Bitcoin Forum

Topic: ripple account hacked (Read 2782 times)
BRules (OP), Sr. Member
May 06, 2013, 01:18:32 AM, #1

About a month ago I received 30000 ripples from the giveaway thread, did some tests and never touched my account again. But today I entered my account again and I saw that 11 days ago someone hacked into my account and transferred all my ripples to other addresses. I just want to know if this happened to someone else (security breach in ripple server) or if it was just my account that was hacked (8-character password).

Chuck, Member
May 06, 2013, 01:20:22 AM, #2

Quote from: BRules
About a month ago I received 30000 ripples from the giveaway thread, did some tests and never touched my account again. But today I entered my account again and I saw that 11 days ago someone hacked into my account and transferred all my ripples to other addresses. I just want to know if this happened to someone else (security breach in ripple server) or if it was just my account that was hacked (8-character password).

Did you use the same name (BRules) as your ripple wallet's name?

markm, Legendary
May 06, 2013, 01:21:00 AM, #3

Pass phrase, isn't it, for Ripple?

So, an eight character phrase?

Hmm...

-MarkM-

BRules (OP), Sr. Member
May 06, 2013, 01:38:53 AM, #4

Quote from: Chuck
Did you use the same name (BRules) as your ripple wallet's name?

yes

Quote from: markm
Pass phrase, isn't it, for Ripple?

So, an eight character phrase?

Hmm...

-MarkM-


I know this is weak, but as it was an online password I think it will take a while to crack this password.

Trading, Legendary
May 06, 2013, 01:39:20 AM, #5

Search for the ripple address to where the XRPs were sent on the forum and on Google; you might find the nick of the user on the giveaway thread or some other place. To get a new ripple address you need to open another account, and he might have been too lazy to do that. If you find nothing, check if the money is still in his account by entering his address at https://ripple.com/graph/. If the money was sent to another account, try to search that one (but he could have sold them to an innocent person).
If you find the username, try to get him a scammer tag and to get his email and IP from the mods, and google the email and nickname; you might end up finding his social network account and private information, or another email linked to the previous one that leads to the social account. Then, use your imagination: write him and say that if he doesn't give back the XRPs you will email his family and friends about what he has done; complain to any available authority with evidence, etc.

markm, Legendary
May 06, 2013, 01:46:06 AM, #6

Quote from: BRules
I know this is weak, but as it was an online password I think it will take a while to crack this password.

I didn't think it *was* "an online password".

I thought what it is is a private key, like in bitcoin, and used for things like encrypting your data blob that you can store at a blob storage facility. Or, if not the private key, then, like a brainwallet, a seed used to deterministically generate one or more private keys.

Thus, I had always thought that hackers could spend as much computer power as they wish, for as long as they wish, cracking it, just like any private key controlling any bitcoin address or any brainwallet phrase used to deterministically generate a deterministic wallet.

-MarkM-

BRules (OP), Sr. Member
May 06, 2013, 02:38:28 AM, #7

Quote from: Trading
Search for the ripple address to where the XRPs were sent on the forum and on Google; you might find the nick of the user on the giveaway thread or some other place. To get a new ripple address you need to open another account, and he might have been too lazy to do that. If you find nothing, check if the money is still in his account by entering his address at https://ripple.com/graph/. If the money was sent to another account, try to search that one (but he could have sold them to an innocent person).
If you find the username, try to get him a scammer tag and to get his email and IP from the mods, and google the email and nickname; you might end up finding his social network account and private information, or another email linked to the previous one that leads to the social account. Then, use your imagination: write him and say that if he doesn't give back the XRPs you will email his family and friends about what he has done; complain to any available authority with evidence, etc.

None of the addresses showed anything. I'm not too worried about my ripples, I only want to know the scenario in which my account was compromised. I don't think it was a trojan on my computer as my bitcoins are still in my address, and an 8-character password is kinda hard to crack on an online service.

BRules (OP), Sr. Member
May 06, 2013, 04:56:43 AM, #8

Well, looks like the password I chose for my ripples was a common password, as it was in this list:

http://www.isdpodcast.com/resources/62k-common-passwords/

That's the beauty of bitcoin: the wallet is on your computer, so even if I choose a weak password, my computer needs to be compromised before they can try to crack the password.

odolvlobo, Legendary
May 06, 2013, 05:06:53 AM, #9

I was about to write, "what fool uses a password that would be in that list?", but then I discovered that 2 of my many passwords are in the list.

loudpete, Newbie
May 06, 2013, 05:28:13 AM, #10

So what were you using for passwords? Now that you won't be using them anymore...

Still, seems like they'd have to try 62,000 passwords per user account; wouldn't the ripple servers block more than 5 attempts (for like an hour), making this impossible?

scintill, Sr. Member
May 06, 2013, 05:43:47 AM, #11

Quote from: BRules
Well, looks like the password I chose for my ripples was a common password, as it was in this list:

http://www.isdpodcast.com/resources/62k-common-passwords/

That's the beauty of bitcoin: the wallet is on your computer, so even if I choose a weak password, my computer needs to be compromised before they can try to crack the password.

Well, you've learned your lesson the hard way, sorry about that.  For what it's worth, from what I understand there are supposed to eventually be alternate clients that could be kept fully local like Bitcoin is (source).  The current lack of diversification and openness is a common complaint against Ripple as it is today though.

scintill, Sr. Member
May 06, 2013, 05:47:57 AM (last edit: June 02, 2013, 07:17:13 AM by scintill), #12

Quote from: loudpete
So what were you using for passwords? Now that you won't be using them anymore...

Still, seems like they'd have to try 62,000 passwords per user account; wouldn't the ripple servers block more than 5 attempts (for like an hour), making this impossible?

No, the Ripple webclient wallet is decrypted client-side in the user's browser. So they just grabbed the encrypted wallet and cracked it locally. Blockchain.info wallets work the same way, so they can also be cracked like this.

It's possible they grabbed a bunch of wallets around the same time that maybe should have tripped an alarm on the Ripple wallet server, but we don't know, and there's nothing Ripple can really do to perfectly prevent this.  The user has to pick a good passphrase and ideally also a non-obvious wallet ID as well.


Edit: Most of this is wrong, as I realized after seeing this thread. The Ripple wallet is indeed decrypted locally, but the blob vault (wallet server) requires a hash of username+password (not just a plaintext username as I had assumed), so in order to try 62k passwords on BRules' wallet they would indeed have to make that many requests to the server. Sorry for spreading false information.

I did just try blockchain.info MyWallet, and, for a simple (no extra security enabled) wallet, I could decrypt with only data obtained from https://blockchain.info/wallet/<guid>?format=json&resend_code=false and a local decrypt.  If you enable more security I think you would be safer than this though.

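The design distinction in scintill's edit (and loudpete's rate-limiting question above) is easier to see in code. The following is an added illustration, not Ripple's or blockchain.info's actual implementation: a vault that serves the encrypted blob for a bare wallet ID lets every password guess be checked offline after a single request, while a vault keyed by a digest of username+password forces each guess through the server, where a lockout can stop it and a counter can raise an alarm. The toy cipher, the PBKDF2 parameters, the lockout thresholds, the client identifier and the short candidate list are all constructed for the demo.

```python
# Added illustration, not Ripple's or blockchain.info's code; every parameter below is constructed.
import hashlib
import hmac
import os
from collections import defaultdict

KDF_ITERATIONS = 20_000                 # assumed; kept low so the demo runs quickly
MAX_FAILED_LOOKUPS = 5                  # assumed per-client lockout threshold
LOCKOUT_SECONDS = 3600                  # assumed lockout window
LOOKUP_SALT = b"example-lookup-salt"    # constructed domain separator, not a real value

def derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS)

def keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(plaintext: bytes, password: str) -> dict:
    """Toy password-based authenticated encryption; a wrong password fails the HMAC check."""
    salt = os.urandom(16)
    key = derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, salt + ct, "sha256").digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def open_blob(blob: dict, password: str):
    """Return the plaintext, or None if the password does not verify."""
    key = derive(password, blob["salt"])
    expected = hmac.new(key, blob["salt"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(blob["tag"], expected):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], keystream(key, len(blob["ct"]))))

def lookup_key(username: str, password: str) -> str:
    """Computed in the client; the server stores and compares only this digest."""
    return derive(f"{username}\x00{password}", LOOKUP_SALT).hex()

class NaiveVault:
    """Returns the encrypted blob to anyone who names the wallet ID."""
    def __init__(self):
        self.blobs, self.requests = {}, 0
    def store(self, username, password, secret):
        self.blobs[username] = seal(secret, password)
    def fetch(self, username):
        self.requests += 1
        return self.blobs.get(username)

class KeyedVault:
    """Returns the blob only for the right username+password digest and locks a client
    out after MAX_FAILED_LOOKUPS misses; `requests` and `failures` are what monitoring watches."""
    def __init__(self):
        self.blobs, self.requests = {}, 0
        self.failures = defaultdict(list)       # client_id -> miss timestamps
    def store(self, username, password, secret):
        self.blobs[lookup_key(username, password)] = seal(secret, password)
    def fetch(self, client_id, key, now):
        self.requests += 1
        recent = [t for t in self.failures[client_id] if now - t < LOCKOUT_SECONDS]
        self.failures[client_id] = recent
        if len(recent) >= MAX_FAILED_LOOKUPS:
            return "locked"
        blob = self.blobs.get(key)
        if blob is None:
            recent.append(now)
        return blob

def guesses_against_naive(vault, username, candidates):
    """One server request, then every candidate is checked offline."""
    blob = vault.fetch(username)
    for tried, pw in enumerate(candidates, 1):
        if open_blob(blob, pw) is not None:
            return {"requests": vault.requests, "recovered": True, "offline_tries": tried}
    return {"requests": vault.requests, "recovered": False, "offline_tries": len(candidates)}

def guesses_against_keyed(vault, username, candidates, client_id="203.0.113.7", now=0):
    """Every candidate costs a server request, so the lockout ends the attempt."""
    for tried, pw in enumerate(candidates):
        result = vault.fetch(client_id, lookup_key(username, pw), now)
        if result == "locked":
            return {"requests": vault.requests, "recovered": False, "locked_after": tried}
        if result is not None:
            return {"requests": vault.requests, "recovered": True, "locked_after": None}
    return {"requests": vault.requests, "recovered": False, "locked_after": None}

# Constructed stand-in for a published common-password list like the 62k one linked above.
COMMON = ["123456", "password", "qwerty", "letmein", "abc123", "monkey", "dragon", "iloveyou"]

def demo():
    """Same wallet, same weak password, both vault designs."""
    naive, keyed = NaiveVault(), KeyedVault()
    naive.store("wallet-demo", "iloveyou", b"wallet secret")
    keyed.store("wallet-demo", "iloveyou", b"wallet secret")
    return (guesses_against_naive(naive, "wallet-demo", COMMON),
            guesses_against_keyed(keyed, "wallet-demo", COMMON))
```

Calling `demo()` returns the two outcomes side by side: against `NaiveVault` the guessing client makes one request and finds the weak password offline, while against `KeyedVault` it is locked out after five misses without ever getting the blob. A per-client lockout is only a partial control, since misses arriving from many addresses are counted separately, which is why scintill's conclusion still holds: the passphrase and a non-obvious wallet ID remain the main defence, and the server's job is to make guessing slow and observable.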
Vladimir, Hero Member
May 06, 2013, 06:01:39 AM, #13

Sorry to hear about this.

It is still not too late to start using best practices as relevant to passwords and aimed at a regular internet user. I am not even talking about really sensitive stuff here.

1. Never use the same password in more than one place.
2. Use password managers like keepass and lastpass.
3. Encrypt all or most sensitive parts of your hard drives using software such as truecrypt etc...
4. Use very strong and long pass phrases (6-10 words plus some padding at least) that you can remember for a few important passwords, like for keepass, truecrypt, lastpass, your main email, and bitcoin wallets.
5. Use auto generated passwords for everything else (keepass,lastpass will help ya)
6. If you can remember a password it is a bad password. With a few exceptions as in 4. Here is an example of a password that is good: nbJbvrTXgWZDSYl15jT6jgnk
7. And finally:

- Doctor, how do I make sure that I do not get pregnant?
- Drink lots of milk.
- ... Huh before or after?
- Instead of.

Think about the above when you download stuff from the net and go to bad neighborhoods.

Sorry that I cannot help you with this any more than by typing this stuff again.
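Vladimir's list and BRules' discovery (post #8) that his password was on a published common-password list both reduce to checks that can be automated. The block below is an added example, not code from the thread or from any password manager: it audits a candidate password against a blocklist (a constructed stand-in for a list like the 62k one linked above), a minimum length and a character-class rule, estimates the entropy of uniformly random passwords and of word-based passphrases like item 4, and generates the kind of password item 6 recommends. The policy thresholds are assumptions; the 7776-word list size is that of the standard Diceware list.

```python
# Added example, not from the thread or any password manager; blocklist and thresholds are constructed.
import math
import secrets
import string

COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "abc123",
                    "iloveyou", "monkey", "dragon", "football", "welcome"}  # constructed subset
MIN_LENGTH = 12            # assumed policy minimum
PASSPHRASE_LENGTH = 20     # assumed: from this length on, a single-class word passphrase (item 4) passes
DICEWARE_LIST_SIZE = 7776  # the standard Diceware list has 6**5 words
ALPHABET = string.ascii_letters + string.digits   # the character classes in Vladimir's item 6 example

def normalise(password: str) -> str:
    """Strip the decorations people add to a dictionary word (case, trailing digits
    and symbols) so that 'Password1!' still matches 'password' in the blocklist."""
    return password.lower().rstrip(string.digits + string.punctuation)

def audit_password(password: str, blocklist=COMMON_PASSWORDS) -> list:
    """Return the policy violations for a password; an empty list means it passes."""
    problems = []
    if password in blocklist or normalise(password) in blocklist:
        problems.append("appears in common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in password))
    if classes < 2 and len(password) < PASSPHRASE_LENGTH:
        problems.append("uses a single character class")
    return problems

def random_password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def passphrase_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a word list;
    the 6-10 words of item 4 land between roughly 78 and 129 bits."""
    return words * math.log2(list_size)

def generate_password(length: int = 24) -> str:
    """Item 6: a password nobody could remember, drawn from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

The blocklist check is the one that would have caught the case in this thread; the normalisation step matters because appending a digit or an exclamation mark to a listed word is the most common way people try to satisfy a complexity rule. Vladimir's own 24-character example audits clean and, if generated uniformly from the same 62-character alphabet, carries about 143 bits.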

Badabing, Member
May 06, 2013, 07:19:34 AM, #14

Do you use the same username here with your ripple account? If you use the same,  62k passwords to try doesn't take an hour IMO. Do you share your secret key?

BBQKorv, Sr. Member
May 06, 2013, 09:02:14 AM, #15

Quote from: BRules
Well, looks like the password I chose for my ripples was a common password, as it was in this list:

http://www.isdpodcast.com/resources/62k-common-passwords/

That's the beauty of bitcoin: the wallet is on your computer, so even if I choose a weak password, my computer needs to be compromised before they can try to crack the password.

Hopefully you learned a lesson here; how is your bitcoin wallet's encryption key?

BRules (OP), Sr. Member
May 06, 2013, 02:47:55 PM, #16

Quote from: Badabing
Do you use the same username here with your ripple account? If you use the same,  62k passwords to try doesn't take an hour IMO. Do you share your secret key?

no, I didn't share anything about my ripples account.


Quote from: BBQKorv
Hopefully you learned a lesson here; how is your bitcoin wallet's encryption key?

The password I chose for my ripple account is the password I use for all "I don't care" stuff. It was my password here before I understood the potential of bitcoin, and now I use a more secure password on the forum.

About my wallet password: as it has a substantial amount in bitcoins, it is a unique 16-character password involving lower and upper case letters, numbers and symbols. I'm not that crazy to use a weak password to protect a considerable amount of money.

