Bitcoin Forum
Author Topic: www.BITSTAMP.net Bitcoin exchange site for USD/BTC  (Read 206086 times)
Drawie
Newbie
*
Offline Offline

Activity: 7


View Profile
June 19, 2013, 08:41:29 PM
 #381

And 2FA.

I suggest you sanitize your system and, when you're sure you're clean, change every credential you have. Mind sharing some intel? IP, withdrawal address etc.? I can't do anything specific, but I'd say it's good anyway to have that data available.

Hope your loss wasn't that big. :/

Edit: is your API access enabled? (Account - Settings - at the bottom)
Hi,

The coins were withdrawn to address 18RUHecChoueC4tspKyxyHtesGZ5DznQhd and sent forth from there.

The hacker first logged in from IP 71.19.243.196 and then 12 minutes later from 209.21.67.218 and did the cleaning in 4 minutes. The IPs are most likely proxy'd as they appear to be quite far away from each other.

What makes this even weirder is that there's no sign of password changes in my account history, although I had to retrieve my password via email as it didn't let me log in with my old password. My API access is not enabled.
Hawkix
Hero Member
*****
Offline Offline

Activity: 517



View Profile WWW
June 20, 2013, 06:02:42 AM
 #382

Most likely the attacker had (HAS?) access to your e-mail account associated with BitStamp. He then performed a password reset and obtained the new password from your compromised e-mail account. Change your e-mail password immediately to something stronger.


Donations: 1Hawkix7GHym6SM98ii5vSHHShA3FUgpV6
http://btcportal.net/ - All about Bitcoin - coming soon!
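The sequence discussed in the posts above (an e-mail password reset, logins from unfamiliar IPs, then a withdrawal within minutes) can be checked for on the service side. The following Python sketch is an added example, not code from the thread or from Bitstamp; the event names, the 30-minute window and the sample log are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed account events (timestamp, event, source IP); IPs are documentation ranges.
EVENTS = [
    ("2013-06-18 09:00:00", "login", "198.51.100.7"),
    ("2013-06-19 14:00:00", "password_reset_email", "203.0.113.10"),
    ("2013-06-19 14:01:00", "login", "203.0.113.10"),
    ("2013-06-19 14:13:00", "login", "192.0.2.55"),
    ("2013-06-19 14:17:00", "withdrawal", "192.0.2.55"),
]
WINDOW = timedelta(minutes=30)  # assumed review window after a reset


def parse(events):
    fmt = "%Y-%m-%d %H:%M:%S"
    return sorted((datetime.strptime(ts, fmt), kind, ip) for ts, kind, ip in events)


def takeover_alerts(events, window=WINDOW):
    """Flag withdrawals made shortly after an e-mail password reset from an
    IP that never logged in before that reset."""
    trusted = set()      # IPs with a login outside any post-reset window
    since_reset = set()  # IPs seen while a reset window is open
    reset_at = None
    alerts = []
    for ts, kind, ip in parse(events):
        in_window = reset_at is not None and ts - reset_at <= window
        if kind == "password_reset_email":
            reset_at, since_reset = ts, set()
        elif kind == "login":
            # Logins right after a reset do not earn trust: the reset itself
            # may have been triggered from a compromised mailbox.
            (since_reset if in_window else trusted).add(ip)
        elif kind == "withdrawal" and in_window and ip not in trusted:
            alerts.append({
                "time": ts,
                "ip": ip,
                "minutes_since_reset": int((ts - reset_at).total_seconds() // 60),
                "new_ips": sorted(since_reset - trusted),
            })
    return alerts


if __name__ == "__main__":
    for alert in takeover_alerts(EVENTS):
        print("HOLD withdrawal for review:", alert)
```

A withdrawal that arrives after the window has closed is not flagged by this rule, so a service would pair it with a hold on withdrawals for some period after any credential reset.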
bernard75
Legendary
*
Offline Offline

Activity: 1064



View Profile
June 20, 2013, 08:00:26 AM
 #383

That would in fact be the easiest way to "hack" the accounts.
klabaki
Full Member
***
Offline Offline

Activity: 224

Ƶ = µBTC


View Profile
June 20, 2013, 03:17:32 PM
 #384

If you modify the API anyway, could you also have a look at this?
@hazek, bitstamp team

Many thanks to you!!

I can see here, that you're not only having a look at it, but that you've already done it Kiss

Ƶ = µBTC

Wer den Satoshi nicht ehrt, der ist den Ƶibcoin nicht wert.
Drawie
Newbie
*
Offline Offline

Activity: 7


View Profile
June 20, 2013, 04:13:15 PM
 #385

Most likely the attacker had (HAS?) access to your e-mail account associated with BitStamp. He then performed a password reset and obtained the new password from your compromised e-mail account. Change your e-mail password immediately to something stronger.


Thank you for the answer. It really seems like this is the case. I'm currently trying to get my email account activity from Microsoft on the day of the breach to find out if this really happened. Although my Bitstamp pw was rather strong, my email pw really sucked. Roll Eyes
dego
Sr. Member
****
Offline Offline

Activity: 379



View Profile
June 21, 2013, 10:40:59 AM
 #386

Hi there,

just trying to reach the Bitstamp guys through this forum.

The password reset dialog doesn't function at the moment. I always get an error message after entering the email address:


Following the crypto revolution since 2011.
hazek
Legendary
*
Offline Offline

Activity: 1078


View Profile
June 21, 2013, 01:40:29 PM
 #387

This error should be fixed now. Can you please try again and report back to us via support@bitstamp.net if the problem persists. Thank you.

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
kakobrekla
Hero Member
*****
Offline Offline

Activity: 714


Psi laju, karavani prolaze.


View Profile
June 21, 2013, 04:33:58 PM
 #388

This error should be fixed now. Can you please try again and report back to us via support@bitstamp.net if the problem persists. Thank you.

How about fixing the scammy trading engine?

hazek
Legendary
*
Offline Offline

Activity: 1078


View Profile
June 24, 2013, 07:35:36 AM
 #389

Dear Bitstamp users,

Tuesday, June 25th is a state holiday in Slovenia. Bank deposits and withdrawals will be processed on Wednesday 26th.

Thank you for using our service!

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
bitcoinmarketmaker
Member
**
Offline Offline

Activity: 89


put me on speeddial#1


View Profile WWW
June 24, 2013, 09:58:15 AM
 #390

Dear Bitstamp users,

Tuesday, June 25th is a state holiday in Slovenia. Bank deposits and withdrawals will be processed on Wednesday 26th.

Thank you for using our service!

Thanks for letting us know in advance. I was not aware of this.

Smiley

ag@th0s
Full Member
***
Offline Offline

Activity: 202



View Profile
June 28, 2013, 01:11:46 PM
 #391

Just a heads up that http://www.tranzfers.com are no longer prepared to transfer money to Bitstamp. I arranged a transfer yesterday which they'd received the funds for and marked as "paid to beneficiary" on their website, but they've just phoned me up to confirm that they won't be completing the transaction. One of their banking partners is Citibank so I guess it relates to that. So, Transferwise first and now Tranzfers - any suggestions for the best way for a UK resident to move money to Bitstamp?
bernard75
Legendary
*
Offline Offline

Activity: 1064



View Profile
June 29, 2013, 08:43:49 AM
 #392

SEPA Smiley
Although the Brits and the Europeans(Tempora Wink ) want the UK out of the EU, they are still bound by banking regulations.
If your bank tells you otherwise fucking sue them.
thelandscape
Newbie
*
Offline Offline

Activity: 6


View Profile
June 29, 2013, 09:39:31 PM
 #393

I withdrew 5.27 BTC more than two days ago. The transaction is shown as "finished" but nothing has arrived. It's also not on blockchain. The coins just disappeared.

Anyone else had this problem? I contacted support but they didn't reply to me for more than 24 hours now. Rate is still falling and I want my coins. Really annoying.
Bagpipe
Full Member
***
Offline Offline

Activity: 148


View Profile
June 30, 2013, 05:39:31 PM
 #394

The recent hacks were database-oriented, so I assume the attackers have an extensive knowledge of MySQL and similar...

But I am here to warn you, Bitstamp, to repair this horrible security faux pas -- you use for API access the same name and password as for the main login on the site. This is unacceptable, because if anyone gains an API login, he/she can then raid the account. The point of API access is to allow automated and/or remote trading, not doing account transfers! Look at btc-e for a better implementation.

Simply, API access needs to be a separate access name/password than that of the main account.

You could also allow the users to make separate API entry accounts and assign funds to these sub-accounts from your main account, so that you could, for example have 1000 USD in the main account and divert 400$ into API_1 and 400$ into API_2. This way, each of the separate accesses can be managed individually. But even if you don't apply this improvement, changing the API access conditions and maybe including an external RSA key hardware for trade confirmations, and for main account access would be of great help! (For confirmation of bank and bitcoin transfers out of an account a simple "Trezor" external key dongle could be used, this is to cost 1BTC only, and an alternative is in development by another 'lab'.)

Anyway, even if you used printed gridcards, like many banks do (postage is cheap these days, still), you would enhance account security by 1000x, because a physical piece of plastic with numbers on it, is way more secure than any data you transfer over the internet via third parties.
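The separation proposed in the post above (API credentials distinct from the site login, unable to withdraw, and limited to funds assigned to a sub-account) can be modelled in a few lines. This Python sketch is an added example and not any exchange's real API; the class, scope names and method names are hypothetical.

```python
import hashlib
import hmac
import secrets


def _digest(secret):
    # Plain SHA-256 is adequate here only because the secret is a random
    # 256-bit token, not a user-chosen password.
    return hashlib.sha256(secret.encode()).hexdigest()


class Account:
    API_SCOPES = {"read", "trade"}  # "withdraw" is deliberately not grantable

    def __init__(self, usd_cents):
        self.main_usd = usd_cents
        self.api_keys = {}  # key_id -> {"hash", "scopes", "budget"}

    def create_api_key(self, scopes, budget_cents):
        scopes = frozenset(scopes)
        if not scopes <= self.API_SCOPES:
            raise ValueError("scope not available to API keys")
        if not 0 <= budget_cents <= self.main_usd:
            raise ValueError("budget exceeds main balance")
        key_id, secret = secrets.token_hex(8), secrets.token_hex(32)
        self.main_usd -= budget_cents  # funds move into the sub-account
        self.api_keys[key_id] = {
            "hash": _digest(secret), "scopes": scopes, "budget": budget_cents,
        }
        return key_id, secret  # secret is shown once, never stored in clear

    def authorize(self, key_id, secret, action, amount_cents=0):
        key = self.api_keys.get(key_id)
        if key is None or not hmac.compare_digest(key["hash"], _digest(secret)):
            return False
        # A stolen key can trade at most its own budget and can never withdraw.
        return action in key["scopes"] and amount_cents <= key["budget"]


def demo():
    acct = Account(100_000)  # 1000 USD, the figure used in the post
    k1 = acct.create_api_key({"trade"}, 40_000)  # API_1: 400 USD
    k2 = acct.create_api_key({"trade"}, 40_000)  # API_2: 400 USD
    return acct, k1, k2
```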
kakobrekla
Hero Member
*****
Offline Offline

Activity: 714


Psi laju, karavani prolaze.


View Profile
June 30, 2013, 07:45:59 PM
 #395

The recent hacks were database-oriented, so I assume the attackers have an extensive knowledge of MySQL and similar...

But I am here to warn you, Bitstamp, to repair this horrible security faux pas -- you use for API access the same name and password as for the main login on the site. This is unacceptable, because if anyone gains an API login, he/she can then raid the account. The point of API access is to allow automated and/or remote trading, not doing account transfers! Look at btc-e for a better implementation.

Simply, API access needs to be a separate access name/password than that of the main account.

You could also allow the users to make separate API entry accounts and assign funds to these sub-accounts from your main account, so that you could, for example have 1000 USD in the main account and divert 400$ into API_1 and 400$ into API_2. This way, each of the separate accesses can be managed individually. But even if you don't apply this improvement, changing the API access conditions and maybe including an external RSA key hardware for trade confirmations, and for main account access would be of great help! (For confirmation of bank and bitcoin transfers out of an account a simple "Trezor" external key dongle could be used, this is to cost 1BTC only, and an alternative is in development by another 'lab'.)

Anyway, even if you used printed gridcards, like many banks do (postage is cheap these days, still), you would enhance account security by 1000x, because a physical piece of plastic with numbers on it, is way more secure than any data you transfer over the internet via third parties.

Don't bother. CSS is way more important than any of the serious issues, like scamming trading engine.

RoadTrain
Legendary
*
Offline Offline

Activity: 1148

The most centralized thing in Bitcoin is expertise


View Profile
June 30, 2013, 08:39:09 PM
 #396

The recent hacks were database-oriented, so I assume the attackers have an extensive knowledge of MySQL and similar...

But I am here to warn you, Bitstamp, to repair this horrible security faux pas -- you use for API access the same name and password as for the main login on the site. This is unacceptable, because if anyone gains an API login, he/she can then raid the account. The point of API access is to allow automated and/or remote trading, not doing account transfers! Look at btc-e for a better implementation.

Simply, API access needs to be a separate access name/password than that of the main account.

You could also allow the users to make separate API entry accounts and assign funds to these sub-accounts from your main account, so that you could, for example have 1000 USD in the main account and divert 400$ into API_1 and 400$ into API_2. This way, each of the separate accesses can be managed individually. But even if you don't apply this improvement, changing the API access conditions and maybe including an external RSA key hardware for trade confirmations, and for main account access would be of great help! (For confirmation of bank and bitcoin transfers out of an account a simple "Trezor" external key dongle could be used, this is to cost 1BTC only, and an alternative is in development by another 'lab'.)

Anyway, even if you used printed gridcards, like many banks do (postage is cheap these days, still), you would enhance account security by 1000x, because a physical piece of plastic with numbers on it, is way more secure than any data you transfer over the internet via third parties.

Don't bother. CSS is way more important than any of the serious issues, like scamming trading engine.
How does the current engine scam you?

"The centralization measure is the cost of the option to create a new full node" - Measuring Decentralization
Why Bitcoin XT is a piece of nonsense
I AM HODLING
kakobrekla
Hero Member
*****
Offline Offline

Activity: 714


Psi laju, karavani prolaze.


View Profile
June 30, 2013, 08:43:55 PM
 #397

How does the current engine scam you?

In about 5 different ways.

bernard75
Legendary
*
Offline Offline

Activity: 1064



View Profile
June 30, 2013, 08:48:14 PM
 #398

LOL, u guys must have some serious beef. Cheesy
RoadTrain
Legendary
*
Offline Offline

Activity: 1148

The most centralized thing in Bitcoin is expertise


View Profile
June 30, 2013, 09:03:16 PM
 #399

Huh, didn't know about it.
If I were to write a trading engine I'd certainly use fixed-point arithmetic and at least five decimal places to make it as precise and transparent as possible.

"The centralization measure is the cost of the option to create a new full node" - Measuring Decentralization
Why Bitcoin XT is a piece of nonsense
I AM HODLING
lucif
Sr. Member
****
Offline Offline

Activity: 448


Clown prophet


View Profile
June 30, 2013, 11:42:12 PM
 #400

Fuck yeah, money math precision is an ass pain of all financial amateurs running bitcoin services. Looks like only gox using int64 for internal money calculations. All others use some shitty rounding or floating point math.

Of course, this is pennies and I don't care. But small or daily traders should.
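The last two posts contrast floating-point money math with fixed-point integers. The Python sketch below is an added example, not code from any exchange: it keeps BTC in satoshis and USD in units of 1e-5 (the five decimal places suggested above), and the half-up rounding rule and the 25 basis point fee used to exercise it are assumptions.

```python
SAT = 10**8        # satoshis per BTC
USD_SCALE = 10**5  # five decimal places, the minimum suggested in the thread


def to_units(text, scale):
    """Parse a non-negative decimal string into scaled integers without float."""
    whole, _, frac = text.partition(".")
    digits = len(str(scale)) - 1
    if len(frac) > digits:
        raise ValueError("more precision than the ledger stores")
    return int(whole or "0") * scale + int(frac.ljust(digits, "0"))


def div_half_up(n, d):
    """Integer division of non-negative n by positive d, rounding half up."""
    return (2 * n + d) // (2 * d)


def trade_value(sat, price_units):
    """USD units owed for `sat` satoshis at `price_units` per whole BTC."""
    # In an int64 language this product can overflow (up to 2.1e15 satoshis
    # times a scaled price), so the intermediate needs a wider integer type.
    return div_half_up(sat * price_units, SAT)


def fee(value_units, fee_bps):
    """Fee in USD units; the rounding direction is explicit, not accidental."""
    return div_half_up(value_units * fee_bps, 10_000)


def float_sum(fill_btc, n):
    """Total of n equal fills using binary floating point."""
    return sum([fill_btc] * n)


def int_sum(fill_text, n):
    """Total of n equal fills using integer satoshis."""
    return sum([to_units(fill_text, SAT)] * n)


if __name__ == "__main__":
    print("float: ten 0.1 BTC fills equal 1 BTC?", float_sum(0.1, 10) == 1.0)
    print("int:   ten 0.1 BTC fills equal 1 BTC?", int_sum("0.1", 10) == SAT)
    value = trade_value(to_units("0.5", SAT), to_units("100.00001", USD_SCALE))
    print("value units:", value, "fee units at 25 bps:", fee(value, 25))
```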