/tx/89f8223bc1d9140889496dea843df1854f17aee35b8ac5006ec1efee2ba5bd80) please could you answer the following questions:

  • A:  Do you have a bitcoin app on your android phone?
  • B:  Do you have a blockchain.info wallet holding the address in question?
  • C:  If you have a blockchain wallet do you use a public alias the same as your bitcointalk, bitcoin-otc or irc username?
  • D:  Do you have accounts on one of the following sites: BTC-e, bitcoin-central or mining.bitcoin.cz?
  • E:  Do you reuse the same wallet password on different websites (specifically the above sites)?
  • F:  Do you read the BTC-e chat box?
  • G:  Does your browser have Java enabled? http://isjavaenabled.com

Maybe we can figure out what's going on.
I suspect BTC-e has some flaw that allows hackers to run some custom JS...
Have you ever used BTC-e?

A:  I have several bitcoin apps.  Nothing new in the last several months.  Blockchain, bitcoin calculator, miner status.
B:  I posted above the wallet that was used today.  Unsure if that was the same one, only because I haven't looked and compared at the moment.
C:  Same name on blockchain and bitcointalk.
D:  I mine at bitcoin.cz (Slush).
E:  Sadly the same password, though it was a strong 10+ character one using capital and lowercase letters, numbers, and symbols.
F:  Do not read the BTC-e chat box (don't even know what it is).
G:  Java is enabled on this computer.

For myself this only started in the last 14 days.

4/13 was the withdrawal, but I thought it was from the email hack.
Wallet address was:  1Nr8BbTNTYutpdHKYzDJpAUcuo2wToL1C2
That one only had 5.2 coins removed from various accounts.

The one from today was over 500 coins in their attack, though my loss was only 1.

I have ordered a "Raspberry Pi" rig that I will be using as my solo bitcoin interface.  So that should take care of most issues.  I'll have to come up with unique passwords for the rest of my bitcoin accounts.  Of course the only fear is that with multiple passwords I will forget/lose them, and writing them down defeats the purpose on some level.

I could go back to a two-wallet system.  But if they get into my slush account or blockchain they could see the address (public, not private).