Bitcoin Forum
December 06, 2016, 12:33:09 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 [3]  All
  Print  
Author Topic: Is this a security issue? Massive worker un & pw list found through google ...  (Read 3448 times)
iamzill
Full Member
***
Offline Offline

Activity: 139


View Profile
September 23, 2011, 01:24:07 AM
 #41

That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts passwords unencrypted, i hope your not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? you can still encyrpt with base64 and a salt code that is kept hidden
They probably thought worker passwords wasn't "important" enough.


They aren't "important", they are a mere formality.
And yet several people already had their email account compromised.

The lesson here is that every password the user types is important, because when you have a million users there is at least one dumb-ass who use his PIN number as his password everywhere.
1481027589
Hero Member
*
Offline Offline

Posts: 1481027589

View Profile Personal Message (Offline)

Ignore
1481027589
Reply with quote  #2

1481027589
Report to moderator
1481027589
Hero Member
*
Offline Offline

Posts: 1481027589

View Profile Personal Message (Offline)

Ignore
1481027589
Reply with quote  #2

1481027589
Report to moderator
1481027589
Hero Member
*
Offline Offline

Posts: 1481027589

View Profile Personal Message (Offline)

Ignore
1481027589
Reply with quote  #2

1481027589
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481027589
Hero Member
*
Offline Offline

Posts: 1481027589

View Profile Personal Message (Offline)

Ignore
1481027589
Reply with quote  #2

1481027589
Report to moderator
1481027589
Hero Member
*
Offline Offline

Posts: 1481027589

View Profile Personal Message (Offline)

Ignore
1481027589
Reply with quote  #2

1481027589
Report to moderator
hollajandro
Member
**
Offline Offline

Activity: 83


View Profile
September 23, 2011, 02:45:39 AM
 #42

That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts passwords unencrypted, i hope your not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? you can still encyrpt with base64 and a salt code that is kept hidden
They probably thought worker passwords wasn't "important" enough.


They aren't "important", they are a mere formality.
And yet several people already had their email account compromised.

The lesson here is that every password the user types is important, because when you have a million users there is at least one dumb-ass who use his PIN number as his password everywhere.

I'm pretty sure that responsibility lies with the user themselves. After all, if you use the same key for your car, house, boat, storage unit, etc. who's fault is it really? Maybe it's time to start a business doing compromised password insurance...
RandyFolds
Sr. Member
****
Offline Offline

Activity: 434



View Profile
September 23, 2011, 03:10:42 AM
 #43


And yet several people already had their email account compromised.

The lesson here is that every password the user types is important

...only if they are an idiot. If you operate by the 'no child left behind' policy, you end up with a whole classroom full of simpletons.



Side note: the pool I use (ArsBitcoin) states in bolded red text that worker names and passwords are stored as plaintext.

▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
▓▓ ONEDICE.ME ▓▓▓▓▓ BEST DICE EXPERIENCE ▓▓▓▓ PLAY OR INVEST ▓▓▓▓▓▓
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
iamzill
Full Member
***
Offline Offline

Activity: 139


View Profile
September 23, 2011, 04:04:26 AM
 #44

That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts passwords unencrypted, i hope your not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? you can still encyrpt with base64 and a salt code that is kept hidden
They probably thought worker passwords wasn't "important" enough.


They aren't "important", they are a mere formality.
And yet several people already had their email account compromised.

The lesson here is that every password the user types is important, because when you have a million users there is at least one dumb-ass who use his PIN number as his password everywhere.

I'm pretty sure that responsibility lies with the user themselves. After all, if you use the same key for your car, house, boat, storage unit, etc. who's fault is it really? Maybe it's time to start a business doing compromised password insurance...

Yes, of course it's the user's responsibility. That's why I called those one-in-a-million users "dumb-asses".

But if the coder is too lazy to spare one line of code to encrypt a useless password then I wouldn't trust that same coder to process my transactions.

By the end of the day, this is yet another security breach and another blow to the credibility of Bitcoins. Whether you used nofeemining or not, whether you chose strong passwords or not doesn't matter, because you were still hurt by this security breach.
makomk
Hero Member
*****
Offline Offline

Activity: 686


View Profile
September 23, 2011, 09:20:16 AM
 #45

Even so, why have them saved as plain text at all? you can still encyrpt with base64 and a salt code that is kept hidden
Not trivially; I don't think pushpoold supports storing worker passwords as anything other than plaintext.

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
error
Hero Member
*****
Offline Offline

Activity: 574



View Profile
September 23, 2011, 10:20:45 AM
 #46

Wait, why do mining workers even HAVE passwords?

15UFyv6kfWgq83Pp3yhXPr8rknv9m6581W
nmat
Hero Member
*****
Offline Offline

Activity: 602


View Profile
September 23, 2011, 10:23:35 AM
 #47

Wait, why do mining workers even HAVE passwords?

I also never understood this...
bitclown
Full Member
***
Offline Offline

Activity: 186


View Profile
September 23, 2011, 10:27:32 AM
 #48

Wait, why do mining workers even HAVE passwords?

I also never understood this...
To prevent others from abusing your account. Pools will ban misbehaving users.
Pages: « 1 2 [3]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!