Ping out to Artemis3 and see if he can help you or at least point you towards someone who might be able to. If not, just keep pinging out to the general help people; eventually someone might do something. Surprised that they don't have a confirmation email when adding 2FA, that is usually a standard thing to do.
Good luck.
-Dave
I will! Thank you!
Honestly another standard practice would be denying the login due to the new geolocation they tried logging in from. A "New sign in detected from IP XXX, please confirm" email would have prevented this entire thing from occurring.
So what you "think" becomes reality somehow?
You must prove ownership of the account. If you managed to block the payments before they stole anything, it is safe. If they had taken the money out, it would be goodbye as Bitcoin transactions are final.
Now prove it, and follow whatever instructions they ask you to do. Because any random stranger can make a claim like yours, trying to steal someone else's money just pretending they "lost their password" or got "hacked" (social engineering).
From the back and forth I had with slushpool support, the only option they propose is to get access to an extremely old wallet. Again, most likely a deposit wallet on BTCe (you know, the one that got shut down), or an old bitcoin wallet that's since been deleted over the course of 4 Windows reinstalls and 2 computer upgrades. It was 8 years ago...
So, how did they get your "password" in the first place? Seems you failed to perform basic computer security practices.
Of course they ask you to sign a message with your wallet, isn't that an obvious proof of wallet ownership? What were you doing using a "custodial" (online) wallet in the first place?
Not your keys, not your money. How many years has this been repeated?
Yes yes, I understand it was my fault for not taking care of the old account. As for how the password got out, it got leaked during a data breach... a few years ago? Not sure the exact one. It was leaked in plain text too, not just hashes. I've since changed my password and enabled 2FA on all accounts I can think of, but unfortunately missed this one, cause... like I said, I forgot about this slushpool account. My bad.
Well that doesn't help things either. What makes Slush Pool recognize YOU as the legitimate owner? I wonder if your claim is even real or you are just spreading FUD.
I have access to the original email that registered the account, with the “New account confirmation” from mining.bitcoin.cz dating back to 2013. And, this may be coincidental timing, but I just received an email yesterday asking to purchase my mail box.
https://i.imgur.com/STi5E9B.png
Duh? How about not letting your password fall in the wrong hands? You think there are no incidents where they won't exploit "email 2fa" as well? Sometimes the existence of weak "password recovery security questions" set to your email provider are precisely the vector for penetration.
Or is it that you actually need this vector to exploit it? Nice try... Yeah, some people actually need 2fa enabled to be able to penetrate...
If you want to give advice to others, start with the basics: Use your own wallet, let's repeat it until you get it:
Not your keys, not your money.
Oh and, basic password security practices, because you are putting the cart before the horse, protecting the password is more important than relying on 2fa.
The best practice is to keep all accounts using different passwords. Which is precisely why the compromiser couldn’t access my email. On slushpool, to change password, change email, change wallet, all require email confirmation. But adding 2FA FIDO (physical device, not email 2FA) apparently does not require it.
So the unknown device that accesses your account is using a Samsung device? A mobile phone?
And added a Hardware authentication?
What exactly do you see on U2F on the settings? It should have the name of the hardware device. I never heard of any U2F FIDO that supports mobile except only one hardware device through NFC.
No, he/she linked a Samsung device. It’s apparently used to monitor the user account with a mobile app. I unlinked it without a problem.
This is what I see in the security tab:
https://i.imgur.com/IyumBAy.png
The bad thing here is if you own that account why didn't you add 2FA authentication? That's the bad practice to protect your account and actually, that is the basic thing to do to protect your account.
And I think you won't be able to add hardware authentication without Email access unless the hacker also has access to your Email and password?
No, he does not have access to my email. Otherwise those BTC would be gone already. Also it appears the person wants to purchase my mail box (or it could be coincidental timing).
From memory the account has so little BTC, it was below the payout threshold (this was over 8 years ago), so I just forgot about it. It’s my fault for forgetting about it, but still, point of this post is to give a heads up there’s no geolocation check on login, nor email confirmation when adding 2FA FIDO (physical device).
Let's start with YES the OP fucked up.
But Slush / Braiins is also doing it wrong.
You can set up an account at Slush and never add 2FA. (OP's mistake)
If someone gets your username & password they can then add a YubiKey or other form of 2FA WITHOUT any other form of checking (i.e. an email asking if you want to do this).
In theory, if you get a hold of someone's user / password but nothing else, you would not be able to withdraw, since THAT requires an email. But you could change their payout address and add a 2FA device that they do not have access to, more or less locking them out of their BTC.
Just about every other place I have used either FORCES 2FA in the beginning, or you get a verification email / text / whatever before adding the 2nd.
-Dave
Yes and that's what this post is really about. If you're using slushpool and don't have 2FA FIDO, please be sure to add one!
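The control this thread says is missing (an email confirmation before a new FIDO device is enrolled, the same as for password, email and wallet changes), sketched as an added example that is not part of the original posts and not Slush Pool's code. The action names, the signing key and the account dictionary are assumptions made for illustration.

```python
import hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed; a real service loads this from a secret store
TOKEN_TTL = 15 * 60               # seconds a confirmation link stays valid
# Hypothetical action names; each one needs a link sent to the registered email.
SENSITIVE = {"change_password", "change_email", "change_wallet", "add_fido_device"}

def _mac(user, action, detail, ts):
    # JSON-encode the fields so a crafted value cannot shift field boundaries.
    msg = json.dumps([user, action, detail, ts]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(user, action, detail, now=None):
    """Token to embed in the confirmation email for one pending action."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_mac(user, action, detail, ts)}"

def confirm(user, action, detail, token, now=None):
    """True only if the token is fresh and bound to this exact user/action/detail."""
    now = time.time() if now is None else now
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    if not 0 <= now - ts <= TOKEN_TTL:
        return False
    expected = _mac(user, action, detail, ts)
    return hmac.compare_digest(mac.encode(), expected.encode())

def apply_action(account, action, detail, token=None, now=None):
    """Apply a change; sensitive ones stay pending without a valid, unused token."""
    if action in SENSITIVE:
        used = account.setdefault("used_tokens", set())
        if not token or token in used or not confirm(
                account["user"], action, detail, token, now):
            return "pending_email_confirmation"
        used.add(token)
    account.setdefault(action, []).append(detail)
    return "applied"
```

Because the token is bound to the exact device being enrolled and can be used once, someone holding only the leaked password cannot complete the enrollment or reuse a confirmation meant for a different change.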