Bitcoin Forum
Author Topic: Just had 39.70 bitcoins stolen from blockchain account!  (Read 5675 times)
NewLiberty
May 24, 2013, 08:05:38 PM
 #81

The hacker caused the hacking.
Stronger defenses might prevent future attempts.

01BTC10
May 25, 2013, 12:32:09 AM
 #82

Did a test on blockchain.info OTP and they are 1 time use only.
BCB
May 25, 2013, 12:36:35 AM
 #83

Did a test on blockchain.info OTP and they are 1 time use only.

cool
sublime5447
May 25, 2013, 01:00:01 AM
 #84

Honestly I hear about people getting robbed from Blockchain all the time - Two-factor auth when using google is not real two-factor, it's an illusion because if one password is compromised by an infected computer so is the other.

The solution is to STOP USING ONLINE WALLETS TO STORE VALUE - If you need to use them for transactional stuff, then do it but keeping 5000usd on blockchain is just screaming rob me.

Plus one it is a hosted wallet not your wallet at any point the operators can cut and run...
DeathAndTaxes
May 25, 2013, 01:00:53 AM
 #85

Honestly I hear about people getting robbed from Blockchain all the time - Two-factor auth when using google is not real two-factor, it's an illusion because if one password is compromised by an infected computer so is the other.

The solution is to STOP USING ONLINE WALLETS TO STORE VALUE - If you need to use them for transactional stuff, then do it but keeping 5000usd on blockchain is just screaming rob me.

Plus one it is a hosted wallet not your wallet at any point the operators can cut and run...

How do they do that exactly?
Pierre
May 25, 2013, 01:58:27 AM
 #86

Well, they just change their code to steal your password and BAM you're screwed.
sublime5447
May 25, 2013, 02:11:14 AM
 #87

Yep I don't know who runs the site but someone has access to the user name and passwords.
MikeyVeez
May 25, 2013, 02:12:30 AM
 #88

ohh noez

scintill
May 25, 2013, 12:03:28 PM
 #89

Yep I don't know who runs the site but someone has access to the user name and passwords.

That's quite the accusation to a site that claims passwords are managed completely client-side (and have decent proof of that: open-source wallet code and in-browser code verifier.)  Do you have any sources for this claim, or original research that makes you believe this?

I do have to admit there is something going on -- assuming the reports aren't false, there has been a rash of unexplained blockchain.info thefts lately.  I'm inclined to trust the site operators, but maybe they have a security hole, or someone has managed to stealth-compromise several systems of people who are pretty savvy.

1SCiN5kqkAbxxwesKMsH9GvyWnWP5YK2W | donations
strellos
May 25, 2013, 01:09:43 PM
 #90

bad for you, good for hacker
ranlo
May 25, 2013, 01:10:31 PM
 #91

Did a test on blockchain.info OTP and they are 1 time use only.

What does this mean, exactly? That once you log in, the mechanism (erm, I guess the "confirmation") changes?

daemondazz
May 25, 2013, 01:17:53 PM
 #92

Did a test on blockchain.info OTP and they are 1 time use only.

What does this mean, exactly? That once you log in, the mechanism (erm, I guess the "confirmation") changes?

That the same code cannot be entered and accepted by the site twice.

Computers, Amateur Radio, Electronics, Aviation - 1dazzrAbMqNu6cUwh2dtYckNygG7jKs8S
BCB
May 25, 2013, 01:24:14 PM
 #93

An OTP (one time password) can be generated by Google authentication (http://en.wikipedia.org/wiki/Google_Authenticator) or could be transmitted to your mobile phone by text from the server you are trying to authenticate with.

Once you as the client enter that OTP on the server, the server should immediately invalidate that OTP so that it cannot be used again by you or an attacker.  With Google auth a new pass code, based on time, is generated every minute and should be invalidated every minute or when used by the server.  (Some servers allow a slight delay for ease of use.)

However, if the server you are authenticating with does NOT invalidate the OTP immediately after you enter it correctly, an attacker with code or a keylogger on your local machine could also log in to your account with the same OTP and gain full access to your secure account.

I tested this on mount gox and an OTP replay attack was possible, however they have since patched this.

01BTC10 says he tested this on blockchainwallet.info and this vulnerability does not exist there.

You can try it yourself.  If you use OTP on any account, log in successfully with one client then open another tab or browser and log in again with the same OTP.  Then let time pass.  The longer the period of time the server allows you to use the same OTP token, the more vulnerable it is.
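
The server-side invalidation described in the post above, as an added example (not part of any post in this thread, and not code from blockchain.info or Mt. Gox): a TOTP verifier that remembers the last accepted time step per account and refuses any code at or below it. The class name, account label and secret are constructed for illustration; the 30-second step and one-step drift window are assumptions taken from the RFC 6238 defaults.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default, assumed here)
WINDOW = 1   # accept +/- 1 step of clock drift (assumed policy)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value (RFC 4226) for one time-step counter, HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ReplaySafeVerifier:
    """Hypothetical verifier: each time step is accepted at most once."""

    def __init__(self):
        self._secrets = {}     # account -> shared secret
        self._last_step = {}   # account -> highest step already accepted

    def enroll(self, account: str, secret: bytes) -> None:
        self._secrets[account] = secret
        self._last_step[account] = -1

    def verify(self, account: str, code: str, now: float) -> bool:
        secret = self._secrets.get(account)
        if secret is None:
            return False
        current = int(now) // STEP
        for step in range(current - WINDOW, current + WINDOW + 1):
            # Steps at or below the last accepted one are burned, so a code
            # captured by a keylogger fails even inside the drift window.
            if step <= self._last_step[account]:
                continue
            candidate = totp(secret, step).encode()
            if hmac.compare_digest(candidate, code.encode()):
                self._last_step[account] = step
                return True
        return False


if __name__ == "__main__":
    v = ReplaySafeVerifier()
    v.enroll("demo", b"12345678901234567890")  # constructed: RFC 4226 test key
    print("first use:", v.verify("demo", "287082", now=59))
    print("replay   :", v.verify("demo", "287082", now=59))
```

A verifier without the `_last_step` check would accept the same code for the whole drift window, which is the delay the post says makes a server more vulnerable.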

fortheyu
May 25, 2013, 01:28:48 PM
 #94

Only rational cause that comes to my mind would be a keylogger
BCB
May 25, 2013, 02:25:06 PM
 #95


I PM'd the op for more information yesterday but he didn't respond. It is likely that he had an easily guessable alias, no two factor authentication and an insufficiently strong main password. The way aliases work has changed recently but old accounts with no email associated and easily guessable aliases are most vulnerable.

Without two factor authentication there is no protection from keyloggers or malware. Even with two factor authentication I highly suggest that any coins which don't need to be stored online be stored on a paper wallet. There is dedicated bitcoin stealing malware about (targeting desktop clients as well).

nicktm94
May 25, 2013, 02:32:10 PM
 #96

That's why you shouldn't have used an online wallet
ranlo
May 25, 2013, 04:55:06 PM
 #97

That's why you shouldn't have used an online wallet

Honestly, I think offline wallets are just as dangerous for most people. If they aren't able to keep their online passwords secure, I don't see how they will be able to go through the offline security.

ProfMac
May 25, 2013, 06:11:20 PM
Last edit: May 25, 2013, 06:26:53 PM by ProfMac
 #98

Somebody has hacked my blockchain account and took everything I had, all 39.70btc I've been mining for months!

I'm even sat here watching transactions being confirmed and can see the 2 accounts it's all now held in, via blockchain info!

Anybody got any advice?



I am sorry for your loss, and I am terrified that I may have the same vulnerability.
I have read all the posts to try to find anything that makes sense to me.

I am looking in my own account under Account Settings --> Security --> 2 Factor Authentication
There are several choices:
  • none
    SMS
    YubiKey
    eMail
    Google Authenticator

Will you disclose which of these you had?
I'm glad that you posted this.  I would not have known about the YubiKey choice if I had not looked there today.  I will switch from eMail to YubiKey.
Do I understand correctly that an Android phone was part of your environment?

update:
I cannot seem to activate the YubiKey status.  The YubiKey provides the code into the text box, no other indication of activity happens, and the account is left in the "none" choice, very surprising behavior, I think.


and another thing...
My daughter and I were shot some years ago by her boyfriend.  She died.  A lot of people played "blame the victim" at that time.  The prosecutor had a very clear statement about this:  nothing that she did was bad enough to justify her death.
It is disgusting to blame the victim.  Karma is strong; your own turn will come.



I try to be respectful and informed.
BCB
May 25, 2013, 06:16:22 PM
 #99

ranlo

I agree

A key logger or local virus has just as much access to your local wallet as to your hosted wallet.

I think the bigger concern for hosted wallets is loss of connectivity and/or unscrupulous/incompetent/or just plain stupid business owners.

(None of which I think applies to blockchain.info who I regard as one of the best if not the best hosted wallet out there.)

But more to your point, secure, complex password, not used on any other site or service is essential.

Hopefully bitcoin will continue to develop more secure (and easy) short and long term storage options.

But you can't get everyone to do that.  Unfortunately (as we've seen here again and again) it takes a few hundred or a few thousand or more of loss for users to take bitcoin security seriously.

I guarantee you every single person who has suffered a compromise has changed every password, made them unique and enabled 2FA where they can.  Until then I guess it is just a cost benefit (time/benefit) analysis really.

what have you got to lose (except all your bitcoin).

Rampion
May 25, 2013, 06:29:39 PM
 #100

Somebody has hacked my blockchain account and took everything I had, all 39.70btc I've been mining for months!

I'm even sat here watching transactions being confirmed and can see the 2 accounts it's all now held in, via blockchain info!

Anybody got any advice?



I am sorry for your loss, and I am terrified that I may have the same vulnerability.
I have read all the posts to try to find anything that makes sense to me.

I am looking in my own account under Account Settings --> Security --> 2 Factor Authentication
There are several choices:
  • none
    SMS
    YubiKey
    eMail
    Google Authenticator

Will you disclose which of these you had?
I'm glad that you posted this.  I would not have known about the YubiKey choice if I had not looked there today.  I will switch from eMail to YubiKey.
Do I understand correctly that an Android phone was part of your environment?



Don't use Yubikey unless you have a Yubikey (it's a physical USB device). And AFAIK blockchain.info do not have their proprietary yubikeys, you have to use a Gox Yubikey, which is absurd IMO (the whole point of 2FA is to use a UNIQUE mechanism for each account).

I'd suggest using SMS because you do not need a smartphone and you can easily and immediately recover your phone number even if you lose your device. Google authenticator is good too, but you need to have a proper paper backup of the QR code and/or the private key of the security token linked to the account (this is mandatory or you may very well end up having the same problem described in the "I want to sue Google" thread in the legal subforum)
