Dansker (OP)
|
|
July 26, 2011, 02:46:12 PM |
|
Hello fellow bitcoiners.
Learning the hard way last time MtGox was hacked, I made a separate e-mail account for use on bitcoin related sites I don't really trust.
Now that e-mail has been hacked, and I have just recovered my access to it.
The hacker, according to gmail, was:
Browser Lithuania (78.58.51.114) Jul 25 (16 hours ago)
Only thing he could have compromised using this e-mail is my account with bitbetter, the other accounts I had made using this e-mail were worthless stuff.
Just thought I would let you guys know that people are actively trying to access e-mail addresses used for bitcoin related stuff!
|
|
|
|
klaus
Legendary
Offline
Activity: 1946
Merit: 1004
|
|
July 26, 2011, 02:55:57 PM |
|
Since it is available I have a Yubikey from MtGox. 4 days after the free order I had it in my hands in Germany. After the first login via Yubikey I cannot log in to my account without it. I feel very safe now.
|
bitmessage:BM-2D9c1oAbkVo96zDhTZ2jV6RXzQ9VG3A6f1 threema:HXUAMT96
|
|
|
BusmasterDMA
Member
Offline
Activity: 118
Merit: 10
|
|
July 26, 2011, 03:46:06 PM |
|
> Now that e-mail has been hacked, and I have just recovered my access to it.
> The hacker, according to gmail, was:
> Browser Lithuania (78.58.51.114) Jul 25 (16 hours ago)

Just curious how would you guess they gained access to your gmail account? Trojan keylogger on a system you've used? Lucky guess of the password? Knowing answers to account recovery questions?
|
Bears. Beets. Battlestar Galactica. Bitcoin.
|
|
|
Mousepotato
|
|
July 26, 2011, 06:46:02 PM |
|
Turn on 2-step verification. So even if you have a keylogger on your system, it wouldn't matter. But then again your Email account would probably be the last of your worries if you had a logger.
|
Mousepotato
|
|
|
jackjack
Legendary
Offline
Activity: 1176
Merit: 1260
May Bitcoin be touched by his Noodly Appendage
|
|
July 26, 2011, 06:47:47 PM |
|
> > Now that e-mail has been hacked, and I have just recovered my access to it.
> > The hacker, according to gmail, was:
> > Browser Lithuania (78.58.51.114) Jul 25 (16 hours ago)
>
> Just curious how would you guess they gained access to your gmail account? Trojan keylogger on a system you've used? Lucky guess of the password? Knowing answers to account recovery questions?

Bruteforce on the leaked Mtgox accounts file
|
|
|
|
Mike Hearn
Legendary
Offline
Activity: 1526
Merit: 1134
|
|
July 26, 2011, 06:48:22 PM |
|
This usually means a site you signed up with has been hacked and the password database dumped. A list of sites that you used it to register with would be helpful.
|
|
|
|
Mousepotato
|
|
July 26, 2011, 06:48:30 PM |
|
> Since it is available I have a Yubikey from MtGox. 4 days after the free order I had it in my hands in Germany. After the first login via Yubikey I cannot log in to my account without it. I feel very safe now.

How'd you get your Yubikey for free? They're asking $29.99 for them now
|
Mousepotato
|
|
|
klaus
Legendary
Offline
Activity: 1946
Merit: 1004
|
|
July 26, 2011, 06:57:33 PM |
|
> > Since it is available I have a Yubikey from MtGox. 4 days after the free order I had it in my hands in Germany. After the first login via Yubikey I cannot log in to my account without it. I feel very safe now.
>
> How'd you get your Yubikey for free? They're asking $29.99 for them now

I was one with rolling back trades after the flash-crash.
|
|
|
|
Dansker (OP)
|
|
July 26, 2011, 09:28:21 PM |
|
My guess is that a site I have signed up with has either been compromised (I used this email to sign up for loads of "free bitcoins"-offers) or was built with the intent of gathering e-mails/passes.
I may even have re-used the pw, so it could be that these sites are set up to harvest email/pw of bitcoin users. It must either be that, or that my very simple pw was guessed somehow.
Just goes to show that you can never be too careful, and I sure am glad this was a gmail I made with the intended purpose of signing up for shit offers.
|
|
|
|
defxor
|
|
July 26, 2011, 09:37:37 PM |
|
> I may even have re-used the pw or that my very simple pw was guessed somehow

http://lastpass.com
Seriously - once you start you'll never understand why it took you so long. One new completely random password for each site. Always. (And just to pre-empt some common responses from those who don't verify what the site is about - no - your passwords are never transmitted to nor stored with LastPass)
|
|
|
|
cepler
Newbie
Offline
Activity: 46
Merit: 0
|
|
July 26, 2011, 09:38:21 PM |
|
This is an example of a password I might use:
$=7rq2]6oLQa^K}3ni4U<4Ylpp8?0p|1@n7Nld[g
Randomize your passwords and make them long. Use a password manager and keep the password database on a flash drive. True, if they get the database or log your passwords you're screwed but you're pretty much screwed at that point anyhow and this will cover the most obvious attacks, bruteforcing the encrypted password database.
I cringe when I see some of the passwords people use and how often they use them on other sites! BAD BAD BAD! NEVER EVER EVER EVER >>EVER<< use a password on two sites, and your E-Mail password should be the ultimate utmost strong password and protected like a 500 lb block of platinum. Think about it, when you forget a password what do most sites do? E-Mail it back to you or send you a link to change it. If someone gets that E-Mail password they can have a field day getting into your other accounts.
|
|
|
|
cepler
Newbie
Offline
Activity: 46
Merit: 0
|
|
July 26, 2011, 09:41:54 PM |
|
> > I may even have re-used the pw or that my very simple pw was guessed somehow
>
> http://lastpass.com
> Seriously - once you start you'll never understand why it took you so long. One new completely random password for each site. Always. (And just to pre-empt some common responses from those who don't verify what the site is about - no - your passwords are never transmitted to nor stored with LastPass)

And if you don't trust the way that Lastpass works: http://www.keepass.info/ and http://agilebits.com/products/1Password are two of my favorite password database apps. 1Password is nice because it's very cross-platform between Mac, PC and iPhone etc...
|
|
|
|
Dansker (OP)
|
|
July 26, 2011, 09:50:11 PM |
|
All good advice in this thread!
I have different e-mails with different passwords.
I deliberately didn't make a difficult pw for this account, and wasn't careful about where I used it, since I only intended to use it for sites sending me money, not me sending anything.
I must admit, I am surprised someone actually took the time to gain access to this e-mail address, and change my pw (I recovered it via alt. e-mail) - and that is the most important fact I would like to share with you: People out there are actively trying all they can to steal bitcoins, and you need to not trust any random bitcoin sites/people.
|
|
|
|
joulesbeef
Sr. Member
Offline
Activity: 476
Merit: 250
moOo
|
|
July 26, 2011, 10:55:10 PM |
|
I love LastPass for its ease of use.. it will come up with pseudo random passwords that are very strong, and then enter them for you when you need them, and you can log into LastPass from anywhere and get your passes... however... they once had an odd security issue and I don't think it actually ended up being anyone's passes being stolen but they emailed everyone and asked them to change their masterpass and highlights the problem of leaving your pass in on a corp system you don't control, especially when it might be a big target of hacks for the trove of passes it contains. So far they have been good though... I believe, I haven't looked more into that incident but I didn't see a lot of noise about it either.
KeePass is a solution around the idea of letting a company have control of your passwords like LastPass. With KeePass you keep your encrypted password file. It lacks some ease of use of LastPass but if you use KeePass and put it on a USB key or better a Dropbox, you can have similar functionality as LastPass in that you can access your passes from anywhere.
|
mooo for rent
|
|
|
|