Cryptopia hacked !?

[drm]

One of my friend (known from bitcoinralk)also lost his bitcoin from cryptopia. but how its possible!!? every time when i tried to log into my cryptopia account it asked me a code that come into my email.after interning the code there i can access my cryptopia account.so is it possible to hack my account?
I am also thinking about 2FA , I would set it asap.

I think this is recently added.. or you had 2FA via email.. It never asked me to check my email to log into.. This is possible if a database leak has occured, which is the most likely scenario, even though they will try to deny it.

Well obviously something is up, why else would they change default settings to 2fa just around the time multiple people report
login attempts or stolen funds.

If true, it's kinda irresponsible for them to not notify anyone to at least change passwords.

[1714000850]

1714000850

[1714000850]

1714000850

[e-coinomist]

I think this is recently added.. or you had 2FA via email.. It never asked me to check my email to log into.. This is possible if a database leak has occured, which is the most likely scenario, even though they will try to deny it.

Well obviously something is up, why else would they change default settings to 2fa just around the time multiple people report
login attempts or stolen funds.

If true, it's kinda irresponsible for them to not notify anyone to at least change passwords.

Indeed, such an anouncement could cause panik withdrawals, similar in effect to a bankrun. Any tradeside that cannot pay back deposits in a timely manner will have to sweat out over each and every breach in security.

I had been sweating when a BTC withdrawal took like 15 hours, and they are paying network average fees so no fault on their side.

[MySeriousFaceIsOn]

I dunno how I missed this thread for so long, but let me state immediately and categorically that no data breach of any kind has happened at Cryptopia. Our support team has been bogged down by many situations similar to what was described in this thread, however in the many cases we've had to investigate there were some pretty common themes.

In some situations, an external data breach caused an email box of one of our users to become compromised, which was then used to reset the password of the associated account - in many instances, these accounts had no 2FA, or email 2FA to the email account which had already been owned.
In some situations, an external data breach caused a Cryptopia account to be directly compromised due to a shared login between Cryptopia and where ever the data breach occurred. In some of these instances the accounts received emails from us stating that an unsuccessful login had occurred before the correct username/password combination from the breach was used, and in other instances the correct username/password was submitted on the first attempt and no emails from us were sent.
We had a case where Google Auth was bypassed, however the user was using Google Auth as a Chrome extension and we concluded that the malicious user gained remote access to that persons computer, which included an auto-login session to the email associated with the Cryptopia account, and of course access to the browser for 2FA.
Outside of the above not-Cryptopia problem, no accounts with Google Auth or Cryptopia Auth were breached as part of the phishing attacks and data breaches that are outside of Cryptopia's control.

At the end of the day our user's account can only be as secure as the users set them up to be. We recently went and forced Email 2FA onto every account which had no 2FA, which has reduced this occurring but hasn't stopped it. One of the most heartbreaking things about some of our interactions with users that have been ripped off in this fashion is that they often blame our security rather than reflecting on what happened on their end; the end result being that they don't go and enable 2FA, ensure they have unique passwords everywhere, check for and remove malware, research and apply security best practices, etc, which ultimately leaves them open for a repeat incident.

What we've learned from this is that we need to go away and really look at how to use our site's pages and emails to educate our users and the crypto community around how security actually works. We need to update our 2FA pages to detail the strengths and weaknesses in various types of 2FA so that our users can make better decisions or at least be aware of the risks that they're taking with their choices; we need to update some of our email templates so that it tells you what's going on and provides an explanation of what this means and suggests some actions you may want to take - we discovered that most users didn't know how to react to a 'someone tried to log into you account and failed' email. We want to get to get our support tools, processes and headcount sorted so that we can be the first exchange to offer live chat support and be available to help our users in their moments of panic. The Crytpo community is growing rapidly and a factor of this is that many people that weren't the earliest of adopters aren't aware of the level of security paranoia that is required when you have a bunch of money sitting on accounts/computers that are connected to the internet.

If you go to our website, you will note that we use a different type of SSL cert to most other exchanges; it's not just 'Secure' but 'You're securely connected to Cryptopia Ltd [NZ]'. This is called an EV SSL certificate, which to obtain we have to be thoroughly vetted by Comodo as a real business that exists at a real location in the real world. https://en.wikipedia.org/wiki/Extended_Validation_Certificate This is one of those security features where most users out there don't realize what the significance of a green address bar is compared to a white one. The benefit for us, is simply that it's harder for our users to be phished, because while a phishing site could have a minor change to the domain, they won't be able to replicate our SSL cert - but this only helps users that know what they're looking for.

Anyway, again, Cryptopia wasn't hacked.

[xtraelv]

Well obviously something is up, why else would they change default settings to 2fa just around the time multiple people report
login attempts or stolen funds.

If true, it's kinda irresponsible for them to not notify anyone to at least change passwords.

Yes - something is up - but not with Cryptopia. Insecure websites like bitcointalk, bitmain, bithumb have all been hacked and disclosed user data. Add to that the adobe hack and several others where email data, passwords and other information was taken.  You can check here if your email has been disclosed in some of the large known hacks  : https://haveibeenpwned.com/

One of my personal emails features in there 4 times.

WITH THAT INFORMATION if the PASSWORD AND EMAIL of the hacked site is the same as used on Cryptopia then the hacker has access to the account on Cryptopia.

WITH THAT INFORMATION if the PASSWORD AND EMAIL of the hacked site is the same as the users email used for Cryptopia then the hacker has access to the "reset password" feature.

If the hacker simply tries to log into the site then they have access using valid credentials. - so no actual hack occurs on Cryptopia - a email informing of a sucessful logon is sent (if enabled by the user in the user settings) .

If the hacker simply tries to log into the site and the password is different - wrong - an attempted logon email is sent.

If 2FA is enabled the hacker fails -  an attempted logon email is sent.

In other words - if I have your email address then I can try to log onto your account - if the password is wrong then an attempted logon email is sent.


Changing the settings to default use of 2FA is an attempt by Cryptopia to further protect users that have left it disabled.

Other exchanges have had login attempts too but don't notify users that an attempt to login has been made.

[spinttt]

This just happened to me ..  My fault for not enabling 2 factor on this account .. I am pissed..

[HitbtcSCAM]

not hacked you were robbed by the admins

[ivanst776]

This just happened to me ..  My fault for not enabling 2 factor on this account .. I am pissed..

Security is paramount for every user and it is always in their hands. Enabling the 2FA for an account helps to build the security of an account further and all these settings should not be overlooked. I hope you have learnt your lessons now and so sorry for your loss. However, some of these exchanges though, why not find a better alternative like bittrex?

[VEEGOLD]

One of my friend (known from bitcoinralk)also lost his bitcoin from cryptopia. but how its possible!!? every time when i tried to log into my cryptopia account it asked me a code that come into my email.after interning the code there i can access my cryptopia account.so is it possible to hack my account?
I am also thinking about 2FA , I would set it asap.

  well once you have set up 2fa on your account it becomes a bit safer

[heavensopen]

Guys, most of us are using the same email address to log into multiple sites, exchanges among them.

You need to make sure your email is safe and secure, then use a very long and random character UNIQUE password for every login to any site, not just exchanges...... I know, it is tricky and requires a lot of work to keep track of hundreds of random passwords (there are some tools to help you though) but it really pays off.
Also, enable 2FA wherever possible - and I dont mean an email sent to you to click on a link: I mean real 2FA, with SMS to your mobile phone or a trusted 3rd party authenticator. There are several sites getting hacked daily, user lists are being leaked by a bad employee or even user lists with passwords being sold after a site (especially an exchange) shuts down.

And of course, never leave your coins on any exchange if you are not trading 24/7. Even if you do, withdraw your profits on a weekly basis, you never know when and where a thunder strikes.

Be safe, not sorry.

[freebutcaged]

not hacked you were robbed by the admins

Mate did you pay any money to say that? of course you didn't because as an admin is free at any time to take all the funds from users accounts, you

Could as well say something like what you said above, I don't understand some traders, investors etc, it's like they are using exchanges as their personal

Wallets, I wouldn't blame them because it's really hard to keep all your shitcoins in order in a single wallet, even if there are some wallets capable of

Storing many altcoins, not everyone knows they exist, people are depositing onto exchanges, they will wait for prices to move then doing buy>sell and

Sell>buy to earn something but have no idea how dangerous it is to hold their coins on an exchange for more than 1 hour, you are not supposed to use

Them like that, when you have some coin to sell, you'll deposit>sell>withdraw, or deposit>buy>withdraw.

[richardsNY]

Guys, most of us are using the same email address to log into multiple sites, exchanges among them.

That's the reason people should use a different email address for each and every service or site of importance. I do so too, and have never had any problems with anything. In some cases certain sites get their database hacked, which mostly results in you getting spam and phishing mails, and that's obviously not something people look forward to. Since it's just one email address being connected to one site or service, you can change it without going through much hassle.

[heavensopen]

Guys, most of us are using the same email address to log into multiple sites, exchanges among them.

That's the reason people should use a different email address for each and every service or site of importance. I do so too, and have never had any problems with anything. In some cases certain sites get their database hacked, which mostly results in you getting spam and phishing mails, and that's obviously not something people look forward to. Since it's just one email address being connected to one site or service, you can change it without going through much hassle.

This is true, but I am not going to monitor hundreds (or thousands) of email addresses - and most people don't want to and don't even have the means to do so. Its pretty easy when you own an email server and create numerous aliases, dumping them when the "job" is finished but we are talking about the average user here, not a server admin.
And of course, disposable email addresses are out of the question, since they provide zero security, anyone can read mail sent to them.

In practice, best you can do is to have a secure and serious email provider, take precautions and have common sense. Thats the main problem most people are facing with exchanges, if their email is breached, funds held in their account can vanish. And this is why 2FA has a critical role in all this.

[Olegross]

Hello.
Withdraw all currency ordinary transfer. Two-factor authentication enabled, the password is rather complicated. No failed login attempts. Support cryptopia is silent. Not mind the money, there were few, as it is unclear whether it is possible to use this exchange.

[map_ua]

Same here in 2018 same dates 

Im alone?

1) No email withdrawal
2) No email new ip
3) No email login attempt
4) All coins sold to btc
5) All btc withdrawal

[jhenfelipe]

Same here in 2018 same dates  

Im alone?

You mean you experienced this now? (and you have Grin emoticon?)
What is the scammer's BTC address?

1) No email withdrawal
2) No email new ip
3) No email login attempt

Didn't you secure your acount with 2FA via Authenticator app?

If NOT and you only use Email 2FA to log in plus are using the same password in your email and cryptopia then it's most likely the reason. Your email account was probably hacked as well and the hacker was capable of deleting those cryptopia emails for you to be clueless about what happened.

Though some find it a bit hassle, it's still advisable to Enable 2FA via Authenticator app for all the ff actions:

• Opening Security Settings
• Login
• Lockout
• Withdraw
• Transfer
• Tip

Just save your Auth barcode & key in a safe place and of course, secure your email account.