Protect Your Account

[Casdinyard]

**Also posted in Meta but sharing here too. Even if it helps one person it’s worth it**

How exactly was he hacked? Even I myself shows publicly my email address, yet encountered no issues of hacking nor anything so far. Maybe he had entered it in a website where they had data breach, or his password wasn't that kinda strong. There can be alot of prevention that can be done by BitcoinGirl.Club in his ends.

I guess this kind of thread and other thread that are helpful and must be pinned here in Beginners and Help board. Suggesting such actions isn't that kind of helpful if and only if the other newbies preferred nor haven't read issues with regards to hacking accounts even from a simple email. With regards to that, I also see the following as a good suggestion to the forum itself:

Limiting the Newbie's capability to reply on certain thread. How? They could only see pinned posts for approximately 3 to 5 days (depending on the forum management) upon their registration. Hence, all of necessary rules, regulations, and reminders would and must be read by the newbies before they can have the rights to reply on threads.

• ADVANTAGE/s: issues with regards to users (even older ones), that they either plagiarize, spam, burstpost, necro-bump, and any other violations that they aren't aware of, would be lessen. Chances of such prohibited activities might be eradicated once the rule would be implemented. Hence, any other issues such as the hacking matter indicated by the OP would be avoided. This would also make build a better community as this forum grows around the world.
• DISADVANTAGE/s: They need to spend days before making use of their account, and I think there's nothing more, nothing less.

Some might find this an awful suggestion, but with increasing cases of spamming, burst-posting, scamming, necro-bumping, and any other prohibited actions, then I guess we must start from the basics, by reading necessary threads such as rules and regulations and reminders for a safer account and environment.

If requested to transfer this to meta as another thread, I would be delighted to do so.

[Coyster]

How exactly was he hacked? Even I myself shows publicly my email address, yet encountered no issues of hacking nor anything so far. Maybe he had entered it in a website where they had data breach, or his password wasn't that kinda strong. There can be alot of prevention that can be done by BitcoinGirl.Club in his ends

It is in the op, and was also explained by few users after the op, his account wasn't hacked because of his email was visible to other users, but it seems he uses the same email on the forum for other purposes, so hackers sent him a malware in the form of a link which he clicked, that gave them access to the account and the powers to request for a reset of his password.

Limiting the Newbie's capability to reply on certain thread. How? They could only see pinned posts for approximately 3 to 5 days (depending on the forum management) upon their registration. Hence, all of necessary rules, regulations, and reminders would and must be read by the newbies before they can have the rights to reply on threads.

Limiting newbie participation is very harmful for a community. Newbie jail will never return: I consider the newbie-jail period to have been extremely damaging to the forum. When barriers to participation are too high, then the best people often just won't go to the trouble of joining, and the people who are willing to jump through the hoops are often people who aren't good for the community: people with nothing better to do, scammers, get-rick-quickers, etc. Having a permanent newbie jail policy would improve things a lot in the short-term, but would end up being a fatal poison to the community.

[Maus0728]

Good suggestion. First of all, I have used two email addresses for my bitcointalk account. One used for registered and after I changed the email to another address to get notification from the forum. So if in case my bitcointalk account got hack, I will be able to recover my account from registered email and sign address.

Wait? Isn't it that the email you have used for registration and receiving notifications is the same? You cannot use your former email for password recovery if you changed it for a newer one thus, your notifcations and password change request can only be received in the new email address. 

[Coyster]

Good suggestion. First of all, I have used two email addresses for my bitcointalk account. One used for registered and after I changed the email to another address to get notification from the forum. So if in case my bitcointalk account got hack, I will be able to recover my account from registered email and sign address.

Wait? Isn't it that the email you have used for registration and receiving notifications is the same? You cannot use your former email for password recovery if you changed it for a newer one thus, your notifcations and password change request can only be received in the new email address.  

That should be it, email used for registration would not count as long as you've changed your forum email address to a new/different one, the forum afaik doesn't use two email options, users only have the option to change the email when they want to; email used for registration becomes useless once changed and you can't reset password or receive any notification through it.

[lovesmayfamilis]

**Also posted in Meta but sharing here too. Even if it helps one person it’s worth it**

How exactly was he hacked? Even I myself shows publicly my email address, yet encountered no issues of hacking nor anything so far. Maybe he had entered it in a website where they had data breach, or his password wasn't that kinda strong. There can be alot of prevention that can be done by BitcoinGirl.Club in his ends.

There can be many options, but the fastest way that comes to mind is that a virus has been caught. A virus that steals browser logs. And since most likely the owner had one browser, which he often used, and did not erase cookies after each session, all the logs were transferred to the hacker.
A lot of information can be stored in one log. Starting from location data, and computer processor, and ending with passwords for mails, forums, bank cards. If a keylogger was installed in the system, then everything that the owner of the browser pressed was available to the hacker.
How to avoid such viruses, I think everyone has long understood, do not download anything from the Internet, use antivirus software, and other protections. You also need to erase all your cookies after each session and use different browser profiles for different tasks.
After such a data theft situation, you need to reinstall the operating system. Or reinstall the browser again.

https://www.kaspersky.com/blog/browser-data-theft/27871/
https://www.zdnet.com/article/raccoon-malware-targets-massive-browser-range-to-steal-your-data-and-cryptocurrency/

[jademaxsuy]

Good suggestion. First of all, I have used two email addresses for my bitcointalk account. One used for registered and after I changed the email to another address to get notification from the forum. So if in case my bitcointalk account got hack, I will be able to recover my account from registered email and sign address.

Wait? Isn't it that the email you have used for registration and receiving notifications is the same? You cannot use your former email for password recovery if you changed it for a newer one thus, your notifcations and password change request can only be received in the new email address. 

Yeah, I do not get the point also on why it had two email ad on bct. I know that it could be change depending on the preference of the owner to change or not the email being registered in bct but once it change it only allow one email for a certain user to use to recover his account. This is why I got confused. Anyway, whatever he mean to that reply seems like hes mading it up so that without basing anything that could make the statement worth.

[LFC_Bitcoin]

He was hacked because the hacker sent him a phishing email I believe, he clicked a link & there we go.
Certain people are working behind the scenes, trying to figure out who it was.

[yazher]

Oh, that man really messed it up in just one night. I think the hacker got it all cleared after the owner of the account has fallen to sleep. This something I knew before when I was a newbie in the industry. Once they know the email address you are using, You just give them a 50% chance to steal your account. The good thing is, most of the users are already hide their email add in their profile. He can regain back his account since he maybe has the necessary information to give the Cryptios.

Find more information here to know about the Cryptios:  https://bitcointalk.org/index.php?topic=5143439.0

[Harlot]

Yes, the "hide email address from public" flag is on by default (meaning hidden), but I guess people are used to being rather social, and switch it of in many cases (some are business relate, and therefore deliberately conscious). Going through a profile DB I have with 2.481.270 profiles, almost 56k accounts had an associates visible email.

I figure though that BitcoinGirl.Club’s case is not down to the email being visible on the profile (I don’t think it was, and Archieve sites seem to show it as hidden historically, right up to a snapshot from a couple of days ago). It looks more like some malware got installed after following a link.

So this answers my question in his post in the meta section. I don't think most of them unhiding their email is a social move but more of a business move to me, the mistake members do by showing their email is of course their email that they are showing is also their email to their account in BCT which is the wrong move. Showing your BCT account email will only put targets at your back and you will be vulnerable to numerous phishing attempts by doing so. If you have a separate email for business transactions then it would be easier for you to filter out the fraud emails you are receiving.

[dondonk]

**Also posted in Meta but sharing here too. Even if it helps one person it’s worth it**



If you haven’t already then follow these steps to make your email address hidden -

- Click Profile at the top of your browser
- Under Modify Profile on the left click Account Related Settings
- Make sure the circled box is ticked (example email address is not mine)



Safe surfing & fuck hackers!

Also make sure you are on a secure network wherever it is. In some cases, hackers hack networks to get usernames and passwords from our accounts. this often happens in public places.

[taufik123]

Also, enable additional security such as 2fa in the email used in this forum. And use different email and passwords with accounts on forums or other social media.
And then I suggest not to use the Secret Question in Account Related Settings.

The reason for not suggesting the use of secret questions may be because, this feature will automatically lock the account when trying to recover passwords using the Secret Question Method. Because I have experienced this, when I forget my password and want to change it, then I use a secret question that I have previously set, the result is my account is locked.

2FA email might be very helpful for securing email, I have also implemented it.

[DdmrDdmr]

<...>

I enable the secret question pretty soon (probably during the account creation procedure), and later came to read that resorting to its use would indeed lock your account, being the unlocking procedure not immediate nor trivial. As such, I left the secret Q/A there, on the profiles, but often felt like I really wanted to delete it (having a signed message on the appropriate thread seemed more fitting). It took me ages to delete it, but it’s really rather trivial:

<...> I had this step (deleting my secret question) pending for ages, and it has not been until now that I’ve gone ahead with it. Just a minor observation: Since the Answer is displayed as blank, you can’t really delete the content of the field. I therefore deleted the question, assumed that the answer deletion would be deleted, and hoped for the best. Logging out and back in again works fine, so I figure that was all that was required (+ > Enter your "Current Password" > Click "Change profile" button <…> as you stated).

[Rosilito]

Also, enable additional security such as 2fa in the email used in this forum. And use different email and passwords with accounts on forums or other social media.
And then I suggest not to use the Secret Question in Account Related Settings.
-

The reason for not suggesting the use of secret questions may be because, this feature will automatically lock the account when trying to recover passwords using the Secret Question Method. Because I have experienced this, when I forget my password and want to change it, then I use a secret question that I have previously set, the result is my account is locked.

2FA email might be very helpful for securing email, I have also implemented it.

I was going to ask on why enabling secret question wasn't a good idea 'cause it confused me (when it was designed to help you for retrieving your account password), and then I see this. Thanks for the input though. I was wondering few days ago if I should make one for myself but I think, I should withdraw from doing it so now  .

[taufik123]

I enable the secret question pretty soon (probably during the account creation procedure), and later came to read that resorting to its use would indeed lock your account, being the unlocking procedure not immediate nor trivial. As such, I left the secret Q/A there, on the profiles, but often felt like I really wanted to delete it (having a signed message on the appropriate thread seemed more fitting). It took me ages to delete it, but it’s really rather trivial:
-snip-

Locking the account after doing the forgot password method with a Secret Question is intended so that the person doesn't easily open the account.
Just imagine if a scammer who knows about the secret quest that we have previously set up, locks the account to further secure the account itself.
The impact of being locked into an account will be uncomfortable when the user does it himself. To try to open a locked account I created another account and contacted the moderator via PM Bitcointalk and also contacted the bitcointalk recovery team via email. I can open my account in just a few hours.

ACCOUNT LOCKED FIX PROBLEM

I sent a message to the email that was printed when the account was locked and the bitcointalk recovery team responded well.

I was going to ask on why enabling secret question wasn't a good idea 'cause it confused me (when it was designed to help you for retrieving your account password), and then I see this. Thanks for the input though. I was wondering few days ago if I should make one for myself but I think, I should withdraw from doing it so now  .

You are better off avoiding activating Secret Questions and using other security.
In order for you to prove that the account is your account, you need to do SIGNED MESSAGE BITCOIN ADDRESS, as DdmrDdmr

-snip-(having a signed message on the appropriate thread seemed more fitting).

You can do it here.
Stake your Bitcoin address here
https://bitcointalk.org/index.php?topic=996318.0

[masulum]

You are better off avoiding activating Secret Questions and using other security.

This is true, I have experience to use this feature in the past. I can take over user account just because they are put a real jobs in his life. Of course what i do just for security reason not for hacking. So i told him to deactivate the feature and change it to use SMS verification in case he lost his account. Secret question has limited answer, when we choose the name of family someone can know it, using jobs, someone also can find it. So if we want to safe from hacking. if we put a fake information, we can forget about it. That why i never activate any secret questions again.

[hatshepsut93]

It's scary to think that you can get malware or get your account hacked just by clicking on a link. Browsers are supposed to be a safe environment that can's just so easily be used as a vector for getting hacked by simply visiting a site. Perhaps there's an XSS or XSRF vulnerability on the website of OP's email provider - that could be an easy explanation for what happened. In that case an addon like NoScript can help reduce the risk, as long as you don't manually allow scripts on the malicious site.

[Lordhermes]

I’d like to presume that people that engage in airdrops and bounties, some of which require an email, are not providing their forum’s registry email (and preferably, they’d be using an email solely for these purposes, with no ties to anything else). Bounties and airdrops subscriptions end-up either being publicly visible in posts and lists, or used for any sort of purpose once obtained. That is a complementary, and probably more frequent malpractice, to displaying the email on the user’s profile.

Yes exactly, those set are have many accounts registered here but no mind of email protection from public because of the purpose of the accounts.
I have never thought hackers steals via email in as much as there's is no availability of password to email with them or something.

[alik111]

This is a great way for preventing scammers.But what about the bounty hunters?
They are very unconscious about their personal information and scammers can easily reach their sensitive information like email and social accounts.

So my advice is to be experienced and to be learnt about scammers and always use best protection.

[Husna QA]

I was going to ask on why enabling secret question wasn't a good idea 'cause it confused me (when it was designed to help you for retrieving your account password), and then I see this. Thanks for the input though. I was wondering few days ago if I should make one for myself but I think, I should withdraw from doing it so now  :D.

Secret questions can be used if you forget your login password. As mentioned before, this will result in the account being locked, and to recover it, you must be able to prove ownership of the account by showing the PGP key or Bitcoin address associated with the account and signing it.
https://bitcointalk.org/index.php?topic=5089777.msg48896084#msg48896084

And if you are already using a secret question, then want to disable/reset it, leave it blank. Make sure everything is empty; no whitespace or invisible characters.

Yes, just keep it blank. Make sure that the secret question area isn't full of whitespace characters. (Spaces don't count, but some other whitespace/invisible characters do.)

[samputin]

<...>

<...>

My simple advice for you guys is to never use the emails you already used in signing up to this forum, wallets or others with confidetial infos. Because the more you used it, the more prone it become against phishing attacks or other means of hacking. Making email addresses is now as easy as 1 2 3 so don't be hesitate to create a new one for vulnerable places.

That's what I actually do now—having multiple accounts for different purposes. I just feel more secured that way, and also having 2FA in all of them. I just struggle in remembering which email address I used in what. So I make sure I write it all in my notebook or in the notes app in my phone. Don't know if that's advisable to everyone but it works just fine with me.