Bitcoin Forum
Author Topic: Cryptopia hacked !?  (Read 2536 times)
Geraldo
September 09, 2017, 12:07:26 AM
 #41

One of my friends (known from bitcointalk) also lost his bitcoin from Cryptopia. But how is it possible!!? Every time I tried to log into my Cryptopia account it asked me for a code that comes to my email. After entering the code there I can access my Cryptopia account. So is it possible to hack my account?
I am also thinking about 2FA, I would set it asap.

I think this is recently added.. or you had 2FA via email.. It never asked me to check my email to log into.. This is possible if a database leak has occurred, which is the most likely scenario, even though they will try to deny it.

   
drm
September 09, 2017, 12:59:01 AM
 #42

One of my friends (known from bitcointalk) also lost his bitcoin from Cryptopia. But how is it possible!!? Every time I tried to log into my Cryptopia account it asked me for a code that comes to my email. After entering the code there I can access my Cryptopia account. So is it possible to hack my account?
I am also thinking about 2FA, I would set it asap.

I think this is recently added.. or you had 2FA via email.. It never asked me to check my email to log into.. This is possible if a database leak has occurred, which is the most likely scenario, even though they will try to deny it.

Well obviously something is up, why else would they change default settings to 2fa just around the time multiple people report
login attempts or stolen funds.

If true, it's kinda irresponsible for them to not notify anyone to at least change passwords.

e-coinomist
September 09, 2017, 01:03:21 AM
 #43

I think this is recently added.. or you had 2FA via email.. It never asked me to check my email to log into.. This is possible if a database leak has occurred, which is the most likely scenario, even though they will try to deny it.

Well obviously something is up, why else would they change default settings to 2fa just around the time multiple people report
login attempts or stolen funds.

If true, it's kinda irresponsible for them to not notify anyone to at least change passwords.

Indeed, such an announcement could cause panic withdrawals, similar in effect to a bank run. Any tradeside that cannot pay back deposits in a timely manner will have to sweat out over each and every breach in security.

I had been sweating when a BTC withdrawal took like 15 hours, and they are paying network average fees so no fault on their side.

MySeriousFaceIsOn
September 11, 2017, 11:59:18 PM
 #44

I dunno how I missed this thread for so long, but let me state immediately and categorically that no data breach of any kind has happened at Cryptopia. Our support team has been bogged down by many situations similar to what was described in this thread, however in the many cases we've had to investigate there were some pretty common themes.

In some situations, an external data breach caused an email box of one of our users to become compromised, which was then used to reset the password of the associated account - in many instances, these accounts had no 2FA, or email 2FA to the email account which had already been owned.
In some situations, an external data breach caused a Cryptopia account to be directly compromised due to a shared login between Cryptopia and wherever the data breach occurred. In some of these instances the accounts received emails from us stating that an unsuccessful login had occurred before the correct username/password combination from the breach was used, and in other instances the correct username/password was submitted on the first attempt and no emails from us were sent.
We had a case where Google Auth was bypassed, however the user was using Google Auth as a Chrome extension and we concluded that the malicious user gained remote access to that person's computer, which included an auto-login session to the email associated with the Cryptopia account, and of course access to the browser for 2FA.
Outside of the above not-Cryptopia problem, no accounts with Google Auth or Cryptopia Auth were breached as part of the phishing attacks and data breaches that are outside of Cryptopia's control.

At the end of the day our users' accounts can only be as secure as the users set them up to be. We recently went and forced Email 2FA onto every account which had no 2FA, which has reduced this occurring but hasn't stopped it. One of the most heartbreaking things about some of our interactions with users that have been ripped off in this fashion is that they often blame our security rather than reflecting on what happened on their end; the end result being that they don't go and enable 2FA, ensure they have unique passwords everywhere, check for and remove malware, research and apply security best practices, etc, which ultimately leaves them open for a repeat incident.

What we've learned from this is that we need to go away and really look at how to use our site's pages and emails to educate our users and the crypto community around how security actually works. We need to update our 2FA pages to detail the strengths and weaknesses in various types of 2FA so that our users can make better decisions or at least be aware of the risks that they're taking with their choices; we need to update some of our email templates so that it tells you what's going on and provides an explanation of what this means and suggests some actions you may want to take - we discovered that most users didn't know how to react to a 'someone tried to log into your account and failed' email. We want to get our support tools, processes and headcount sorted so that we can be the first exchange to offer live chat support and be available to help our users in their moments of panic. The Crypto community is growing rapidly and a factor of this is that many people that weren't the earliest of adopters aren't aware of the level of security paranoia that is required when you have a bunch of money sitting on accounts/computers that are connected to the internet.

If you go to our website, you will note that we use a different type of SSL cert to most other exchanges; it's not just 'Secure' but 'You're securely connected to Cryptopia Ltd [NZ]'. This is called an EV SSL certificate, which to obtain we have to be thoroughly vetted by Comodo as a real business that exists at a real location in the real world. https://en.wikipedia.org/wiki/Extended_Validation_Certificate This is one of those security features where most users out there don't realize what the significance of a green address bar is compared to a white one. The benefit for us, is simply that it's harder for our users to be phished, because while a phishing site could have a minor change to the domain, they won't be able to replicate our SSL cert - but this only helps users that know what they're looking for.

Anyway, again, Cryptopia wasn't hacked.
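
Added illustration (not code from this thread or from Cryptopia): a triage pass over login events for the two patterns described in the post above, a breach credential that succeeds after failures and one that succeeds on the first attempt, where a failure-only notification email never fires. The event tuples, the `KNOWN_IPS` history and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (timestamp, account, source_ip, outcome). Not real data.
EVENTS = [
    ("2017-09-01T09:58:10", "alice", "198.51.100.10", "fail"),
    ("2017-09-01T09:58:25", "alice", "198.51.100.10", "ok"),
    ("2017-09-01T10:00:01", "bob",   "203.0.113.7",   "fail"),
    ("2017-09-01T10:00:02", "carol", "203.0.113.7",   "ok"),
    ("2017-09-01T10:00:03", "dave",  "203.0.113.7",   "fail"),
    ("2017-09-01T10:00:04", "erin",  "203.0.113.7",   "fail"),
    ("2017-09-01T10:00:09", "erin",  "203.0.113.7",   "ok"),
    ("2017-09-01T11:30:00", "frank", "192.0.2.55",    "ok"),
]
# Hypothetical per-account history of previously seen source addresses.
KNOWN_IPS = {"alice": {"198.51.100.10"}, "carol": {"198.51.100.20"},
             "erin": {"198.51.100.30"}, "frank": {"198.51.100.40"}}


def triage(events, known_ips, spray_threshold=3):
    """Return {(account, ip): [reasons]} for successful logins worth review."""
    accounts_per_ip = defaultdict(set)
    for _, account, ip, _ in events:
        accounts_per_ip[ip].add(account)

    failed_before = set()  # (account, ip) pairs with an earlier failure
    alerts = {}
    for _, account, ip, outcome in sorted(events):
        if outcome == "fail":
            failed_before.add((account, ip))
            continue
        reasons = []
        if ip not in known_ips.get(account, set()):
            reasons.append("new-source")
        if len(accounts_per_ip[ip]) >= spray_threshold:
            reasons.append("multi-account-source")
        if reasons and (account, ip) not in failed_before:
            # Correct password on the first try: a failure-only email never fires.
            reasons.append("no-failed-login-warning")
        if reasons:
            alerts[(account, ip)] = reasons
    return alerts


def silent_takeovers(alerts):
    """Accounts whose owner got no failed-login email before the success."""
    return sorted(a for (a, _), r in alerts.items() if "no-failed-login-warning" in r)


if __name__ == "__main__":
    for key, reasons in triage(EVENTS, KNOWN_IPS).items():
        print(key, reasons)
    print("no warning sent:", silent_takeovers(triage(EVENTS, KNOWN_IPS)))
```

The owner's own mistyped password from a known address (alice) raises nothing, while carol and frank surface only because the check looks at successful logins rather than failures alone.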
xtraelv
September 14, 2017, 08:41:31 AM
 #45


Well obviously something is up, why else would they change default settings to 2fa just around the time multiple people report
login attempts or stolen funds.

If true, it's kinda irresponsible for them to not notify anyone to at least change passwords.

Yes - something is up - but not with Cryptopia. Insecure websites like bitcointalk, bitmain, bithumb have all been hacked and disclosed user data. Add to that the Adobe hack and several others where email data, passwords and other information was taken. You can check here if your email has been disclosed in some of the large known hacks: https://haveibeenpwned.com/

One of my personal emails features in there 4 times.

WITH THAT INFORMATION if the PASSWORD AND EMAIL of the hacked site is the same as used on Cryptopia then the hacker has access to the account on Cryptopia.

WITH THAT INFORMATION if the PASSWORD AND EMAIL of the hacked site is the same as the users email used for Cryptopia then the hacker has access to the "reset password" feature.

If the hacker simply tries to log into the site then they have access using valid credentials - so no actual hack occurs on Cryptopia - an email informing of a successful logon is sent (if enabled by the user in the user settings).

If the hacker simply tries to log into the site and the password is different - wrong - an attempted logon email is sent.

If 2FA is enabled the hacker fails -  an attempted logon email is sent.

In other words - if I have your email address then I can try to log onto your account - if the password is wrong then an attempted logon email is sent.


Changing the settings to default use of 2FA is an attempt by Cryptopia to further protect users that have left it disabled.

Other exchanges have had login attempts too but don't notify users that an attempt to login has been made.

spinttt
October 12, 2017, 04:19:53 PM
 #46

This just happened to me ..  Huh My fault for not enabling 2 factor on this account .. I am pissed..
HitbtcSCAM
October 12, 2017, 07:34:50 PM
 #47

not hacked you were robbed by the admins
ivanst776
October 13, 2017, 08:26:17 AM
 #48

This just happened to me ..  Huh My fault for not enabling 2 factor on this account .. I am pissed..
Security is paramount for every user and it is always in their hands. Enabling the 2FA for an account helps to build the security of an account further and all these settings should not be overlooked. I hope you have learnt your lessons now and so sorry for your loss. However, some of these exchanges though, why not find a better alternative like bittrex?

VEEGOLD
October 19, 2017, 10:48:39 PM
 #49

One of my friends (known from bitcointalk) also lost his bitcoin from Cryptopia. But how is it possible!!? Every time I tried to log into my Cryptopia account it asked me for a code that comes to my email. After entering the code there I can access my Cryptopia account. So is it possible to hack my account?
I am also thinking about 2FA, I would set it asap.
  well once you have set up 2fa on your account it becomes a bit safer

heavensopen
November 04, 2017, 05:00:54 PM
 #50

Guys, most of us are using the same email address to log into multiple sites, exchanges among them.

You need to make sure your email is safe and secure, then use a very long and random character UNIQUE password for every login to any site, not just exchanges...... I know, it is tricky and requires a lot of work to keep track of hundreds of random passwords (there are some tools to help you though) but it really pays off.
Also, enable 2FA wherever possible - and I don't mean an email sent to you to click on a link: I mean real 2FA, with SMS to your mobile phone or a trusted 3rd party authenticator. There are several sites getting hacked daily, user lists are being leaked by a bad employee or even user lists with passwords being sold after a site (especially an exchange) shuts down.

And of course, never leave your coins on any exchange if you are not trading 24/7. Even if you do, withdraw your profits on a weekly basis, you never know when and where a thunder strikes.

Be safe, not sorry.
freebutcaged
November 04, 2017, 05:31:42 PM
 #51

not hacked you were robbed by the admins
Mate did you pay any money to say that? of course you didn't because as an admin is free at any time to take all the funds from users accounts, you could as well say something like what you said above, I don't understand some traders, investors etc, it's like they are using exchanges as their personal wallets, I wouldn't blame them because it's really hard to keep all your shitcoins in order in a single wallet, even if there are some wallets capable of storing many altcoins, not everyone knows they exist, people are depositing onto exchanges, they will wait for prices to move then doing buy>sell and sell>buy to earn something but have no idea how dangerous it is to hold their coins on an exchange for more than 1 hour, you are not supposed to use them like that, when you have some coin to sell, you'll deposit>sell>withdraw, or deposit>buy>withdraw.
richardsNY
November 04, 2017, 11:46:58 PM
 #52

Guys, most of us are using the same email address to log into multiple sites, exchanges among them.

That's the reason people should use a different email address for each and every service or site of importance. I do so too, and have never had any problems with anything. In some cases certain sites get their database hacked, which mostly results in you getting spam and phishing mails, and that's obviously not something people look forward to. Since it's just one email address being connected to one site or service, you can change it without going through much hassle.

heavensopen
November 05, 2017, 05:18:30 AM
 #53

Guys, most of us are using the same email address to log into multiple sites, exchanges among them.

That's the reason people should use a different email address for each and every service or site of importance. I do so too, and have never had any problems with anything. In some cases certain sites get their database hacked, which mostly results in you getting spam and phishing mails, and that's obviously not something people look forward to. Since it's just one email address being connected to one site or service, you can change it without going through much hassle.

This is true, but I am not going to monitor hundreds (or thousands) of email addresses - and most people don't want to and don't even have the means to do so. It's pretty easy when you own an email server and create numerous aliases, dumping them when the "job" is finished but we are talking about the average user here, not a server admin.
And of course, disposable email addresses are out of the question, since they provide zero security, anyone can read mail sent to them.

In practice, best you can do is to have a secure and serious email provider, take precautions and have common sense. That's the main problem most people are facing with exchanges, if their email is breached, funds held in their account can vanish. And this is why 2FA has a critical role in all this.