■■■My 2013 legendary account was hacked :( help me to find how and to recover it

[Realerre]

I don't know how, my account was hacked  

I already blocked the account and sent to Cyrus a signed message, I hope it will be resolved soon.

The account should be locked now and I hope the hacker will do no harm, I opened this thread mainly to try to understand how I was hacked. Also, I am pretty sure I posted 2 addresses in the stake thread, but I am not able to find them. Any google master that can help me?

Here the signed message:

----BEGIN BITCOIN SIGNED MESSAGE-----
Hi,
Someone just hacked my original account (link https://bitcointalk.org/index.php?action=profile;u=154985 )
Please help me
Realerre
-----BEGIN BITCOIN SIGNATURE-----
Version: Bitcoin-qt (1.0)
Address: 1errednJJpXhbjgqby9xj8HSjwBci6d19

HJLmrt/iZeKEyuxNZtc6w6lnzhJYj2aqlJg5hRwv7k6DUl9UzdHxH1/BOMGuNT/7Cf5t7lz2JwDsO3CoRBeMnlw=
-----END BITCOIN SIGNATURE-----

Same message, signature form 13wZt74rDowJznv1TACrZVHiPywKAynYCe:

HEucCjcploRKHI3V3t0EF0TxOk90LB36gL3WJrN/5mujDMnMJanWiF3l123Ax5RVGf3Aa2/Syb0aDM2rORj1Ui0=

From 1SoGC63df4ueo1Zum21c9DwUuft5mkyyi:

HKqudeNrfYNnxeUWMyEBrFORgd7l6+gI93BvwW7P6XH1G6Nr+BU3XgHxqjEnuyiCxRE+M8Zys3Qae3+48RGxoTA=

[1713409792]

1713409792

[1713409792]

1713409792

[bitserve]

Here you are: https://bitcointalk.org/index.php?topic=996318.msg20945919#msg20945919

[Realerre]

Thank you very much, I will send you some merit when able

[bitserve]

Thank you very much, I will send you some merit when able

np, good luck on prompt recovery of your account!

[hilariousandco]

Here the signed message:

----BEGIN BITCOIN SIGNED MESSAGE-----
Hi,
Someone just hacked my original account (link https://bitcointalk.org/index.php?action=profile;u=154985 )
Please help me
Realerre
-----BEGIN BITCOIN SIGNATURE-----
Version: Bitcoin-qt (1.0)
Address: 1errednJJpXhbjgqby9xj8HSjwBci6d19

HJLmrt/iZeKEyuxNZtc6w6lnzhJYj2aqlJg5hRwv7k6DUl9UzdHxH1/BOMGuNT/7Cf5t7lz2JwDsO3CoRBeMnlw=
-----END BITCOIN SIGNATURE-----

Same message, signature form 13wZt74rDowJznv1TACrZVHiPywKAynYCe:

HEucCjcploRKHI3V3t0EF0TxOk90LB36gL3WJrN/5mujDMnMJanWiF3l123Ax5RVGf3Aa2/Syb0aDM2rORj1Ui0=

From 1SoGC63df4ueo1Zum21c9DwUuft5mkyyi:

HKqudeNrfYNnxeUWMyEBrFORgd7l6+gI93BvwW7P6XH1G6Nr+BU3XgHxqjEnuyiCxRE+M8Zys3Qae3+48RGxoTA=

They all verify.

The older the address the better:

10 erre KozmUeGrvc3Yfxs2X5F6gpGqCSRUzxHfG invalida

??

1SoGC63df4ueo1Zum21c9DwUuft5mkyyi

ps: dvdman es un genio

[Realerre]

Yes the above addresses are spammed along all the forum, from 2013

[Realerre]

I noticed that cyrus account posted the last time 1 month ago, he seems to go online daily and to be online now, but  looking at his post history makes me think he is not very active in this period.

I don't want to bother abusing PMs, so I will bump this thread daily hoping that it will help to get noticed by some admin.

Besides that, any idea about how I was hacked?

The day before the hack I noticed I logged out and so logged in using Google automatic compile. My password is unique for this site, it was 2 words and 3 numbers, 15+ characters long. No virus or keylogger installed as far as I know, and I was hacked only on bitcointalk.

[hilariousandco]

When did you last change your password here? If you didn't chnage it after the forum hack on May 22 2015 then it was likely cracked. Did you download any alt coin wallets or accidentally log into any phishing sites?

[Realerre]

When did you last change your password here? If you didn't chnage it after the forum hack on May 22 2015 then it was likely cracked. Did you download any alt coin wallets or accidentally log into any phishing sites?

I changed my password adding "123" at the end. I know, shame on me, but they were salted and all....

Usually I use only my android phone to login, but as I said it was necessary to re-log the day before the hack

...Also, It could be I logged in using my Windows laptop. That seems unable to update to the last version of Windows, I stopped updates from services.msc because it was looping downloading and installing "the last version of windows".

I use this pc only to mine deeponions so I didn't bother so much, an avira scan find no viruses and I still have my considerable amount of onions (but I never uncrypted my wallet since days).

Deleting this pc would be really painful to me, but I'm seriously considering to do it before digiting the wallet password again.

[Realerre]

I checked the laptop, seems that I never logged in in bitcointalk since months ago, and I also ran hjiackthis, so I suppose it is safe.

And they did not hacked my android device, because other sites remain untouched. I am pretty sure I did not login to any phishing site, and I use goggle chrome autocompile for passwords.

So how did they hacked me

[Realerre]

After double-checking all i was albe to, i unlocked the wallet and made a tx.

All went smooth, thanks god

So...seems like they hacked me....maybe I remember wrong and I didn't change the password after the 2015 hack, can someone check this for me?

Regarding account recovery, two weeks are pretty a long time to wait to send a pm to theymos, but I think that spam won't help me, and I already sent 3 message to Cyrus due to wrong format too... what else I can do, besides waiting 2 weeks and upping this thread?

[Thirdspace]

The day before the hack I noticed I logged out and so logged in using Google automatic compile.

I am pretty sure I did not login to any phishing site, and I use goggle chrome autocompile for passwords.

you mean Google Autofill/Autocomplete password?
did you re-log intentionally (open login page from bookmark) or were you re-directed to login page?
if the latter happened, you could be logging into a phishing site happened to me a few weeks ago
but luckily I noticed the wrong url, so I just closed the page and reopened the forum from my bookmark
can you remember the time you logging in and check your browser history to make sure you were on the real login page at that time
just in case there is a way to trick autocomplete to work with fake login page

May 08, 2018, 10:06:56 AM - erre - password reset via email

This user's password was reset recently.
This user's email address was changed recently.

[Realerre]

The day before the hack I noticed I logged out and so logged in using Google automatic compile.

I am pretty sure I did not login to any phishing site, and I use goggle chrome autocompile for passwords.

you mean Google Autofill/Autocomplete password?
did you re-log intentionally (open login page from bookmark) or were you re-directed to login page?
if the latter happened, you could be logging into a phishing site happened to me a few weeks ago
but luckily I noticed the wrong url, so I just closed the page and reopened the forum from my bookmark
can you remember the time you logging in and check your browser history to make sure you were on the real login page at that time
just in case there is a way to trick autocomplete to work with fake login page

May 08, 2018, 10:06:56 AM - erre - password reset via email

This user's password was reset recently.
This user's email address was changed recently.

Think You for the hint, i reviewed my chronology but I can't find anything suspicious... also, Google autofill shouldn't work on a phishing site....or not?
I think I login from the login button...because it seemed like I was logged out. I think I was not redirected, but I am not 100% sure

[Welsh]

Think You for the hint, i reviewed my chronology but I can't find anything suspicious... also, Google autofill shouldn't work on a phishing site....or not?
I think I login from the login button...because it seemed like I was logged out. I think I was not redirected, but I am not 100% sure

If it autofills your password and username then yes. It's just like you typing it in. The way phishing sites work is that they make their site look identical to their target site and only have a different url and database. When you log in they'll see what you've tried to log in with, and will then try and use it on the actual site. I didn't even know autofill was a thing on modern browsers, but I would recommend taking that off right away.

[Realerre]

Think You for the hint, i reviewed my chronology but I can't find anything suspicious... also, Google autofill shouldn't work on a phishing site....or not?
I think I login from the login button...because it seemed like I was logged out. I think I was not redirected, but I am not 100% sure

If it autofills your password and username then yes. It's just like you typing it in. The way phishing sites work is that they make their site look identical to their target site and only have a different url and database. When you log in they'll see what you've tried to log in with, and will then try and use it on the actual site. I didn't even know autofill was a thing on modern browsers, but I would recommend taking that off right away.

When I went to a known site and I saved the password, both username and password would be autocopiled and in yellow background. I think this function will only work for known urls, I am pretty sure I used it, and I can't find any phishing link in my chronology (but searching is difficult because of mobile, I could have missed it).

Still, I'm wondering if I changed the password after the 2015 hack. I think I did so but I'm not 100% sure...

[Realerre]

Many days passed, still I didn't manage to understand how I was hacked, still no response from Cyrus.

Bump

[coinlocket$]

Some rules to avoid the hack

-Download untrusted wallets in a virtual machine
-Use a virgin email to the forum account
-Save the website on bookmarks
-Always check

[Realerre]

Some rules to avoid the hack

-Download untrusted wallets in a virtual machine
-Use a virgin email to the forum account
-Save the website on bookmarks
-Always check

On the Admin side, they could require email verification for password change.
That would be great

[Realerre]

Really, i don't know why email confirmation is not required to a password change, considering how much this forum is prone to hack attacks.

Still no answers from Cyrus, UP!

[Soros Shorts]

Think You for the hint, i reviewed my chronology but I can't find anything suspicious... also, Google autofill shouldn't work on a phishing site....or not?
I think I login from the login button...because it seemed like I was logged out. I think I was not redirected, but I am not 100% sure

If it autofills your password and username then yes. It's just like you typing it in. The way phishing sites work is that they make their site look identical to their target site and only have a different url and database. When you log in they'll see what you've tried to log in with, and will then try and use it on the actual site. I didn't even know autofill was a thing on modern browsers, but I would recommend taking that off right away.

I always thought that autofills key the passwords to hostname or domain name contained in the canonical URL. They are not tricked by phishing sites where the domain name is mistyped or simply looks the same visually to the real site.