Quantus
April 24, 2013, 03:51:29 AM

So the site was hacked but any loss will be covered but when the site is back up we need to consider the strength of our E-mail passwords because the hacker got those?

(I am a 1MB block supporter who thinks all users should be using Full-Node clients) Avoid the XT shills, they only want to destroy bitcoin, their hubris and greed will destroy us. Know your adversary https://www.youtube.com/watch?v=BKorP55Aqvg

GernMiester
April 24, 2013, 03:53:01 AM

expect to be phished.. just like gox

lukasbradley
April 24, 2013, 04:04:00 AM

Please let me know if I can help with anything.

gbx
April 24, 2013, 04:37:28 AM

but intruder has emails and information but would have to hack each email individually? hopefully too much effort anything we need to do to resecure anything compromised
Don't use the same password on bitcoin.cz as you do on any other accounts. Password re-use is probably the biggest offense when it comes to problems between the keyboard and chair. If you are using the same or similar passwords, change them now, especially on accounts connected to this potential leak. It's just a good practice. Chances are, nothing will happen. But why chance it? If you don't already, use KeePass, LastPass, OnePass or some password safe that programmatically generates complex passwords and use that password for your bitcoin.cz connected email account. That is about all you can do. Change your password when Slush brings up the website too.. Just to be safe....

nybbler905
April 24, 2013, 04:38:00 AM

expect to be phished.. just like gox
most phishing for me is check the full headers to see if it's legit, go to the web site directly ( not from any mail link ) and log in that way and see if the mail really came from them..... when fake, there are a TON of reporting sites ( depending on what scam is being pulled ) BTW I am Canadian and after looking up some Doctor Who info on yahoo.co.uk decided to open an email account and... now I get tons of fake UK bank ' your account is locked until you click and filll in you are informations ' ( misspellings USUALLY ARE in the fake ones ) spams. Hope this helps and gives a laugh or two in spite of the current situation... BTW Slush, getting more hits from getwork than Stratum, don't really care if it counts or not since I'm CPU mining and don't usually get over 2000 uBTC for less than 4 hits. Just thought you should look into it.

Always looking for donations even as low as 1uBTC 14XfpYPdtYiGoEiDcKrSzuvBM3ukhwANUh - BTC LS7FEfu9ajp3NQcDjui9TSKscwQesj9i8k - LTC LHe9g5ixMyfdtqAEHU5vErG1eQrDshBFRW -Luckycoin
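
The header check described in the post above, as an added example that is not part of the original thread: it parses a constructed message and flags Return-Path or Reply-To domains that differ from the From domain, non-passing SPF/DKIM/DMARC results, and links that point off the claimed domain. All addresses and domains are placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real e-mail); every domain is a placeholder.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Pool Support" <support@pool.example.com>
Reply-To: helpdesk@example.net
To: miner@example.org
Subject: Your account is locked
Content-Type: text/plain

Your account is locked until you confirm it:
http://pool.example.com.login.example.net/verify
"""

def domain(addr):
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def same_site(host, claimed):
    """True if host is the claimed domain or one of its subdomains."""
    return host == claimed or host.endswith("." + claimed)

def phishing_signals(raw):
    """Return a list of reasons the message does not match its From domain."""
    msg = message_from_string(raw)
    claimed = domain(msg["From"])
    findings = []
    # 1. Envelope sender and reply address should belong to the claimed sender.
    for header in ("Return-Path", "Reply-To"):
        d = domain(msg[header])
        if d and not same_site(d, claimed):
            findings.append(f"{header} domain {d} differs from From domain {claimed}")
    # 2. Verdicts recorded by the receiving server; anything but "pass" is flagged.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is {m.group(1)}")
    # 3. Links whose host merely starts with the claimed name are still off-site.
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for host in re.findall(r"https?://([^/\s:]+)", body):
        if not same_site(host.lower(), claimed):
            findings.append(f"link points to {host}, not {claimed}")
    return findings
```

An `Authentication-Results` header is only meaningful when it was added by your own receiving mail server; one that arrived with the message can be forged.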

gbx
April 24, 2013, 04:38:44 AM

And we found another block!!! YAY!!!

gbx
April 24, 2013, 04:40:55 AM

Also, the times on my mining proxy have dropped dramatically with AWS. I'm seeing 42-62ms times where before it was 170ms and up...

stanke
April 24, 2013, 06:13:04 AM

apparently, if you don't hold it you don't own it is true for servers as well
That's the point. Next time I'll be the only person who'll have a physical access to the machine. No f***ing web consoles, email recovery features and no 3rd party administrators next time. I'm really tired by these situations and incompetent people who are harming my own reputation.
I would suggest to set up the servers as servers with sensitive data. That means even if the attacker or whoever gets the physical server he can only destroy it but he cannot steal the data. All my servers which need high security or have some sensitive data have only the system not encrypted. The data partitions are on different logical volumes which are encrypted. That means even in single user mode no harm is done. Slush, you are doing a good job with the pool and btc related, but you should consider building servers the way it cannot be compromised. ;-)

phelix
April 24, 2013, 06:26:36 AM

What about the user database? Was it compromised? I'd hate to see bitcoins sent to the wrong address.
I have a database snapshot taken before bad guys overtook the database. So there's no reason to think payout addresses have been modified. Any change of wallet on pool profile requires email confirmation by account owner so I think we're on safe side here. Unfortunately the user database can be considered as compromised, so the attacker knows users' emails :-(.
How were the passwords hashed?

nybbler905
April 24, 2013, 06:43:31 AM

What about the user database? Was it compromised? I'd hate to see bitcoins sent to the wrong address.
I have a database snapshot taken before bad guys overtook the database. So there's no reason to think payout addresses have been modified. Any change of wallet on pool profile requires email confirmation by account owner so I think we're on safe side here. Unfortunately the user database can be considered as compromised, so the attacker knows users' emails :-(.
How were the passwords hashed?
never answer that!!!
[edit] forgot to include the links lol
http://hackaday.com/2012/12/06/25-gpus-brute-force-348-billion-hashes-per-second-to-crack-your-passwords/
http://hackaday.com/2011/06/01/gpu-password-cracking-made-easy/

Always looking for donations even as low as 1uBTC 14XfpYPdtYiGoEiDcKrSzuvBM3ukhwANUh - BTC LS7FEfu9ajp3NQcDjui9TSKscwQesj9i8k - LTC LHe9g5ixMyfdtqAEHU5vErG1eQrDshBFRW -Luckycoin

Drizzle
April 24, 2013, 07:08:05 AM

It's just nice to see the guy in charge actively posting with users. I've only been mining for a few weeks but other pools don't know what they are missing.
I agree. Slush is doing good work, and his work is appreciated. As someone pretty new to mining however, this just highlights to me how volatile this field is. After having had the little I mined stolen at bitlc the last time I tried mining, and now the DDoS and hacking here, and couple that with all the other warnings on these forums, I feel that bitcoins aren't for the weak of heart. Plus it doesn't help that I used a password at Slush's which I use elsewhere (because it looked like the site wouldn't accept one with a comma, so I reverted to something simple), so now I'm worried about that.

zamazama
April 24, 2013, 07:27:17 AM

Very sorry to hear about this Slush. I hope other pool admins take note, this is now a billion dollar industry and DDOS, hacking, fraud will increase exponentially too as coins are very hard to trace.
I have continued mining for the pool, but would also appreciate an ETA on various aspects.
Website being up so earnings can be viewed. Commencement of payouts.
Even as a rough guide, at least it will stop me and others from continually bugging you while you're busy.

anti
April 24, 2013, 07:30:43 AM

Very sorry to hear about this Slush. I hope other pool admins take note, this is now a billion dollar industry and DDOS, hacking, fraud will increase exponentially too as coins are very hard to trace.
I have continued mining for the pool, but would also appreciate an ETA on various aspects.
Website being up so earnings can be viewed. Commencement of payouts.
Even as a rough guide, at least it will stop me and others from continually bugging you while you're busy.
I was just about to ask the same: The bitcoins I have earned on this pool should have been confirmed and paid out by now, because last time I checked (about 2 hours before the break-in) it was about 30 confirmations away from being confirmed with respect to my payout minimum. However, no payouts have occurred as of now. I guess this is also because the pool was hacked? When can we expect the payouts to continue? I mean the BTC prices are quite good at the moment and I'd very much like to sell before they fall again. Please fix this soon! Thanks!

HellDiverUK
April 24, 2013, 07:40:59 AM

I got two Questions. Are my Bitcoins safe and Do I need to change pools?
Way to not bother reading the thread, brainiac.

thewebguy0
April 24, 2013, 07:43:07 AM

I wish butterfly labs was as open with people as Slush and others in the bitcoin community are with what's going on. I asked for a refund 2 days ago on part of my orders and I haven't heard anything back. (Surprise surprise?) Another site that fails to update people with truth, openness and honesty is bitinstant. I no longer trade through them because of the problems they have been having. They promise and do not deliver. Slush is the man and I will continue to mine with the pool. Thank you for the updates and transparency. We all get more careful and diligent due to times like these and I personally appreciate your updates and contribution and dedication to the bitcoin community. Cheers

HellDiverUK
April 24, 2013, 08:00:55 AM

Slush is the man and I will continue to mine with the pool. Thank you for the updates and transparency. We all get more careful and diligent due to times like these and I personally appreciate your updates and contribution and dedication to the bitcoin community.
This. I'll be mining with slush until I stop mining bitcoins. Any chance of running a Litecoin pool, too, slush? That'd make me a very happy camper.

Drizzle
April 24, 2013, 08:10:03 AM

Any chance of running a Litecoin pool, too, slush? That'd make me a very happy camper.
I want to get into litecoins, so that would be cool.

thewebguy0
April 24, 2013, 08:21:35 AM

Any chance of running a Litecoin pool, too, slush? That'd make me a very happy camper.
I want to get into litecoins, so that would be cool.
I would agree with these statements as well.

skang
April 24, 2013, 08:35:43 AM

Thanks for all the support!
If you do decide to implement ltc please do it like D7 pool. His UI and ease of use is the best of all the mining sites!

"India is the guru of the nations, the physician of the human soul in its profounder maladies; she is destined once more to remould the life of the world and restore the peace of the human spirit. But Swaraj is the necessary condition of her work and before she can do the work, she must fulfil the condition."

DryMartini
April 24, 2013, 09:02:41 AM

Everyone mining with Slush, restart your mining clients and make sure the stratum domain resolves to an address in the Amazon cloud. It's 54.214.10.135 when I check here. Before I restarted mine it still used the old compromised server which is still running. I'm not sure they will be able to use the bitcoins mined there but I hate the thought of it.