Bitcoin Forum
Author Topic: BitMarket.Eu has closed down  (Read 203815 times)
monstrs
Hero Member
*****
Offline Offline

Activity: 555
Merit: 504



View Profile
October 09, 2012, 04:06:17 PM
 #461

At least for me it's not related to mtgox, I have a different password there.

Lost 3.459 BTC today and 3.15548913 BTC 4 days ago; I hope that bitmarket will refund all involved.


If someone is not informed: https://bitcointalk.org/index.php?topic=115432.0
monstrs
Hero Member
*****
Offline Offline

Activity: 555
Merit: 504



View Profile
October 09, 2012, 04:07:40 PM
 #462

I have more confirmations from other affected users that they used the same login details on Mt. Gox. I still don't want to jump to conclusions, but it smells fishy...

I used a different login on mtgox, and changed the password on all my logins 4 days ago after the 1st loss, so it's not my case.
M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
October 09, 2012, 04:13:59 PM
 #463

I used a different login on mtgox, and changed the password on all my logins 4 days ago after the 1st loss, so it's not my case.

You still didn't explain:
- did you use the same PASSWORD?
- when you changed the password on BitMarket and Mt. Gox, was it the same one, or two different passwords?

Your answers to these questions are critical for me, so please be honest on this. You can PM me this info if you don't want to share it publicly.
Sultan
Full Member
***
Offline Offline

Activity: 214
Merit: 100


View Profile
October 09, 2012, 04:18:53 PM
 #464

I just want to make sure I have the right end of the stick...

Has everybody who deposited bitcoins into bitmarket.eu no longer got access to them? Have they been stolen?
monstrs
Hero Member
*****
Offline Offline

Activity: 555
Merit: 504



View Profile
October 09, 2012, 04:21:53 PM
 #465

I used a different login on mtgox, and changed the password on all my logins 4 days ago after the 1st loss, so it's not my case.

You still didn't explain:
- did you use the same PASSWORD?
- when you changed the password on BitMarket and Mt. Gox, was it the same one, or two different passwords?

Your answers to these questions are critical for me, so please be honest on this. You can PM me this info if you don't want to share it publicly.

PM'ed answers to this.

In short: NO i have not used same passwords in mtgox and bitmarket ever.
M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
October 09, 2012, 04:43:00 PM
 #466

I just want to make sure I have the right end of the stick...

Has everybody who deposited bitcoins into bitmarket.eu no longer got access to them? Have they been stolen?

No. Only a very small subset of user accounts were compromised (about 15 accounts).
SebastianJu
Legendary
*
Offline Offline

Activity: 2674
Merit: 1077


Legendary Escrow Service - Tip Jar in Profile


View Profile WWW
October 09, 2012, 04:57:31 PM
 #467

Can asics(when they are out) or fpga be used to crack these passwords?

Please ALWAYS contact me through bitcointalk pm before sending someone coins.
OneEyed
aka aurele
Full Member
***
Offline Offline

Activity: 154
Merit: 100



View Profile WWW
October 09, 2012, 05:29:20 PM
 #468

In last few days some of BitMarket accounts were compromised. Because it's not just one case, I decided to disable the site until I'm certain how it happened.

From what I can tell now, accounts were accessed normally, using their respective logins and passwords. We store only hashes of our passwords in database, so it's impossible to get them from there.

Are the passwords salted using random salts? If not, rainbow tables are available for common passwords using common hashes, and the hashed passwords may well have been leaked from bitmarket.eu itself, or from a backup or any offline copy. And even if salted, weak passwords may be found using a brute-force dictionary attack against the hashed password list, even if it takes more time.

It looks like at least one user whose account has been hacked was using a unique but weak password. That would match this scenario.

M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
October 09, 2012, 06:16:29 PM
 #469

Are the passwords salted using random salts? If not, rainbow tables are available for common passwords using common hashes, and the hashed passwords may well have been leaked from bitmarket.eu itself, or from a backup or any offline copy. And even if salted, weak passwords may be found using a brute-force dictionary attack against the hashed password list, even if it takes more time.

It looks like at least one user whose account has been hacked was using a unique but weak password. That would match this scenario.

Our password hashes are salted with site-global AND per-user salt.
disclaimer201
Legendary
*
Offline Offline

Activity: 1526
Merit: 1001


View Profile
October 09, 2012, 07:08:08 PM
 #470

I recently sold some bitcoins and wanted to confirm them today. Please let us know what to do.
M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
October 09, 2012, 08:00:37 PM
Last edit: October 10, 2012, 03:05:17 AM by M4v3R
 #471

Official announcement about October 9th issues

In recent days a few of our accounts were compromised. After investigation, I would like to announce that:

- first of all, if you are reading this, and you didn't receive any strange emails lately, then there's no need to worry and your funds are safe.
- less than 20 accounts were affected by this hack, which is a fraction of our user base. By affected I mean accounts with stolen funds.
- the majority of accounts were unaffected by this
- the attacker used the TOR anonymity network, which unfortunately prevents us from tracking him down
- the attacker gained access to these accounts via their respective passwords. How he obtained these remains a mystery to us, but we must note a few key things:
  - we store our passwords securely (to be exact: SHA-256 uniquely salted hashes of passwords)
  - most of the affected users told us that they reused their passwords elsewhere. Most notably, on Mt. Gox. We don't have proof that Mt. Gox was the source of this leak (it could still be data from last year's leak), but that's not impossible
  - there were two instances of users that had changed passwords and their account was breached again in a very short amount of time. In one case, nothing was missing, the hacker just placed one offer. In the other, 3 BTC was gone. It's likely that these passwords were somehow intercepted by the hacker (keylogger/trojan/something else).
  - I spent a considerable amount of time studying server logs (access logs, auth logs and others) and haven't detected any anomalies. I'm almost certain that our systems were not breached. I just can't think of an attack vector that would leak plain-text passwords from our site when we're hashing them all.

The site is now back up, but I've done three important things:
- I've reset ALL passwords. It's possible that I've interrupted the attacker and he has more passwords, and we don't want him to have them anymore
- I've implemented a security mechanism for confirming transactions. As a seller, you can't now just send BTC through the site, you have to first click on the link you receive via email. This way, it's impossible for anyone that gained access to your account to clear your Bitcoin in any way
- I've changed the withdrawal address procedure. It now always requires email confirmation, even when setting it for the first time.

So all in all, the security of BitMarket was increased by this. As of now, even if someone broke into your account, knowing your Bitmarket password, as long as your email is secure, your Bitcoin is secure too.

The question about lost funds remains. I'm sad to report that 182 BTC from all affected accounts were lost in the process (it could be more, but a few hundred BTC were blocked from withdrawal by the anti-theft limit that I set up a few days before). As much as I'd want to reimburse all people affected, I won't, for two reasons:
- BitMarket basically breaks even on the donations it receives. I can't reimburse affected users with the funds of others
- While I feel bad for the people who are affected, I don't think I'm responsible for (in most cases) them reusing passwords for Bitmarket and other sites.

If your funds can be recovered, I'll contact you as soon as possible. If you have any comments about the above statement, feel free to contact me.
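The announcement above describes a second step for money-moving actions: a seller's BTC transfer, and the setting of a withdrawal address, only go through after a link received by email is clicked, so a stolen password alone is not enough. The following is an added illustration of how such a mechanism is commonly built; it is not BitMarket's code, and the URL, the table layout and the 15-minute lifetime are assumptions. The points it shows are that only a hash of the emailed token is stored (a dumped table does not yield usable links), that the token is compared in constant time, and that a link expires and works exactly once.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass
class PendingAction:
    user: str
    kind: str            # "send_btc" or "set_withdrawal_address"
    detail: str          # e.g. "3.0 BTC for order 22392", or the new address
    token_hash: str      # only a hash of the emailed token is stored
    expires_at: float
    used: bool = False


class EmailConfirmations:
    """Second factor for money-moving actions: the logged-in session alone is not enough."""

    TTL_SECONDS = 15 * 60
    BASE_URL = "https://bitmarket.example/confirm"   # assumed; not the real site's URL

    def __init__(self) -> None:
        self._pending: Dict[str, PendingAction] = {}   # stand-in for a DB table

    def request(self, user: str, kind: str, detail: str,
                now: Optional[float] = None) -> Tuple[str, str]:
        """Record the action and return (action_id, link to put in the e-mail)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 random bits, unguessable
        action_id = secrets.token_hex(8)
        self._pending[action_id] = PendingAction(
            user, kind, detail,
            hashlib.sha256(token.encode("ascii")).hexdigest(),
            now + self.TTL_SECONDS)
        return action_id, f"{self.BASE_URL}?id={action_id}&token={token}"

    def confirm(self, action_id: str, token: str, now: Optional[float] = None) -> bool:
        """Proceed only if the token matches, is unexpired and has never been used."""
        now = time.time() if now is None else now
        action = self._pending.get(action_id)
        if action is None or action.used or now > action.expires_at:
            return False
        presented = hashlib.sha256(token.encode("ascii")).hexdigest()
        if not hmac.compare_digest(presented, action.token_hash):
            return False
        action.used = True        # single use: a replayed or forwarded link does nothing
        return True


def parse_link(link: str) -> Tuple[str, str]:
    """Pull (action_id, token) back out of a link, as the click handler would."""
    query = parse_qs(urlparse(link).query)
    return query["id"][0], query["token"][0]


if __name__ == "__main__":
    confirmations = EmailConfirmations()
    action_id, link = confirmations.request("alice", "send_btc", "3.0 BTC for order 22392")
    print("e-mail would contain:", link)
    print("first click:", confirmations.confirm(*parse_link(link)))    # True
    print("second click:", confirmations.confirm(*parse_link(link)))   # False, already used
```

An attacker who has the account password but not the mailbox can start an action, but never receives the token; an attacker who later dumps the table gets only hashes of tokens that have already expired or been consumed.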
disclaimer201
Legendary
*
Offline Offline

Activity: 1526
Merit: 1001


View Profile
October 09, 2012, 09:48:19 PM
 #472

Ok, changed password and found out that my bitcoins were already marked as confirmed (to the people that paid me). So I assume they received my coins ok?

Thank you for your update. Every time that the Bitmarket page is unavailable since December 2011 I'm afraid someone hacked it. I'm paranoid like that and try to not keep more than small amounts at any exchange. Even for the reason that it closes down like Tradehill. I am very glad that the service worked so well for all that time and I think you are very good concerning security so far.

It says 0 donated on my account but I've sent some donations to the donation address manually because I really appreciate the service you are offering. I would be glad to send more donations in the future and I think it would be a good idea for you to post an extra donation address for us to send whatever little we want to at least partly compensate those robbed customers. I know some customers have used passwords more than once but if you don't want to lose those, it would be a good idea to at least try to make up for their losses.

Willing to do my modest part. Once again, thank you for running the service on voluntary donations.
M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
October 09, 2012, 09:58:48 PM
 #473

Thanks for kind words. If someone wants to donate for this cause, you can do it using this address: 1LYSAkN7tKAiQczjhQh2eitqyGirW2Y3uX.
Stephen Gornick
Legendary
*
Offline Offline

Activity: 2506
Merit: 1010


View Profile
October 09, 2012, 11:03:02 PM
 #474

So, in view of the latest developments, seems like it's time for BitMarket to institute some kind of 2-factor authentication also.

I would prefer a 1-time code via sms. Does BitMarket have plans for that?

Yes, we have plans for that, but because I'm on vacation, you will have to wait a bit for it. It will be based on the same process Google uses for its 2-step auth.

Does BitMarket.Eu offer multi-factor auth?

x12345
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250



View Profile
October 10, 2012, 05:44:46 AM
 #475

Ok, changed password and found out that I lost 10 btc...

Key GPG 92B7635F | jabber: bitcoin AT imbox.im | C/V de BTCs

monstrs
Hero Member
*****
Offline Offline

Activity: 555
Merit: 504



View Profile
October 10, 2012, 05:49:58 AM
 #476

Quote from: M4v3R on October 09, 2012, 08:00:37 PM (#471, "Official announcement about October 9th issues", quoted in full above)

Great news. Thank you for the security measures taken.
BTCurious
Hero Member
*****
Offline Offline

Activity: 714
Merit: 503


^SEM img of Si wafer edge, scanned 2012-3-12.


View Profile
October 10, 2012, 11:19:40 AM
Last edit: October 10, 2012, 11:34:45 AM by BTCurious
 #477

I have checked my account. I can guarantee my password is not used on any other site, and also cannot have been keylogged.

My Bitcoins are still there, but, five of my transactions are marked as confirmed (22392, 22403, 22406, 22411, 22415), and one is marked as cancelled (22470). The confirmed ones total 24 Bitcoins, the cancelled one would have been 203 Bitcoins if that had been confirmed. Did I dodge a bullet there?
There are four usernames in the confirmed/cancelled transactions. I have received no transactions for these, although by this time they should have arrived on my bank account.


This is a serious issue. I repeat: my password is cryptographically generated, not used anywhere else, and not typed in on a keyboard either.


Edit: Removed all my Bitcoins from the exchange until this is figured out, or until two-factor auth is implemented. I suggest Google Authenticator. Very easy to set up, on the server side as well as the client.
I would also like to suggest having your site pentested. It sounds to me like you have an SQL injection or XSS issue. Here is someone I trust that can help you: https://bitcointalk.org/index.php?topic=96015.0

M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
October 10, 2012, 12:37:57 PM
 #478

I would also like to suggest having your site pentested. It sounds to me like you have an SQL injection or XSS issue. Here is someone I trust that can help you: https://bitcointalk.org/index.php?topic=96015.0

While there could be a chance of that (which I highly doubt because I use an ORM layer and parameterized queries while accessing the DB), the passwords are hashed with SHA-256 and double salted (site-global and per-user unique salts). There's just no way to extract passwords from these hashes in reasonable time even if there was a hole in the site's code.

I spent the whole day yesterday examining whether there's a fault somewhere in Bitmarket's source or server software. I found nothing that could give the attacker knowledge of Bitmarket's members' passwords.
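OneEyed's post (#468) and the reply just above take opposite positions on the same question: whether a salted SHA-256 hash protects a weak password once the hash table leaks. The following added example (not BitMarket's code; the exact way the site-global and per-user salts are combined with the password is not stated in the thread, so the layout, the salt values and the wordlist are all constructed) runs the same dictionary attack against the described scheme and against a memory-hard KDF with identical salts. Salting defeats precomputed rainbow tables, but with a fast hash every guess still costs a microsecond, so a password such as "hunter2" falls immediately; the scheme the page calls secure only helps against strong passwords. The per-guess cost of scrypt is what makes the same attack expensive.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional

# Stand-in for the "site-global" salt. The real value, and the order in which
# the salts and password are concatenated, are not given on the page; this is
# an assumption. An attacker who has the DB and the application code has it too.
SITE_SALT = b"assumed-site-global-salt"

HashFn = Callable[[str, bytes], str]


def sha256_hash(password: str, user_salt: bytes) -> str:
    """Fast salted hash of the kind described in the announcement (layout assumed)."""
    return hashlib.sha256(SITE_SALT + user_salt + password.encode("utf-8")).hexdigest()


def scrypt_hash(password: str, user_salt: bytes) -> str:
    """Same salts, but memory-hard: each guess costs ~16 MiB of RAM and tens of ms."""
    return hashlib.scrypt(password.encode("utf-8"), salt=SITE_SALT + user_salt,
                          n=2 ** 14, r=8, p=1, dklen=32).hex()


def register(password: str, hash_fn: HashFn):
    """What the database row holds: a random per-user salt and the hash."""
    user_salt = os.urandom(16)
    return user_salt, hash_fn(password, user_salt)


def crack(user_salt: bytes, stored: str, wordlist: Iterable[str],
          hash_fn: HashFn) -> Optional[str]:
    """Offline dictionary attack by someone holding the row, the site salt and the code.

    The per-user salt forces one hash per guess per user (no rainbow tables),
    which is no obstacle at all when one hash takes about a microsecond.
    """
    for candidate in wordlist:
        if hmac.compare_digest(hash_fn(candidate, user_salt), stored):
            return candidate
    return None


# Constructed wordlist; a real attacker uses millions of leaked passwords.
WORDLIST = ["letmein", "bitcoin", "password1", "qwerty", "trustno1", "hunter2", "summer2012"]


def demo(password: str = "hunter2") -> dict:
    """Crack the same weak password under both hash functions and time each run."""
    results = {}
    for name, fn in (("sha256", sha256_hash), ("scrypt", scrypt_hash)):
        user_salt, stored = register(password, fn)
        start = time.perf_counter()
        found = crack(user_salt, stored, WORDLIST, fn)
        results[name] = {"found": found, "seconds": time.perf_counter() - start}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:7s} recovered {r['found']!r} after "
              f"{r['seconds'] * 1000:.1f} ms for {len(WORDLIST)} guesses")
```

Both runs recover the password; the difference is the cost per guess, which is what decides whether a multi-million-entry wordlist finishes in seconds or in months. A salt stored in code rather than in the database (a "pepper") only helps if the attacker got the table without the code, which the thread cannot establish either way.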
M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
October 10, 2012, 12:41:50 PM
 #479

About Google Authenticator, I will implement it as soon as possible, probably even in this week.
BTCurious
Hero Member
*****
Offline Offline

Activity: 714
Merit: 503


^SEM img of Si wafer edge, scanned 2012-3-12.


View Profile
October 10, 2012, 12:47:53 PM
 #480

While there could be a chance of that (which I highly doubt because I use an ORM layer and parameterized queries while accessing the DB), the passwords are hashed with SHA-256 and double salted (site-global and per-user unique salts). There's just no way to extract passwords from these hashes in reasonable time even if there was a hole in the site's code.

I spent the whole day yesterday examining whether there's a fault somewhere in Bitmarket's source or server software. I found nothing that could give the attacker knowledge of Bitmarket's members' passwords.

Are you sure there were password breaches at all? My transactions were confirmed/cancelled, but the Bitcoins actually in my account were untouched. That's why it seems to me that the attacker merely has some method to confirm/cancel transactions, which sounds to me like SQL injection (perhaps not, if you have ORM and parameterized queries) or XSS. But I'm not a professional at that, xalex could probably describe/test more attack vectors.


About Google Authenticator, I will implement it as soon as possible, probably even in this week.

Great. Wouldn't help if the problem lies somewhere else, but it's still a very good thing to have.
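The exchange above turns on whether a request to confirm a transaction could be bent into confirming someone else's, and on M4v3R's answer that parameterized queries rule that out. The following added example (not BitMarket's code; the table, the column names and the sample rows, which reuse two of the transaction numbers BTCurious reported, are constructed) puts the string-built form of such an update beside the parameterized one and runs BTCurious's scenario against both. The injected value does not need stacked statements: `0 OR 1=1` pasted into the WHERE clause is enough to flip every row, while the bound parameter is only ever compared as a value.

```python
import sqlite3
from typing import Dict


def make_db() -> sqlite3.Connection:
    """Constructed sample data; the schema is assumed, not BitMarket's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (id INTEGER PRIMARY KEY, seller TEXT, status TEXT)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", [
        (22392, "btcurious", "pending"),
        (22470, "btcurious", "pending"),
        (22500, "someone_else", "pending"),
    ])
    conn.commit()
    return conn


def confirm_vulnerable(conn: sqlite3.Connection, session_user: str, tx_id: str) -> int:
    """String-built query: tx_id from the request is pasted into the SQL text."""
    sql = (f"UPDATE transactions SET status = 'confirmed' "
           f"WHERE seller = '{session_user}' AND id = {tx_id}")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount            # number of rows the attacker just "confirmed"


def confirm_safe(conn: sqlite3.Connection, session_user: str, tx_id: str) -> int:
    """Parameterized query: the value can never change the statement's structure."""
    try:
        tx_int = int(tx_id)        # validate the type before it reaches the database
    except ValueError:
        return 0
    cur = conn.execute(
        "UPDATE transactions SET status = 'confirmed' WHERE seller = ? AND id = ?",
        (session_user, tx_int))
    conn.commit()
    return cur.rowcount


def statuses(conn: sqlite3.Connection) -> Dict[int, str]:
    return dict(conn.execute("SELECT id, status FROM transactions ORDER BY id"))


if __name__ == "__main__":
    # Attacker "mallory" owns no transactions; the request parameter is hostile.
    payload = "0 OR 1=1"
    db = make_db()
    print("vulnerable:", confirm_vulnerable(db, "mallory", payload), "rows,", statuses(db))
    db = make_db()
    print("parameterized:", confirm_safe(db, "mallory", payload), "rows,", statuses(db))
```

The `WHERE seller = 'mallory' AND id = 0 OR 1=1` that the vulnerable version executes parses as `(seller = 'mallory' AND id = 0) OR 1=1`, so the ownership check is bypassed along with the id. An ORM that builds its SQL from bound parameters gives the same protection as `confirm_safe`, which is the point M4v3R makes; raw string concatenation anywhere in the code base, including in reporting or admin pages, reopens it.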
