HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN

[rofus]

Do not mine there, and check your balances and settings, you'll find your btc address changed to another one.

They hacked almost all accounts bypassing PIN and password and stole BTC.

YOU'RE WARNED

[rofus]

If you change back the address it does not change, they website is FULLY COMPROMISED.

[kalus]

can't change btc, can't change doge address either.  it reverts back to the other address.

which is fine, becuase withdrawals are disabled.

oh hashcows.  

[kikeda]

yeah it doesnt change back frig!

[Nullu]

Oh dear. I did mine there for a few hours once when I was trying out multipools. Thankfully I didn't stay long.

[Bigeyeone]

My money was not stolen, but I will change my password anyway even though it is already extremely long.

If this happened to a whole buch of people the hackers probably got a mysql dump and are brute forcing or using wordlist combos to crack as many passwords as they can.

[kalus]

My money was not stolen, but I will change my password anyway even though it is already extremely long.

yeah i don't get it; i changed from 'password1' to 'password2' how did they get in? 

[Bigeyeone]

well I just tried to put in a 30 character long password and it said max 20 , and my old pass was 20 lol

So well, not so well protected

[kalus]

well I just tried to put in a 30 character long password and it said max 20 , and my old pass was 20 lol

So well, not so well protected

lol

"error password too long"  

the individual words make up a sentence, but i don't understand what it could mean.  

[Oldminer]

This is why I never store large amounts of coin or $$ on websites without at least 2-factor authentication.

[Bigeyeone]

This is why I never store large amounts of coin or $$ on websites without at least 2-factor authentication.

I dont store large amounts of coin anywhere online, I already get nervous when my coins are at an exchange just to exchange them ASAP and make a withdrawl, but maybe I am a bit paranoid.

[kalnas]

My money was not stolen, but I will change my password anyway even though it is already extremely long.

If this happened to a whole buch of people the hackers probably got a mysql dump and are brute forcing or using wordlist combos to crack as many passwords as they can.

so do they got passwords and logged into accounts, or somehow got access to db and changed addresses directly there ?

[Kluge]

Dunno why you guys are complaining about a 20 character limit. A nearby B&M regional financial institution (I don't dare say which) will only allow a password between 4 and 8 characters in length. Wish I were joking.

This is why I never store large amounts of coin or $$ on websites without at least 2-factor authentication.

I don't think they really hold funds (in the traditional sense) outside unpaid funds from mining since the last payout cycle.

[kalus]

Dunno why you guys are complaining about a 20 character limit. A nearby B&M regional financial institution (I don't dare say which) will only allow a password between 4 and 8 characters in length. Wish I were joking.

that's the point.  there should be no character limit.  

and like oldminer said, 2-factor authentication helps.  

it felt like the hashcows admin were fighting just to keep the site up and running, and left a backdoor open so someone could steal $20,000.  

Hashcows should be making money:  money enough to hire help with securing their money, and user money.  there is already a problem with trust and scams when it comes to sites like this.  it took them so long to build up a brand, trust and goodwill, and all that effort was wasted. 

otoh, mtgox seems to be surviving, although they lost their primacy in the exhange game a long time ago. 

[KickAzzDude]

My wallet address was not changed, does this mean I was not affected?

[procrypto]

Cross posting from Reddit..

I was in the IRC channel #hashcows on freenode as this played out. Note that I don't speak for Hashcows, just a user/chatter reporting what I know.

Seems like what happened is that someone used an attack (possibly SQL injection) to change a bunch of user payout addresses to https://blockchain.info/address/13R87ropkDKzDEuVeQoX64kkcLvPWVdTKH

As users subsequently hit their pre-set auto withdraw threshold, or logged in and blindly did a manual withdrawal for themselves, the coins were siphoned off to the thief's account.

This leads me to assume that no account details (usernames, passwords, PIN, entire database) were compromised.. it was a smart but simple attack, something of a smash and grab raid. They didn't need to deal with usernames, passwords and PINs (none of which would be stored in plain text anyway), this was much easier for them.

The first thing to do is check your balance. If it's not been affected you are ok now, as the payout system was disabled by admin as soon as this came to light, and will be until investigation is complete.

If you try to manually withdraw the website will report that the withdrawal has been initiated - but it hasn't.

For a period of time you may have been unable to change your payout address, as this was also locked by admin, however it's now been enabled again.

[sarmenhb]

i talked with them on irc and it looks like it was an sql injection attack. its not 100% yet.

For those of you who dont know what that means, it means that no matter how strong your password or pin was they had actual access to the database to retrieve/update the data bypassing the website.

[merred]

thank you 4chan

[kalus]

you're welcome anon

[STT]

So they managed to steal 26k so far?