Drawie
Newbie
Offline
Activity: 7
Merit: 0
June 19, 2013, 08:41:29 PM
And 2FA.
I suggest you sanitize your system and, when you're sure you're clean, change every credential you have. Mind sharing some intel? IP, withdrawal address etc.? I can't do anything specific, but I'd say it's good anyway to have that data available.
Hope your loss wasn't that big. :/
Edit: is your API access enabled? (Account - Settings - at the bottom)
Hi, the coins were withdrawn to address 18RUHecChoueC4tspKyxyHtesGZ5DznQhd and sent forth from there. The hacker first logged in from IP 71.19.243.196 and then 12 minutes later from 209.21.67.218 and did the cleaning in 4 minutes. The IPs are most likely proxied as they appear to be quite far away from each other. What makes this even weirder is that there's no sign of password changes in my account history, although I had to retrieve my password via email as it didn't let me log in with my old password. My API access is not enabled.
Hawkix
June 20, 2013, 06:02:42 AM
Most likely the attacker had (HAS?) access to your e-mail account associated with BitStamp. He then performed a password reset and obtained the new password from your compromised e-mail account. Change your e-mail password immediately to something stronger.
bernard75
Legendary
Offline
Activity: 1316
Merit: 1003
June 20, 2013, 08:00:26 AM
That would in fact be the easiest way to "hack" the accounts.
klabaki
Full Member
Offline
Activity: 224
Merit: 100
Ƶ = µBTC
June 20, 2013, 03:17:32 PM Last edit: June 25, 2013, 02:24:44 AM by klabaki
If you modify the API anyway, could you also have a look at this?
@hazek, bitstamp team: many thanks to you!! I can see here that you're not only having a look at it, but that you've already done it.
Drawie
Newbie
Offline
Activity: 7
Merit: 0
June 20, 2013, 04:13:15 PM
Most likely the attacker had (HAS?) access to your e-mail account associated with BitStamp. He then performed a password reset and obtained the new password from your compromised e-mail account. Change your e-mail password immediately to something stronger.
Thank you for the answer. It really seems like this is the case. I'm currently trying to get my email account activity from Microsoft on the day of the breach to find out if this really happened. Although my Bitstamp pw was rather strong, my email pw really sucked.
dego
June 21, 2013, 10:40:59 AM
Hi there, just trying to reach the Bitstamp guys through this forum. The password reset dialog doesn't function at the moment. I always get an error message after entering the email address:
hazek
Legendary
Offline
Activity: 1078
Merit: 1003
June 21, 2013, 01:40:29 PM
This error should be fixed now. Can you please try again and report back to us via support@bitstamp.net if the problem persists. Thank you.
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
kakobrekla
June 21, 2013, 04:33:58 PM
This error should be fixed now. Can you please try again and report back to us via support@bitstamp.net if the problem persists. Thank you. How about fixing the scammy trading engine?
hazek
Legendary
Offline
Activity: 1078
Merit: 1003
June 24, 2013, 07:35:36 AM
Dear Bitstamp users,
Tuesday, June 25th is a state holiday in Slovenia. Bank deposits and withdrawals will be processed on Wednesday 26th.
Thank you for using our service!
bitcoinmarketmaker
Member
Offline
Activity: 89
Merit: 10
put me on speeddial#1
June 24, 2013, 09:58:15 AM
Dear Bitstamp users,
Tuesday, June 25th is a state holiday in Slovenia. Bank deposits and withdrawals will be processed on Wednesday 26th.
Thank you for using our service!
Thanks for letting us know in advance. I was not aware of this.
ag@th0s
June 28, 2013, 01:11:46 PM
Just a heads up that http://www.tranzfers.com are no longer prepared to transfer money to Bitstamp. I arranged a transfer yesterday which they'd received the funds for and marked as "paid to beneficiary" on their website, but they've just phoned me up to confirm that they won't be completing the transaction. One of their banking partners is Citibank so I guess it relates to that. So, Transferwise first and now Tranzfers - any suggestions for the best way for a UK resident to move money to Bitstamp?
bernard75
Legendary
Offline
Activity: 1316
Merit: 1003
June 29, 2013, 08:43:49 AM
SEPA. Although the Brits and the Europeans (Tempora) want the UK out of the EU, they are still bound by banking regulations. If your bank tells you otherwise, fucking sue them.
thelandscape
Newbie
Offline
Activity: 6
Merit: 0
June 29, 2013, 09:39:31 PM
I withdrew 5.27 BTC more than two days ago. The transaction is shown as "finished" but nothing has arrived. It's also not on blockchain. The coins just disappeared.
Anyone else had this problem? I contacted support but they didn't reply to me for more than 24 hours now. Rate is still falling and I want my coins. Really annoying.
Bagpipe
June 30, 2013, 05:39:31 PM
The recent hacks were database-oriented, so I assume the attackers have an extensive knowledge of MySQL and similar...
But I am here to warn you, Bitstamp, to repair this horrible security faux pas -- you use for API access the same name and password as for the main login on the site. This is unacceptable, because if anyone gains an API login, he/she can then raid the account. The point of API access is to allow automated and/or remote trading, not doing account transfers! Look at btc-e for a better implementation.
Simply, API access needs to be a separate access name/password from that of the main account.
You could also allow the users to make separate API entry accounts and assign funds to these sub-accounts from your main account, so that you could, for example, have 1000 USD in the main account and diverge 400$ into API_1 and 400$ into API_2. This way, each of the separate accesses can be managed individually. But even if you don't apply this improvement, changing the API access conditions and maybe including an external RSA key hardware for trade confirmations, and for main account access, would be of great help! (For confirmation of bank and bitcoin transfers out of an account a simple "Trezor" external key dongle could be used; this is to cost 1 BTC only, and an alternative is in development by another 'lab'.)
Anyway, even if you used printed gridcards, like many banks do (postage is cheap these days, still), you would enhance account security by 1000x, because a physical piece of plastic with numbers on it, is way more secure than any data you transfer over the internet via third parties.
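Added example (not Bagpipe's code, not Bitstamp's, and not any real exchange's API): one way to realise the proposal above server-side, with every API key being its own credential, carrying an explicit scope set, and tied to a USD allocation carved out of the main account. All names, the scope list and the cent-based amounts are assumptions.

```python
# Per-key API credentials with explicit scopes and a per-key fund allocation.
# Key design point: "withdraw" is not a scope that exists for API keys at all, so a
# leaked API secret can trade within its allocation but cannot empty the account.
import hashlib
import hmac
import secrets

API_SCOPES = frozenset({"trade", "read_balance"})   # assumed scope list; no "withdraw"


class ApiKeyStore:
    """In-memory key store; a real deployment would persist this server-side."""

    def __init__(self):
        self._keys = {}

    def issue(self, account, scopes, usd_allocation_cents):
        """Create a sub-credential for `account`. Returns (key_id, secret); the
        secret is shown once and only its hash is retained. The secret is 256 bits
        of randomness, so a plain SHA-256 is adequate here (unlike for passwords)."""
        bad = set(scopes) - API_SCOPES
        if bad:
            raise ValueError(f"scope(s) not available via API: {sorted(bad)}")
        key_id = secrets.token_hex(8)
        secret = secrets.token_hex(32)
        self._keys[key_id] = {
            "account": account,
            "scopes": frozenset(scopes),
            "usd_allocation": usd_allocation_cents,   # 40000 = the poster's 400$ example
            "secret_hash": hashlib.sha256(secret.encode()).digest(),
        }
        return key_id, secret

    def authorize(self, key_id, secret, action, amount_cents=0):
        """Decide whether this key may perform `action`. Returns (allowed, reason)."""
        rec = self._keys.get(key_id)
        if rec is None:
            return False, "unknown key"
        presented = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(rec["secret_hash"], presented):   # constant-time
            return False, "bad secret"
        if action not in rec["scopes"]:
            return False, f"scope '{action}' not granted to this key"
        if action == "trade" and amount_cents > rec["usd_allocation"]:
            return False, "order exceeds this key's fund allocation"
        return True, "ok"
```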
kakobrekla
June 30, 2013, 07:45:59 PM
The recent hacks were database-oriented, so I assume the attackers have an extensive knowledge of MySQL and similar...
But I am here to warn you, Bitstamp, to repair this horrible security faux pas -- you use for API access the same name and password as for the main login on the site. This is unacceptable, because if anyone gains an API login, he/she can then raid the account. The point of API access is to allow automated and/or remote trading, not doing account transfers! Look at btc-e for a better implementation.
Simply, API access needs to be a separate access name/password from that of the main account.
You could also allow the users to make separate API entry accounts and assign funds to these sub-accounts from your main account, so that you could, for example, have 1000 USD in the main account and diverge 400$ into API_1 and 400$ into API_2. This way, each of the separate accesses can be managed individually. But even if you don't apply this improvement, changing the API access conditions and maybe including an external RSA key hardware for trade confirmations, and for main account access, would be of great help! (For confirmation of bank and bitcoin transfers out of an account a simple "Trezor" external key dongle could be used; this is to cost 1 BTC only, and an alternative is in development by another 'lab'.)
Anyway, even if you used printed gridcards, like many banks do (postage is cheap these days, still), you would enhance account security by 1000x, because a physical piece of plastic with numbers on it, is way more secure than any data you transfer over the internet via third parties.
Don't bother. CSS is way more important than any of the serious issues, like scamming trading engine.
RoadTrain
Legendary
Offline
Activity: 1386
Merit: 1009
June 30, 2013, 08:39:09 PM
The recent hacks were database-oriented, so I assume the attackers have an extensive knowledge of MySQL and similar...
But I am here to warn you, Bitstamp, to repair this horrible security faux pas -- you use for API access the same name and password as for the main login on the site. This is unacceptable, because if anyone gains an API login, he/she can then raid the account. The point of API access is to allow automated and/or remote trading, not doing account transfers! Look at btc-e for a better implementation.
Simply, API access needs to be a separate access name/password from that of the main account.
You could also allow the users to make separate API entry accounts and assign funds to these sub-accounts from your main account, so that you could, for example, have 1000 USD in the main account and diverge 400$ into API_1 and 400$ into API_2. This way, each of the separate accesses can be managed individually. But even if you don't apply this improvement, changing the API access conditions and maybe including an external RSA key hardware for trade confirmations, and for main account access, would be of great help! (For confirmation of bank and bitcoin transfers out of an account a simple "Trezor" external key dongle could be used; this is to cost 1 BTC only, and an alternative is in development by another 'lab'.)
Anyway, even if you used printed gridcards, like many banks do (postage is cheap these days, still), you would enhance account security by 1000x, because a physical piece of plastic with numbers on it, is way more secure than any data you transfer over the internet via third parties.
Don't bother. CSS is way more important than any of the serious issues, like scamming trading engine. How does the current engine scam you?
bernard75
Legendary
Offline
Activity: 1316
Merit: 1003
June 30, 2013, 08:48:14 PM
LOL, u guys must have some serious beef.
RoadTrain
Legendary
Offline
Activity: 1386
Merit: 1009
June 30, 2013, 09:03:16 PM
Huh, didn't know about it. If I were to write a trading engine I'd certainly use fixed-point arithmetic and at least five decimal places to make it as precise and transparent as possible.
lucif
Sr. Member
Offline
Activity: 462
Merit: 250
Clown prophet
June 30, 2013, 11:42:12 PM
Fuck yeah, money math precision is an ass pain of all financial amateurs running bitcoin services. Looks like only Gox is using int64 for internal money calculations. All others use some shitty rounding or floating point math.
Of course, this is pennies and I don't care. But small or daily traders should.
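Added example (not lucif's or RoadTrain's code, and not any exchange's engine): a toy BTC/USD settlement step done entirely in integers, the way the two posts above argue for. Assumed units: BTC in satoshi (1e-8), USD in cents, prices in USD * 10**5 (the five decimal places RoadTrain mentions); the rounding policy (buyer rounded up, seller rounded down, residue booked to a house account) is an assumption, chosen so the ledger provably balances.

```python
# Integer-only settlement for a toy trading ledger. No float ever touches a balance;
# rounding is explicit, and the sub-cent dust is booked rather than silently dropped.
SATOSHI = 10**8       # 1 BTC
CENT = 100            # cents per USD
PRICE_SCALE = 10**5   # prices carry five decimal places, e.g. 9751234 = 97.51234 USD

def cost_in_cents(qty_sat, price_scaled):
    """Exact USD value of a fill as (whole cents, sub-cent remainder).
    value_usd = qty/1e8 * price/1e5; times 100 for cents. divmod keeps the remainder
    (in units of 1/(SATOSHI*PRICE_SCALE) cent) instead of discarding it."""
    return divmod(qty_sat * price_scaled * CENT, SATOSHI * PRICE_SCALE)

def settle_fill(qty_sat, price_scaled, buyer, seller, house):
    """Move qty_sat from seller to buyer. Buyer pays the cost rounded UP, seller
    receives it rounded DOWN; the <=1 cent gap goes to `house` explicitly, so
    total USD across all accounts is conserved. Returns (paid, received) in cents."""
    cents, rem = cost_in_cents(qty_sat, price_scaled)
    paid = cents + (1 if rem else 0)
    received = cents
    buyer["usd"] -= paid
    buyer["btc"] += qty_sat
    seller["usd"] += received
    seller["btc"] -= qty_sat
    house["usd"] += paid - received
    return paid, received

def total_usd(*accounts):
    """Conservation check: the sum of all USD balances must never change."""
    return sum(a["usd"] for a in accounts)

def btc_total_float(fills_btc):
    """The naive float version of a position total, for comparison only."""
    total = 0.0
    for q in fills_btc:
        total += q
    return total

if __name__ == "__main__":
    buyer = {"usd": 100000, "btc": 0}          # constructed sample accounts
    seller = {"usd": 0, "btc": SATOSHI}
    house = {"usd": 0}
    before = total_usd(buyer, seller, house)
    for _ in range(10):                        # ten fills of 0.1 BTC at 97.51234 USD
        settle_fill(SATOSHI // 10, 9751234, buyer, seller, house)
    print(buyer["btc"] == SATOSHI, total_usd(buyer, seller, house) == before)  # True True
    print(btc_total_float([0.1] * 10))         # float ledger drifts: 0.9999999999999999
```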