Coinedup OpenID bug! - coins stolen

[bsd]

Warning!!! Don't login with Yahoo OpenID to coinedup.com

My reddit post that has gotten ZERO response in 16 hours (no e-mail back either):
 http://www.reddit.com/r/CoinedUp/comments/1sx42y/warning_your_yahoo_openid_allows_2_different/

I used an old burner Yahoo e-mail address with a stupid-long password to login to coinedup and it had a rocketmail.com (Yahoo owned) e-mail saved as the owner with previous transactions.

I didn't realize it and I got robbed of ~.5btc pretty quick I was trying to buy dogecoins of course.

How to replicate the problem: Go to: http://openid.yahoo.com/ and click "Get Started" and then login to your Yahoo.com e-mail address.
On the next screen you'll see: Your OpenID identifiers: followed by a long https://me.yahoo.com/a/whatever address
Use that https://me.yahoo.com/a/whatever URL to login to CoinedUp and surprise - a rocketmail.com account has previous transactions and can rob your account.

Fucking sucks. Fix your shit. I'm sure I'm not the only one.

This is the only btc address I used for coinedup: 1KD8mERwt1rBZz9TzvV3EyHA4MrBXmRNvY

so w**@rocketmail.com who stole a little under .5btc please give it back thief.

**UPDATE: The guy who I thought stole my coins e-mailed me and said had the same problem and someone else emptied the account. I'll post updates.
**UPDATE: CoinedUp refunded me my btc!! Goodguys CoinedUp

[peterlustig]

Not sure I understand, isn't Yahoo at fault?

[bsd]

Possibly. I still want to warn people though until this is resolved.

[peterlustig]

Thanks for the warning of course!

[tokyoghetto]

CoinedUp is down now some ones crazy 11 BTC sell wall just crashed it. such shit. so crap. dogeshit wow.

[cryptohunter]

this sounds terrible, who's fault is this yahoo or the exchange?

How about google id same issue?

[bsd]

We don't know yet whose fault it is.

It's probably only a bug with Yahoo OpenID but I really don't know.

I guess for now check your transaction history and e-mail stored at coinedup every time you login until this is resolved.

[acejudas]

wow. much scary. hopes this gets resolved asap. have moved my doges elsewhere until then unfortunately.

[bsd]

They replied to my e-mail and I replied back with my logs so I'm waiting on their next response.

Their first reply:

Hello,

Thank you for contacting us.

Our preliminary investigation shows that there is one, and only one, OpenID attached to your account.

We will investigate further to provide you with more information about a potential hack, but there is certainly no sharing of 'rocketmail' and 'yahoo' OpedID keys.

Is there any more information you can add that will help us investigate?

Regards,
Team CoinedUp Support

[sixteendigits]

You sent .5 BTC there to buy dogecoin.  You were losing that .5 BTC either way.

[eon89]

So how did this happen? A rocketmail account with same name stole your btc?

[bsd]

First of all I would have made money then buying doges and flipping them.

I logged in for the first time and didn't look at the past transactions. There were a bunch from the past 2 days.
After my btc was gone like that South Park bank episode, I looked in the account settings and saw a different e-mail (name) that happened to be rocketmail.
Then I clicked everything and saw the past transactions. Yea I know partially my fault so I'm not totally going nuts over this.
My password was stupid long and it was an older Yahoo account that I never really use. It doesn't make sense.

[bsd]

UPDATE from Reddit:

pete_coinedup 2 points 35 minutes ago*
Hello,
We did indeed respond you your email. We're going to shutdown any yahoo OpenID logins until we can investigate further. However, like we said in the email response, we are willing to help investigate. If there indeed a problem, then I'm sure can resolve it. Our main goal is customer satisfaction.


I'll keep everyone posted.

[theprofileth]

Mate I am really sorry this happened, what is scarier is that a third party had access to the coins which makes me think that this could be a much more widespread issue. I never did like openid, never made much sense to me, I mean I have had my emails get hacked more often than I have had anything else get hacked, which is why I use more secure passwords now. I really wish I had written down the email of the previous guy who had his email put as the account's email address, that might have helped the situation however I didn't want to be creepy and write down some random guy's email when for all I knew I was logging into his account and not my own.

[bsd]

Update

CoinedUp is still looking into into the problem and are keeping Yahoo OpenID disabled for now.

They refunded me my btc!! Goodguys CoinedUp

[albertdros]

Update

CoinedUp is still looking into into the problem and are keeping Yahoo OpenID disabled for now.

They refunded me my btc!! Goodguys CoinedUp

wow thats amazing! Good for you. Coinedup is always down, but its completely free and they even refund you your BTC. Again, much respect.