Today I discovered there was an order that wasn't mine. Someone hacked my account and put 2FA so I wasnt able to stop him. I immidietly changed my password from a fresh computer incase I had keylogger.
We are very sorry for the funds that you've lost. You should always enable 2FA before doing any kind of operations with the funds on your account to prevent such scenarios. You should also keep your account secure all the time (
https://www.nicehash.com/index.jsp?p=news&id=108)
Once again, please make sure to keep 2FA enabled all the time when doing any kind of operations with any kind of funds in your account.
Best regards,
NiceHash team.
NO!!!!!
1) YOU SHOULD UPGRADE YOUR 2000 PHP CODE OF YOUR WEBSITE AND ACTUALLY FORCE THOSE WHO ARE PREVIOUSLY LOGGED IN OUT WHEN A PASSWORD IS CHANGED.
2) YOU SHOULD ALSO BLOCK OTHER IPS WHEN YOU ARE INFORMED OF THE HACK, EVEN BLOCK THE ACCOUNT.
3) YOU SHOULD ASK FOR A EMAIL CONFIRMATION AS ALL THE OTHER WEBSITES IN THE WORLD DOES WHEN A USER TRIES TO PUT 2FA TO HIS ACCOUNT.
I'LL CHASE THIS TO THE END AND WILL GIVE YOU A NEGATIVE TRUST IF YOU DON'T TAKE RESPONSIBILITY AS YOU SHOULD!
Here is what happened for those who wants to read:
So here is the deal, I was renting hash for Zcash and Zclassic for the past couple of days. I had 0.24 btc left in my account. Today I decided to check my account and saw that there was an open order that wasn't by me.
The hacker put a 2fa code, WHICH CAN'T BE DONE WITH EMAIL CONFIRMATION ANY WHERE IN THE WORLD EXCEPT THE POORLY CODED NICEHASH INTERFACE, and I was unable to withdraw my btc immidietly. I changed my password from a fresh computer due to the risk of having a keylogger on my computer.
GUESS WHAT?! Poorly coded nicehash website didn't force previously logged in people to logout after a password reset. What a joke?! Is this 2001 dial up internet years all over again?
So, while I thought I was safe because I changed my password and the regular website behaviour is to force everyone else out that is logged in with previous password. I went to bed. Woke up to see if nicehash responded my email.
They asked me to send certain amount of btc to my deposit address to verify its actually me. And I did. Than wanted check if my deposit was in wallet page.
I noticed my 0.22 was fully gone. Poorly coded nicehash website didn't force previously logged in hacker, neither did the support blocked his IP even though they have been INFORMED that it was a hacker.
I request a refund of my hardly earned 0.22 BTC. I accept that the first hack was my responsibility but the rest security leaks was caused by nicehash's poor coding.
This is a fucking job, here is the mail I recieved:
We are very sorry for the funds that you've lost. You should always enable 2FA before doing any kind of operations with the funds on your account to prevent such scenarios. We replied to your first email at replied to you at 21:39 UTC, followed our standard procedure and sent you the 2FA reset info at 22:51 UTC.
Once again, we are very sorry for the funds that you've lost - and please make sure to keep 2FA enabled all the time when doing any kind of operations with any kind of funds in your account.
Thank you for using our service!
I URGE EVERYONE. USING NICEHASH IS NOT SAFE. THEY DON'T HAVE EVEN THE SIMPLEST PROTECTIONS. THEY DON'T ASK EMAIL CONFIRMATION FOR SETTING 2FA AND WHEN YOU CHANGE YOUR PASSWORD THE HACKER WILL NOT BE FORCED OUT. THIS IS A VERY UNPROFESSIONAL CODED WEBSITE.
