How long it takes that we can get our precious bitcoins out again. I really need them before monday.
UPDATE: Cause found, payouts will continue sunday-evening at the latest.
To all our users, thanks for your continued patience while we were getting to the bottom of this.
Earlier today we verified the exact details of how the theft took place, which was through session spoofing. Multiple accounts were compromised, resulting in unwanted payouts the bulk of which occurred between october 29 and november 3. We have deployed measures that prevent this type of session spoofing on ABCPool in the future.
What was potentially compromised:
* The attacker did not need your passwords for the intrusion
* No passwords have been leaked directly, since passwords are only stored as a hash.
* Weak passwords MAY have been guessed by brute-force abuse of the 'change password' function.
* The attacker COULD log in to any account through the ABCPool site and act as though they were that user
* PIN has been guessed (or brute-forced) in at least several cases
Steps we have taken to mitigate the issue thus far:
* We have fixed the session handling code
* We have reset the payment address for all our users, because it might have been set by the attacker to his own address.
* We have expired all current sessions
* We have introduced additional logging code
Steps still to be taken:
* Introduce additional security measures
* Re-activate payouts (this will happen sunday evening at the latest)
* Come to an agreement with you guys on how to handle the missing BTC.
What will change for you:
* For now, you'll need to (re)enter you payment address. You may take a look at past payouts and copy the address from there, but be sure to verify that it is actually
your own address.
* It's always a good security practice to use difficult and unique passwords, and to change them regularly.
