Bitcoin Forum
Author Topic: Slush Pool (api.bitcoin.cz) hacked again?  (Read 3229 times)
deebug (OP)
July 18, 2011, 09:24:13 AM
Last edit: July 18, 2011, 08:50:26 PM by deebug
 #1

Hi, on 2011-07-15 21:33:14 my wallet address was changed to ------------------------------------------ and my limit went from 1 to 0.1 and "Notify on payout" wasn't checked any more.
I did not receive a change wallet notification via e-mail which it normally should do if you want to change your wallet address, so I'm assuming this is an internal change (DB value change).
I'm not comfortable with this at all. Are there any other victims? Please speak your mind, I would like to know if I am alone here or not.

The next logical question is, what would be the best alternative for api.bitcoin.cz?
I know there are a LOT of choices and that's the problem... Any founded suggestions would always be welcome :D
Until 2011-07-15 21:33:14 I was pretty happy about the service, they could handle DDoS'es pretty well, almost no connection problems during all my months of mining...

MiningBuddy
July 18, 2011, 09:34:50 AM
 #2

Everything is fine from my end.

Are you sure that password wasn't one used on mtgox?

Definitely sounds like you chose a poor password.

deebug (OP)
July 18, 2011, 09:40:42 AM
 #3

Hmm, I'm not like that, you see

- My MtGox password is and was completely different from the one on bitcoin.cz
- Both passwords are 250+ chars long and are chosen by a password management program I'm not going to specify.

Not only that, but suppose someone was able to log in, there is no way they can change the wallet address without me noticing it via my e-mail address.
(trying to change the e-mail address would also be noticeable, and the e-mail address hasn't changed)

- My e-mail address has also a 250+ char password which is different from all the others.
- My PCs aren't compromised (that I know of, there's always that creepy feeling I get sometimes and then I do another audit :)), and I'm a very very paranoid IT guy. All logins on any level contain strong passwords.


DrHaribo
July 18, 2011, 12:14:28 PM
 #4

In my pool I use OpenID and let someone else worry about that part of the security. You can log in with a Google account.

Of course I have to store worker passwords. They are salted and heavily hashed in the database. Not sure if worker passwords are really worth protecting, but it just feels safer to be paranoid.

▶▶▶ bitminter.com 2011-2020 ▶▶▶ pool.xbtodigital.io 2023-
MiningBuddy
July 18, 2011, 01:14:30 PM
 #5

Quote from: DrHaribo on July 18, 2011, 12:14:28 PM
> In my pool I use OpenID and let someone else worry about that part of the security. You can log in with a Google account.
>
> Of course I have to store worker passwords. They are salted and heavily hashed in the database. Not sure if worker passwords are really worth protecting, but it just feels safer to be paranoid.

Kind of pointless when they are sent over the network plain text, but w/e.

Graet
July 18, 2011, 01:19:11 PM
 #6

We use 2 part authentication on the site. So for important changes such as wallet address you need to enter a PIN as well.

| Ozcoin Pooled Mining Pty Ltd https://ozcoin.net Double Geometric Reward System https://lc.ozcoin.net for Litecoin mining DGM| https://crowncloud.net VPS and Dedicated Servers for the BTC community
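
The controls mentioned in replies #4 and #6 (salted, iterated hashing of stored secrets and a PIN for wallet address changes), together with the e-mail notification from post #1, combined in one sketch. This is an added example, not code from any pool in the thread; `Account`, `hash_pin`, the PBKDF2 work factor and the sample addresses are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_pin(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) from salted, iterated PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


class Account:
    MAX_FAILURES = 3  # after this many bad PINs, changes stay locked until reset

    def __init__(self, wallet: str, pin: str):
        self.wallet = wallet
        self.salt, self.pin_hash = hash_pin(pin)  # the PIN itself is never stored
        self.failures = 0
        self.audit = []   # every attempt is recorded, successful or not
        self.outbox = []  # stands in for the e-mail notification queue

    def change_wallet(self, new_wallet: str, pin: str) -> bool:
        """Change the payout address only after the second factor checks out."""
        if self.failures >= self.MAX_FAILURES:
            self.audit.append(("wallet_change", "locked", new_wallet))
            return False
        _, candidate = hash_pin(pin, self.salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(candidate, self.pin_hash):
            self.failures += 1
            self.audit.append(("wallet_change", "bad_pin", new_wallet))
            return False
        self.failures = 0
        old, self.wallet = self.wallet, new_wallet
        self.audit.append(("wallet_change", "ok", new_wallet))
        self.outbox.append(f"Payout address changed from {old} to {new_wallet}")
        return True
```

The gate only covers changes made through the application. A direct database edit, which the original poster suspects, bypasses it and would show up only as a wallet value with no matching audit entry or notification.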