I just got hacked!

[Dansker]

Hello fellow bitcoiners.

Learning the hard way last time MtGox was hacked, I made a seperate e-mail account for use on bitcoin related sites I don't really trust.

Now that e-mail has been hacked, and I have just recovered my access to it.

The hacker, according to gmail, was:

Browser  Lithuania (78.58.51.114)  Jul 25 (16 hours ago)

Only thing he could have compromised using this e-mail is my account with bitbetter, the other accounts I had made using this e-mail were worthless stuff.

Just though I would let you guys know that people are actively trying to access e-mail adresses used for bitcoin related stuff!

[1713545487]

1713545487

[1713545487]

1713545487

[klaus]

since it is available a have a yubikey from mtgox. 4 days after free order i had it in my hands in germany. after the first login via yubikey i can not login without in my account. i feel very save now.

[BusmasterDMA]

Now that e-mail has been hacked, and I have just recovered my access to it.

The hacker, according to gmail, was:

Browser  Lithuania (78.58.51.114)  Jul 25 (16 hours ago)

Just curious how would you guess they gained access to your gmail account?

Trojan keylogger on a system you've used?
Lucky guess of the password?
Knowing answers to account recovery questions?

[Mousepotato]

Turn on 2-step verification.  So even if you have a keylogger on your system, it wouldn't matter.  But then again your Email account would probably be the last of your worries if you had a logger.

[jackjack]

Now that e-mail has been hacked, and I have just recovered my access to it.

The hacker, according to gmail, was:

Browser  Lithuania (78.58.51.114)  Jul 25 (16 hours ago)

Just curious how would you guess they gained access to your gmail account?

Trojan keylogger on a system you've used?
Lucky guess of the password?
Knowing answers to account recovery questions?

Bruteforce on the leaked Mtgox accounts file

[Mike Hearn]

This usually means a site you signed up with has been hacked and the password database dumped. A list of sites that you used it to register with would be helpful.

[Mousepotato]

since it is available a have a yubikey from mtgox. 4 days after free order i had it in my hands in germany. after the first login via yubikey i can not login without in my account. i feel very save now.

How'd you get your Yubikey for free?  They're asking $29.99 for them now

[klaus]

since it is available a have a yubikey from mtgox. 4 days after free order i had it in my hands in germany. after the first login via yubikey i can not login without in my account. i feel very save now.

How'd you get your Yubikey for free?  They're asking $29.99 for them now

I was one with rolling back trades after the flash-crash.

[Dansker]

My guess is that a site I have signed up with has either been compromised (I used this email to sign up for loads of "free bitcoins"-offers) og was built with the intent of gather e-mails/passes.

I may even have re-used the pw, so it could be that these sites are set up to harvest email/pw of bitcoin users. It must either be that, or that my very simple pw was guessed somehow.

Just goes to show that you can never be too careful, and I sure am glad this was a gmail I made with the intent purpose of signing up for shit offers.

[defxor]

I may even have re-used the pw

or that my very simple pw was guessed somehow

http://lastpass.com

Seriously - once you start you'll never understand why it took you so long.

One new completely random password for each site. Always.

(And just to pre-empt some common responses from those who don't verify what the site is about - no - your passwords are never transmitted to nor stored with LastPass)

[cepler]

This is an example of a password I might use:

$=7rq2]6oLQa^K}3ni4U<4Ylpp8?0p|1@n7Nld[g

Randomize your passwords and make them long.  Use a password manager and keep the password database on a flash drive.  True, if they get the database or log your passwords you're screwed but you're pretty much screwed at that point anyhow and this will cover the most obvious attacks, bruteforcing the encrypted password database.

I cringe when I see some of the passwords people use and how often they use them on other sites!  BAD BAD BAD!  NEVER EVER EVER EVER >>EVER<< use a password on two sites, and your E-Mail password should be the ultimate utmost strong password and protected like a 500 lb block of platinum.  Think about it, when you forget a password what do most sites do?  E-Mail it back to you or send you a link to change it.  If someone gets that E-Mail password they can have a field day getting into your other accounts.

[cepler]

I may even have re-used the pw

or that my very simple pw was guessed somehow

http://lastpass.com

Seriously - once you start you'll never understand why it took you so long.

One new completely random password for each site. Always.

(And just to pre-empt some common responses from those who don't verify what the site is about - no - your passwords are never transmitted to nor stored with LastPass)

And if you don't trust the way that Lastpass works:

http://www.keepass.info/

and

http://agilebits.com/products/1Password

Are two of my favorite password database apps.  1Password is nice because it's very cross-platform between Mac, PC and iPhone etc...

[Dansker]

All good advice in this thread!

I have different e-mails with different passwords.

I deliberately didn't make a difficult pw for this account, and wasn't careful about where I used it, since I only intended to use it for sites sending me money, not me sending anything.

I must admit, I am surprised someone actually took the time to gain access to this e-mail address, and change my pw (I recovered it via alt. e-mail) - and that is the most important fact I would like to share with you: People out there are actively trying all they can to steal bitcoins, and you need to not trust any random bitcoin sites/people.

[joulesbeef]

I love lastpass for it;s ease of use.. it will come up with pseudo random passwords that are very strong, and then enter them for you when you need them, and you can long into lastpass from anywhere and get your passes...however... they once had an odd security issue and I dont think it actually ended up being anyones passes being stolen but they emailed everyone and asked them to change their masterpass and highlights the problem of leaving your pass in on a corp system you dont control, especially when it might be a big target of hacks for the trove of passes it contains. SO far they have been good though... i belive, I havent looked more into that incident but I didnt see a lot of noise about it either.

keypass is a solution around the idea of letting a company have control of your passwords like lastpass. With keypass you keep your encrypted password file. It lacks some ease of use of lastpass but if you use keypass and put it on a usbkey or better a dropbox, you can have similar functionality as lastpass in that you can access your passes from anywhere.