Bitcoin Forum
Author Topic: CEX.IO "hacked"........?  (Read 5393 times)
Kenshin
January 16, 2014, 09:07:44 PM
 #21

Good job I left them yesterday.  Grin
empoweoqwj
January 17, 2014, 04:21:31 AM
 #22

"Jeffrey Smith" who replies to all cex.io correspondence is apparently a TradeFortress clone: http://mentaso.com/bitcoin-news/cex-part-2-the-hacked-account-and-children-playing-grownups.html

This sort of thing is becoming far too commonplace. While I like the premise of cex.io, I wish there was a more stable and secure platform like it and not the constant dodgy behavior Mr. Smith seems to exhibit.

Now you have me really worried!

With all I've heard, multiple account "hacks" etc. at cex.io, I wouldn't put a single bitcoin in a wallet with them. I don't trust any wallet service with domain ending in .io, scared of who the real owner might be Sad
Maidak
January 20, 2014, 06:18:03 PM
Last edit: January 20, 2014, 06:40:41 PM by Maidak
 #23

Was just logged in to cex.io chat and got 2 javascript alerts minutes apart with simply the text "1".

I logged back in a few minutes later to investigate, and discovered this in the "russian" tab of their chat window:

Code:
z66 : 20:25
“><img src="#" onerror="alert(1)"
Ramirez : 20:26
><img src="#" onerror="alert(1)"
Ramirez : 20:26
doesnt work
kickbit : 20:27
xe2x80x9c><img src="#" onerror="alert(1)"
Ramirez : 20:28
-->
Ramirez : 20:29
->

They have been alerted via twitter by others that noticed the problem too:
https://twitter.com/chrisfarms/status/423913046512128001
https://twitter.com/vvedma/status/423920180750610432

As a professional web developer, this is deeply concerning.

I am not sure that this is necessarily related to people having their accounts cleaned out, but it is certainly something to consider regardless as a "possibility".  Anyone who has studied computer information security knows how serious the potential for an XSS attack is, and it certainly should not be taken lightly.

You are free to draw your own conclusions, but personally I withdrew all my BTC from there a while ago.

I'm going to clear some things up regarding this. I do work for support with cex.io and have been for months. I was on shift during the execution of this XSS vulnerability, immediately called our technical department and had the hole patched within under a minute. No user data was compromised during this failed attack. The reason for this is because what he tried to download was blocked by our censor in the trollbox.

Now the reality on why the users are getting compromised: over 99% of them are because our users are not securing their emails with 2 factor authentication nor securing their cex.io accounts. I've seen countless tickets where people have downloaded trading bots and lost all of their BTC and GHS, going to a site like c-cex.com and submitting their information. It all starts with the user's email account being compromised. 10 out of 10 times every user who has been hacked has not had their 2 factor authentication enabled, which would have prevented the withdraw from ever happening.

Also be aware it's not very hard to stick a remote administration tool and keylogger on any PC if you are not properly protecting your PC and downloading a trading bot, which could very well work; it just comes with an added feature. I have suggested to numerous people: if you plan on keeping financial assets online, do it on a freshly imaged PC, use a strong password and always use the added security precautions that the site does provide. We are also looking into adding yubikeys as well, which was my personal suggestion to the company since I love the security a yubikey offers over 2FA.

"Jeffrey Smith" who replies to all cex.io correspondence is apparently a TradeFortress clone: http://mentaso.com/bitcoin-news/cex-part-2-the-hacked-account-and-children-playing-grownups.html

This sort of thing is becoming far too commonplace. While I like the premise of cex.io, I wish there was a more stable and secure platform like it and not the constant dodgy behavior Mr. Smith seems to exhibit.

Now you have me really worried!

With all I've heard, multiple account "hacks" etc. at cex.io, I wouldn't put a single bitcoin in a wallet with them. I don't trust any wallet service with domain ending in .io, scared of who the real owner might be Sad

This is a registered company; check the SSL and the contact us page https://cex.io/support and search the company number. Just because tradefortress used an .io domain does not mean that it's a domain owned by tradefortress.

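The chat log quoted in the post above shows markup typed into the trollbox being parsed by other users' browsers. As an added illustration (not code from cex.io or from any poster in this thread), the sketch below contrasts string-concatenated chat rendering with output-encoded rendering, using probe strings from that log as sample input; the message structure and all function names are assumptions.

```javascript
// Added example: chat rendering with and without output encoding.
// SAMPLE_CHAT reuses probe strings quoted in the chat log above; the message
// structure and all function names are assumptions made for illustration.
const SAMPLE_CHAT = [
  { user: "z66", time: "20:25", text: '\u201c><img src="#" onerror="alert(1)"' },
  { user: "Ramirez", time: "20:26", text: '><img src="#" onerror="alert(1)"' },
  { user: "Ramirez", time: "20:26", text: "doesnt work" },
];

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that can open a tag, end a quoted attribute or start an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-controlled fields are concatenated into markup as-is,
// so the browser parses a typed <img ... onerror=...> as a real element.
function renderUnsafe(msg) {
  return `<li><b>${msg.user}</b> : ${msg.time} <span>${msg.text}</span></li>`;
}

// Hardened pattern: every user-controlled field is encoded at output time,
// including the username, which is as user-controlled as the message body.
function renderSafe(msg) {
  return `<li><b>${escapeHtml(msg.user)}</b> : ${escapeHtml(msg.time)} ` +
         `<span>${escapeHtml(msg.text)}</span></li>`;
}

// Count opening tags in the rendered chat that the template itself did not emit.
function injectedElements(render, messages) {
  const html = messages.map(render).join("");
  const tags = html.match(/<[a-z][^>]*>/gi) || [];
  return tags.filter((t) => !/^<(li|b|span)>$/i.test(t)).length;
}

console.log("unsafe:", injectedElements(renderUnsafe, SAMPLE_CHAT));
console.log("safe:  ", injectedElements(renderSafe, SAMPLE_CHAT));
```

In a browser, assigning the message to `textContent` rather than `innerHTML` achieves the same encoding without a hand-written escaper.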
maverick528
January 29, 2014, 04:55:59 PM
 #24

Two days ago I could not access my CEX.IO account anymore.

Says username or password wrong, but when I tried to reset the password (even knowing I am entering it right), it replies that the username or email address are wrong. I use always same email address and username, never requested to change the email address.

Contacted CEX support.

First reply goes like "you are retarded, please remember usernames are case sensitive" and then THEY write the wrong way my username, (it is all lowercase) with a capital first letter. And they ask the email I used to register (it is the one I am using to write the emails to them!!)

Second reply (24 hs later) they "inform" me what MY username and email is (I already knew that, kids!). They ask me if I changed my email address and to check all the mails from CEX.IO.  No, no email change address by me, and no email from CEX telling about any change.

Third reply (24 hs more). I must now send a photograph of myself holding a government-issued ID (can I hang the ID somewhere instead of holding it? Shocked)
The verification process is going to take two weeks. Meanwhile I can not get the funds I OWN, I can not trade, etc.
I must take a loss because they can not fix their security holes.

CEX.IO sucks.

Unfortunately a pair of days ago I bought another voucher for more GHashes on CEX. And it is not on paper so it can not be used for cleaning purposes.  Cry





maverick528
January 29, 2014, 05:10:08 PM
 #25

By the way, I do not use any trading bot.
And my password was never typed, so that keyloggers can not harm me.
And I can not use 2FA because my cellphone is a Motorola C115  Huh

empoweoqwj
January 30, 2014, 04:34:20 AM
 #26

Two days ago I could not access my CEX.IO account anymore.

Says username or password wrong, but when I tried to reset the password (even knowing I am entering it right), it replies that the username or email address are wrong. I use always same email address and username, never requested to change the email address.

Contacted CEX support.

First reply goes like "you are retarded, please remember usernames are case sensitive" and then THEY write the wrong way my username, (it is all lowercase) with a capital first letter. And they ask the email I used to register (it is the one I am using to write the emails to them!!)

Second reply (24 hs later) they "inform" me what MY username and email is (I already knew that, kids!). They ask me if I changed my email address and to check all the mails from CEX.IO.  No, no email change address by me, and no email from CEX telling about any change.

Third reply (24 hs more). I must now send a photograph of myself holding a government-issued ID (can I hang the ID somewhere instead of holding it? Shocked)
The verification process is going to take two weeks. Meanwhile I can not get the funds I OWN, I can not trade, etc.
I must take a loss because they can not fix their security holes.

CEX.IO sucks.

Unfortunately a pair of days ago I bought another voucher for more GHashes on CEX. And it is not on paper so it can not be used for cleaning purposes.  Cry



Don't you love it when companies remind you passwords are case-sensitive. Assuming we are morons who've never used the web before ....