Bitcoin Forum
Author Topic: BITTREX account HACKED - having 2FA ON  (Read 147 times)
valgal312 (OP)
Newbie
Activity: 29
Merit: 0
January 28, 2020, 11:27:59 AM
 #1

BITTREX account HACKED - having 2FA ON

Today I logged into Bittrex to see that my account has almost no balance.

I checked my WITHDRAWAL HISTORY and saw that on 2020/01/24 21  there was a transaction of a lot of ETH.

There are many problems here:
1. I did not have any Bittrex Login Notification email on 2020/01/24 (which means I did not log in or take any login action on Bittrex at that time)
2. I still have my 2FA on
3. I did not have any sessions using Bittrex at that time
4. I did not change or disable my 2FA for months, until now.

I feel very sad that I logged in to my Bittrex rarely these days, being confident that my 2FA would keep my Bittrex safe. I still don't understand how hackers could log in to my account without 2FA or triggering a notification email, and perform 3 transactions without needing to input my 2FA.

I am very confused right now as my altcoins were bought at a low price, and I am holding my bags. I logged in today to refresh my orders, and what I got was an empty account.
Lost more than 10000 USD, be careful with Bittrex... huge disappointment (((

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18509
January 28, 2020, 12:39:55 PM
 #2

There are multiple ways that 2FA can be bypassed. It isn't the 100% guaranteed safety net that most people imagine it to be. What type of 2FA were you using? Email, SMS, authenticator app?

If you usually receive a notification email, and you say you didn't get one, then I would check that your email hasn't also been hacked and the attacker deleted the email before you could see it. If this is the case, then it's also possible the attacker used access to your email account to disable or change your 2FA settings.

Does Bittrex provide you with logs of account activity? Can you check when your account was accessed and the relevant IP addresses?

I'm sorry for the loss of your coins, but everyone should know by now that storing coins on an exchange is a huge risk, for reasons exactly like this one.
rosezionjohn
Sr. Member
Activity: 882
Merit: 301
January 28, 2020, 12:42:14 PM
 #3

I was browsing the net to see if there was a similar incident before and found this post https://www.reddit.com/r/Bitcoin/comments/8txhex/bittrex_account_hacked_with_2fa_enabled_be_careful/

The same thing could have happened to your account.

Quote
On June the 19th a hacker was able to intrude in my Google account.

1. He stole passwords from "Google Auto Sign-in", a tool I use to automatically sign-in to websites using stored credentials

2. downloaded photos of me and of my passport from Google drive

3. arranged these pictures with Photoshop or some other photo editing program to make a photomontage showing me holding my passport

4. entered in my Bittrex support account and submitted a ticket to disable 2FA security on my account

5. put a rule in my gmail to filter all messages from Bittrex and send them directly into the trash bin.

6. At the request of identity verification he just posted 2 photomontages one showing me holding a paper sheet reading "bittrex 19.06.2018 Please disable 2FA" and another one showing me holding my passport.

It looks to me that you are a seasoned trader that needs no reminding of "not your keys, not your funds". I assume that you already contacted the bittrex support team and why they allowed the 2FA. May I ask if your email was also changed?
valgal312 (OP)
Newbie
Activity: 29
Merit: 0
January 28, 2020, 02:43:12 PM
 #4

Quote
There are multiple ways that 2FA can be bypassed. It isn't the 100% guaranteed safety net that most people imagine it to be. What type of 2FA were you using? Email, SMS, authenticator app?

If you usually receive a notification email, and you say you didn't get one, then I would check that your email hasn't also been hacked and the attacker deleted the email before you could see it. If this is the case, then it's also possible the attacker used access to your email account to disable or change your 2FA settings.

Does Bittrex provide you with logs of account activity? Can you check when your account was accessed and the relevant IP addresses?

I'm sorry for the loss of your coins, but everyone should know by now that storing coins on an exchange is a huge risk, for reasons exactly like this one.

I use Google Authenticator.
Yes, Bittrex provides such activity logs. There is fixed another IP from another country
valgal312 (OP)
Newbie
Activity: 29
Merit: 0
January 28, 2020, 02:45:25 PM
 #5

Quote
I was browsing the net to see if there was a similar incident before and found this post https://www.reddit.com/r/Bitcoin/comments/8txhex/bittrex_account_hacked_with_2fa_enabled_be_careful/

The same thing could have happened to your account.

Quote
On June the 19th a hacker was able to intrude in my Google account.

1. He stole passwords from "Google Auto Sign-in", a tool I use to automatically sign-in to websites using stored credentials

2. downloaded photos of me and of my passport from Google drive

3. arranged these pictures with Photoshop or some other photo editing program to make a photomontage showing me holding my passport

4. entered in my Bittrex support account and submitted a ticket to disable 2FA security on my account

5. put a rule in my gmail to filter all messages from Bittrex and send them directly into the trash bin.

6. At the request of identity verification he just posted 2 photomontages one showing me holding a paper sheet reading "bittrex 19.06.2018 Please disable 2FA" and another one showing me holding my passport.

It looks to me that you are a seasoned trader that needs no reminding of "not your keys, not your funds". I assume that you already contacted the bittrex support team and why they allowed the 2FA. May I ask if your email was also changed?


Mail has not been changed. Anyway, today I logged into my account through it.
o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18509
January 28, 2020, 02:51:17 PM
 #6

Quote
I use Google Authenticator.
Yes, Bittrex provides such activity logs. There is fixed another IP from another country

Presumably you also use Google as an email provider then? I would change your password and reset all permissions it has as soon as possible.

If someone has access to your Google email address, then they can log in to your account and create new back-up codes for your 2FA. Using these back-up codes they can then duplicate your 2FA on their own device by following these steps: https://support.google.com/accounts/troubleshooter/4430955?hl=en#ts=4430956. If they did hack your email, then it is also trivial for them to reset your Bittrex password through it, and to hide all their activities from you by filtering Bittrex emails. They wouldn't change your email or account passwords since that would be more likely to draw your attention.

It would also be worth contacting Bittrex and making them aware of the hack, although I doubt very much anything will come of it.
valgal312 (OP)
Newbie
Activity: 29
Merit: 0
January 28, 2020, 06:25:51 PM
 #7

Quote
Quote
I use Google Authenticator.
Yes, Bittrex provides such activity logs. There is fixed another IP from another country

Presumably you also use Google as an email provider then? I would change your password and reset all permissions it has as soon as possible.

If someone has access to your Google email address, then they can log in to your account and create new back-up codes for your 2FA. Using these back-up codes they can then duplicate your 2FA on their own device by following these steps: https://support.google.com/accounts/troubleshooter/4430955?hl=en#ts=4430956. If they did hack your email, then it is also trivial for them to reset your Bittrex password through it, and to hide all their activities from you by filtering Bittrex emails. They wouldn't change your email or account passwords since that would be more likely to draw your attention.

It would also be worth contacting Bittrex and making them aware of the hack, although I doubt very much anything will come of it.

I used different mailboxes... for Bittrex the email was not from Google...
Yes, I contacted Bittrex. They conducted an investigation in 2 hours, accused me of having probably visited a phishing site, said that they were very sorry and asked me not to disturb them anymore... but didn't explain how thieves walked around 2FA... huge disappointment
TheUltraElite
Legendary
Activity: 2870
Merit: 1220
January 29, 2020, 06:52:37 AM
 #8

Quote
Yes, I contacted Bittrex. They conducted an investigation in 2 hours,
2 Hours, that is pretty fast considering the time I have seen being posted here from internal investigations on exchanges.

Quote
accused me of having probably visited a phishing site,
"Probably" visited? Can you provide the source of this information? 2FA should protect from phishing sites. If you get phished you lose your login credentials.

Does anybody know if inserting 2FA on the phishing site allows the phishing site to decrypt the algorithm of the number generation?

Quote
said that they were very sorry and asked not to disturb them anymore...but didn’t explain how thieves walked around 2FA... huge disappointment
Sorry for your loss but if you got phished then the fault does lie on your side to some extent. Bottom line is that you should bookmark these sites before you start using them and nothing really done about the money even if you are telling the truth.

Bttzed03
Legendary
Activity: 2114
Merit: 1149
January 29, 2020, 07:58:15 AM
 #9

^ I don't know if it's even possible to decrypt and I agree with you that the 2FA should protect users from those phishing sites. Looking at Bittrex's security guide, it's exactly what they recommend to help avoid hacks/unauthorized logins:

Quote
Please be aware that there are phishing sites on the Internet that look like Bittrex.  These sites are fake and harvest your credentials which can then be used to login to your account.  These sites will capture many different things including, username, password, 2FA code, and possibly even ask you for your email username and password.  Bittrex will never ask you for your email username and password, so please never enter those on any login that looks like a Bittrex site.

We highly recommend users enable two-factor to further secure their accounts and protect them from most automated attacks.  However, many users will still use the same passwords and email combinations they use on other sites as well as weak password to protect their accounts.  Bittrex keeps your user information secure and has never leaked any passwords.  However, many sites in the Crypto world have been hacked and the hackers have databases that they attempt to use to login to accounts.  This is why we suggest enabling two-factor.

@OP, try to use the above argument if you still want to talk to the bittrex support. They shouldn't be asking you not to bother them anymore without giving you a better explanation.
magneto
Hero Member
Activity: 1666
Merit: 753
January 29, 2020, 10:41:54 AM
 #10

I've seen a lot of these cases before, so you are not the first one.

It could be very possible that the hacker simply had access to a lot more than you imagine, including your email which wiped away the login notifications. How exactly he was able to obtain the 2FA, I don't know, but have you had anyone over that could be a potential suspect?

Anyhow, don't count on bittrex giving you a refund for this or whatever, because they will simply create moral hazard in the sense that in the future, people will simply expect them to do the same to them.
joniboini
Legendary
Activity: 2184
Merit: 1789
January 29, 2020, 11:28:09 AM
 #11

This will be a difficult case to win. They'll probably argue that you probably input your secret key somehow on a phishing site which is why 2FA didn't help you. But of course, this is a weak argument since they can't give proof for it.

Quote
Does anybody know if inserting 2FA on the phishing site allows the phishing site to decrypt the algorithm of the number generation?

No. A different story would happen if the hacker got the key that was used to bind the 2FA. But, I'm not sure if OP is stupid enough to give away that to a random site even if it looks identical to Bittrex website. After all, no exchange would request your 2FA key again if you login from a new IP.

TheUltraElite
Legendary
Activity: 2870
Merit: 1220
January 29, 2020, 11:38:58 AM
 #12

Quote
No. A different story would happen if the hacker got the key that was used to bind the 2FA. But, I'm not sure if OP is stupid enough to give away that to a random site even if it looks identical to Bittrex website. After all, no exchange would request your 2FA key again if you login from a new IP.

What if the OP did give away the 30-60 second key to the phishing site? More than once maybe? Does that give the hacker enough data as to compute the next 2FA code? It is recommended not to "give" your 2FA to a fraud caller - similar is the case here if you draw an analogy as the phishing site as a fraud caller.

Once the hacker has that the login id is already given away and so they have complete access to the account.

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18509
January 29, 2020, 11:40:15 AM
 #13

Quote
Does anybody know if inserting 2FA on the phishing site allows the phishing site to decrypt the algorithm of the number generation?

No, it doesn't.

When you set up a 2FA app, you set up a shared secret between your app and the service in question. This is usually done by the service displaying a QR code which you scan with your phone. When you want to generate a (usually) 6 digit code, then your phone takes the current time (usually floored to the nearest 30 second interval), combines it with the shared secret, hashes it, and then uses that result to convert to the 6 digit code you enter. Since hashing is a one way process, even if an attacker had multiple codes and associated timestamps, they couldn't reverse the process to discover your shared secret.

If an attacker was otherwise able to access your shared secret though, then it would be trivial for them to bypass your 2FA. In the past, phishing sites have also instantly used (i.e. within the 30 second window) any usernames/passwords/2FA codes entered in to them on the real site.
valgal312 (OP)
Newbie
Activity: 29
Merit: 0
January 31, 2020, 07:20:48 AM
 #14

A phishing site is nonsense. Bittrex is in my bookmarks. The tab has not been closed for more than two years. They just have nothing more to say. It’s my fault anyway. I think there was a computer hack. Bittrex money was withdrawn to MEW belonging to me. It is funny and sad at the same time. Lol
pooya87
Legendary
Activity: 3444
Merit: 10530
February 02, 2020, 04:24:56 AM
 #15

Quote
Yes, I contacted Bittrex. They conducted an investigation in 2 hours, accused me of having probably visited a phishing site, said that they were very sorry and asked me not to disturb them anymore... but didn't explain how thieves walked around 2FA... huge disappointment

bittrex is a scam exchange and has stolen millions of dollars worth of cryptocurrencies from its users in the past. you can see the trust history of the bittrex announcer here  https://bitcointalk.org/index.php?action=trust;u=96390
it wouldn't be surprising if you were manually selected to be scammed by their team. they are desperate for money these days too since they keep losing revenue. their total volume keeps declining every month, they have to stay alive somehow...
