MCXNow Can See your passwords! REALSolid has access to all your Passwords

[QuantPlus]

It's hard to trust a site that can go into your account and look at your password.  This is irresponsible coding.  He needs to answer for this.  Why are you stealing Account info Real solid??

You made me laugh!!! Thanks for that! You think you are safe on BTC-E?!   Think again... My friend had about 800 ltc stolen from BTC-E, and he had unique pass & 2FA enabled!

MCX is by far best and safest exchange out there... Is it perfect?! Maybe not, but it is far superior than others...

MCX did 1500 BTC in volume last 24 hours = $200,000... that is just the beginning...
That's maybe 5 times what Ripple is doing after 6 freaking months.

Nobody is gonna fuck with passwords with a $10,000,000+ business on the line, baby.

[1715042225]

1715042225

[Zyl]

The lack of hashed passwords is the end of mcxNow,
100% of all trust permanently gone.
Total stupidity and irresponsibility on Realsolid's part. This guy is an amateur.
I have withdrawn all funds and I will never use the exchange again.

He was even posting user's passwords into public chat, asking where have you used this password before?

[smoothie]

The lack of hashed passwords is the end of mcxNow,
100% of all trust permanently gone.
Total stupidity and irresponsibility on Realsolid's part. This guy is an amateur.
I have withdrawn all funds and I will never use the exchange again.

He was even posting user's passwords into public chat, asking where have you used this password before?

Have any screenshots of that?

[flound1129]

If you are using MCXnow, be very careful!  RealSolid and his cronies has access to all your password.  This came directly from his mouth in chat. 

So If you have an account there make sure you withdraw those coins soon.  RealSolid has access to every single account's password.

Change your BTCE and other passwords to protect yourself against RealSolid and his crew.

Ask him yourself, this is from his own mouth.  He's not to be trusted.

Why in the fuck would you use a non-unique password on any bitcoin site?

[TheFuneral]

If you are using MCXnow, be very careful!  RealSolid and his cronies has access to all your password.  This came directly from his mouth in chat. 

So If you have an account there make sure you withdraw those coins soon.  RealSolid has access to every single account's password.

Change your BTCE and other passwords to protect yourself against RealSolid and his crew.

Ask him yourself, this is from his own mouth.  He's not to be trusted.

do you know how computers work?

[mechs]

If you are using MCXnow, be very careful!  RealSolid and his cronies has access to all your password.  This came directly from his mouth in chat. 

So If you have an account there make sure you withdraw those coins soon.  RealSolid has access to every single account's password.

Change your BTCE and other passwords to protect yourself against RealSolid and his crew.

Ask him yourself, this is from his own mouth.  He's not to be trusted.

Why in the fuck would you use a non-unique password on any bitcoin site?

Exactly!

[Zyl]

Have any screenshots of that?

I didn't think of it at the time. Go on chat and ask other users, they will remember.
Or request a chat log from RS for security reasons.

"Realsolid: Soandso, what other sites have you used password garbanzobunk on?"
Almost identical words to that, I don't remember their exact password though.

[shakezula]

Have any screenshots of that?

I didn't think of it at the time. Go on chat and ask other users, they will remember.

"Realsolid: Soandso, what other sites have you used password garbanzobunk on?"

Almost identical words to that, I don't remember their exact password though.

As someone who was there lurking when this happened, I'd like to offer a bit of context (though I have no screenshots).

The question was posed, "What site did the leaked passswords come from?"

The answer from RS was something to the effect of, "We're not sure, so check your security log and it will say something like 'Failed attempt to login using Garb******' " (using your example as I don't recall it verbatim either)

The conversation then went back and forth and it was mentioned multiple times that the passwords being attempted could be seen by the admin and consequently by users logging in (but only the first 4 letters and ****s). The group was making an effort using the passwords to try and determine which site the leaked database may have come from. These were NOT mcxNOW passwords, rather they were the passwords which were tried against mcxNOW.

I agree 110% that having unsalted plain text passwords on ANY site with $$ involved is MORONIC. However, I also agree that if you're dim enough to use a password that's not unique on ANY site with $$ involved you're asking for trouble. I'm not condoning nor defending RS or mcxNOW's site, I just thought for vitriol's sake I'd share. I don't see how its anyone but the user's fault if their passwords are the same; then again the troll box isn't really the best place to ctrl+v any passwords whatsoever.

[Zyl]

The answer from RS was something to the effect of, "We're not sure, so check your security log and it will say something like 'Failed attempt to login using Garb******' " (using your example as I don't recall it verbatim either)

He posted their full password, with no ******'s.
The ***'s is a recent thing he switched over to today only.
You may have been lurking for a different conversation than the one I refer to.

Other people who were there will remember.

One password was like monkeynuts or something. But I can't remember exactly.

[drummerjdb666]

The answer from RS was something to the effect of, "We're not sure, so check your security log and it will say something like 'Failed attempt to login using Garb******' " (using your example as I don't recall it verbatim either)

He posted their full password, with no ******'s.
The ***'s is a recent thing he switched over to today only.
You may have been lurking for a different conversation than the one I refer to.

Other people who were there will remember.

One password was like monkeynuts or something. But I can't remember exactly.

This thread is getting out of hand with the goddamn FUD omg!    And I remember that he said  WTF!!!  "Somebody's password was their username"  he never posted the password. 

You guys are just upset because volume at btce is lacking because of the mcx update!  get the fuck over it!!!

[Zyl]

This thread is getting out of hand with the goddamn FUD omg!    And I remember that he said  WTF!!!  "Somebody's password was their username"  he never posted the password. 

You guys are just upset because volume at btce is lacking because of the mcx update!  get the fuck over it!!!

Absolutely false. You are not being truthful. For example, he asked a user whose password was COMPLETELY UNRELATED to their chat username, about their full plaintext password.

Somebody else will verify this.

[FrigidWinter]

This thread is getting out of hand with the goddamn FUD omg!    And I remember that he said  WTF!!!  "Somebody's password was their username"  he never posted the password. 

You guys are just upset because volume at btce is lacking because of the mcx update!  get the fuck over it!!!

Absolutely false. You are not being truthful. For example, he asked a user whose password was COMPLETELY UNRELATED to their chat username, about their full plaintext password.

Somebody else will verify this.

Cant 100% Verify that

But he admitted to entering the usernames/passwords of users at other sites to attempt to gain access. Whether or not it was to find the leak its a questionable practice

[Zyl]

I was there. You were not.

Ask realsolid for a chat log of yesterday.
Or ask somebody who is using the API and possibly has a local log.

[yyshowku]

oh  mg. thank your message.                               

[JCaferJr]

Zyl - Since your leaving mcxNOW, I'll take your mcxFEE shares!  ;o)

[sega01]

I thought I'd chime in here.

#7 rule of the internet: Use unique passwords for anything remotely important. Especially places where you hold money. If you follow this rule, these claims are irrelevant to you.

Secondly, I'm not even sure if this is correct. As a developer, I have a bit of a conundrum over whether I would do this or not. Generally, I prefer simpler code, and plaintext is as simple as you can get for passwords. While it may put the users at risk if something is compromised, I would rather tell my users that they *must* use a unique password and let them deal with the consequences if they do not.

And off topic, MCXNow is an awesome exchange in my opinion.

[Duffer1]

Pure lies.  All of it except for the unsalted passwords.  Alex has created several of these threads for some reason.  He uses several socks to bump them.  All of it is complete bullshit.

Last night an unknown site was compromised.  Someone was trying the DB of username/passwords against mcxNOW accounts.  After 1 theft of B was verified the site immediately went into lockdown to prevent other nubs who didn't use unique passwords from losing their money as well.

[Etlase2]

Which is why the web is not a good platform for important applications like financial apps.

Better would be client-side encryption where the server does not ever see your keys, like Open Transactions uses for example.

-MarkM-

I remember someone working on something like this for BTC. Something that ran locally in your browser, but interfaced with a remote site. Maybe I'm misremembering about exactly what it did, but I remember thinking it was pretty cool. dunno what became of it though.

[Alex P]

Don't blame me for reporting the truth.  All the information I post is true.  And I am pointing these things out because I am a reporter in my normal job and this type of thing is something people want to know!  So if it's false then prove it. But out of his own mouth, Realsolid can see each and every one of our passwords.

Stick to the facts.

Pure lies.  All of it except for the unsalted passwords.  Alex has created several of these threads for some reason.  He uses several socks to bump them.  All of it is complete bullshit.

Last night an unknown site was compromised.  Someone was trying the DB of username/passwords against mcxNOW accounts.  After 1 theft of B was verified the site immediately went into lockdown to prevent other nubs who didn't use unique passwords from losing their money as well.

[MarpleTrading]

Don't blame me for reporting the truth.  All the information I post is true.  And I am pointing these things out because I am a reporter in my normal job and this type of thing is something people want to know!  So if it's false then prove it. But out of his own mouth, Realsolid can see each and every one of our passwords.

Stick to the facts.

Pure lies.  All of it except for the unsalted passwords.  Alex has created several of these threads for some reason.  He uses several socks to bump them.  All of it is complete bullshit.

Last night an unknown site was compromised.  Someone was trying the DB of username/passwords against mcxNOW accounts.  After 1 theft of B was verified the site immediately went into lockdown to prevent other nubs who didn't use unique passwords from losing their money as well.

Then you are a reporter the world does not need. Go find scandals that really are abuses, not things every site admin can do if he chooses so. You are only reporting this with the sole purpose of discrediting RealSolid. Why are you sol jealous>