My account got hacked, is there a way to recover access to it?

[greatwolf_]

The hacker changed my pw, email and security question on my account. Is there a way to recover access to it? It seems obvious now but BitcoinTalk really needs 2fa and some kind of confirmation sent to the original email on changes like this along with ip logs.

[1714040989]

1714040989

[1714040989]

1714040989

[eid]

The hacker changed my pw, email and security question on my account. Is there a way to recover access to it? It seems obvious now but BitcoinTalk really needs 2fa and some kind of confirmation sent to the original email on changes like this along with ip logs.

If you've associated a BTC address in an old post or PM, yes:

https://bitcointalk.org/index.php?topic=497545.0


If you haven't, forget it because you won't ever get it back.

[hilariousandco]

It seems obvious now but BitcoinTalk really needs 2fa and some kind of confirmation sent to the original email on changes like this along with ip logs.

It really is needed, but what's needed even more is for people to look after their accounts a bit better and not log into phishing sites. I hope you're more careful with your coins. 

[Shogen]

... but BitcoinTalk really needs 2fa and some kind of confirmation sent to the original email on changes like this along with ip logs.

Strongly agree with you. The good news is that we should have 2FA feature ready in the new forum software.

https://bitcointalk.org/index.php?topic=523070.0

Fancy Authentication

In addition to normal password authentication, the forum should support various kinds of of alternative authentication. At least password auth, email verification, secret questions, OpenID, PGP, OpenVPN (automatic creation of subnets + IP source verification), and Bitcoin address signing should be supported, with multiple allowable credentials for each auth type. Users should have the option of requiring any combination of these auth types. Like "pgp OR (password AND OpenID)". And users should be able to require that changes to some or all auth types as well as the required combination of types not take effect for some configurable number of days. This allows for different types of recovery methods.

[greatwolf_]

I've sent badbear and theymos signed messages as per instructions here. In fact, I've signed it twice using two different btc addresses that have been used with my original account to prove ownership. How long should it take them to get back to me?

[hilariousandco]

That depends how busy they are but I don't think BadBear deals with account hackings. You'll just have to wait and be patient.

[greatwolf_]

Is there any other staff or mods that deal with account recovery that I can also contact to help speed this process? I also mentioned in the message that they can verify and confirm also by comparing the ip logs between my original account and this to help support my case. Additionally, I can also send a confirmation email reply from my original email address used to register that account as well.

All of that should be overwhelmingly sufficient evidence to reset the email for that account.

[hilariousandco]

Nope, just theymos as far as I'm aware. If you've sent all the correct info - which it appears like you have - all you can do now is wait for theymos to recover it, though he's a busy guy and gets lots of these requests plus I imagine a helluva lot of other stuff daily.

[wosch76]

I have the same problem.
I lost the access to my account on this nem phising attack and pm'd theymos this monday but didn't get a reply yet.
I think it's too much pm's and lost account's to get through for one person.
Can't some other mods help theymos? Just temporarely til the storm is over?

[hilariousandco]

It would be a good idea to delegate the workload, but the only other person who probably could do it is BadBear and I don't think he's too keen on sorting out hacked accounts, though maybe he will change his mind as I don't think he was that eager to become a admin either at one point.

[ziggyII]

I have the same problem.
I lost the access to my account on this nem phising attack and pm'd theymos this monday but didn't get a reply yet.
I think it's too much pm's and lost account's to get through for one person.
Can't some other mods help theymos? Just temporarely til the storm is over?

I am waiting for his reply.too
In the past 4 days I PMed him 3 times
day 1 I sent my signed message,for anxious reasons I misread the format so made a mistake in it but I didn't realize at that time
day 2 I asked if my account can be recovered   
day 3 with other people's help I fond what I signed in day 1 is wrong,so I corrected and PMed it again
now it is day 4
he said:

If I point you to this thread, you can't prove ownership properly, and then I ignore your future PMs, this means that I'm not going to recover your account. Create a new one.

so what I worried is my last pm with correct signed message be ignored because the first one is wrong
will it happen?



 

[wosch76]

Did anybody ever got restored his account or got a reply by theymos?
Can someone confirm this?
I'm just curious, cause I only read about pm's that get never answered

[greatwolf_]

It's 5 days later, I still haven't gotten so much as a reply or peep from theymos. I don't get what his deal is, I've followed the instructions as pointed out in his account recovery thread. I've verified the signed PM message through blockchain.info and https://brainwallet.github.io/#verify and they both check out.

I mean if there's something wrong shouldn't theymos at least get back to me on what that is? This whole ordeal is stupid and incredibly infuriating -- right now the only thing standing in the way between a hacker and your bct account is your password; there is no other defense to deter a hacker like having 2fa, confirming on email changes etc. like mentioned in my original post.

That being the case, I don't understand why their account recovery process is so piss poor.

[greatwolf_]

I resent another msg to theymos on 9/26/14. Still no response as of this posting.

[Tammy Chan]

Still no response as of this posting.

For your information, theymos replied on reddit a few days ago regarding another more complicated recovery request (link: http://www.reddit.com/r/Bitcoin/comments/2hne0g/useraccounts_bitcointalkorg_not_like_other/ckugt4c), but there is something in common for all recovery requests.

Account recoveries are my lowest priority because they involve a ton of investigation, and you shouldn't lose your account in the first place. If my investigation is not thorough, I could end up accidentally "recovering" an account by giving it to a thief. But I don't often have hours of spare time to devote to such things, so I end up doing only a few account recoveries per month, and many requests get ignored. (I choose recent requests that look straightforward. For any forum business, if I ignored your past requests, resend it every couple of weeks and make it more clear/straightforward.)

[greatwolf_]

For your information, theymos replied on reddit a few days ago regarding another more complicated recovery request (link: http://www.reddit.com/r/Bitcoin/comments/2hne0g/useraccounts_bitcointalkorg_not_like_other/ckugt4c), but there is something in common for all recovery requests.

Account recoveries are my lowest priority because they involve a ton of investigation, and you shouldn't lose your account in the first place. If my investigation is not thorough, I could end up accidentally "recovering" an account by giving it to a thief. But I don't often have hours of spare time to devote to such things, so I end up doing only a few account recoveries per month, and many requests get ignored. (I choose recent requests that look straightforward. For any forum business, if I ignored your past requests, resend it every couple of weeks and make it more clear/straightforward.)

Two responses to the above, firstly I think my case falls on the straightforward case since no one has stepped up to dispute my claim to my account. But then again, what does he even consider straightforward exactly? That sounds completely subjective and whatever mood he happens to be feeling. Why not delegate some of that task to other mods? They're trustworthy enough to do it and perfectly capable.

Secondly, why doesn't theymos secure BCT accounts better and make them harder to hack? Then there would be less account recovery request because less accounts are being hacked. Low-hanging fruits that come to mind:

• Email confirmation on account creation
• Email confirmation when changing vital account settings
• 2FA

These aren't new ideas. See this thread for example.

[Willisius]

For your information, theymos replied on reddit a few days ago regarding another more complicated recovery request (link: http://www.reddit.com/r/Bitcoin/comments/2hne0g/useraccounts_bitcointalkorg_not_like_other/ckugt4c), but there is something in common for all recovery requests.

Account recoveries are my lowest priority because they involve a ton of investigation, and you shouldn't lose your account in the first place. If my investigation is not thorough, I could end up accidentally "recovering" an account by giving it to a thief. But I don't often have hours of spare time to devote to such things, so I end up doing only a few account recoveries per month, and many requests get ignored. (I choose recent requests that look straightforward. For any forum business, if I ignored your past requests, resend it every couple of weeks and make it more clear/straightforward.)

Two responses to the above, firstly I think my case falls on the straightforward case since no one has stepped up to dispute my claim to my account. But then again, what does he even consider straightforward exactly? That sounds completely subjective and whatever mood he happens to be feeling. Why not delegate some of that task to other mods? They're trustworthy enough to do it and perfectly capable.

Secondly, why doesn't theymos secure BCT accounts better and make them harder to hack? Then there would be less account recovery request because less accounts are being hacked. Low-hanging fruits that come to mind:

• Email confirmation on account creation
• Email confirmation when changing vital account settings
• 2FA

These aren't new ideas. See this thread for example.

Email confirmation would not do anything to help secure accounts and the lack of email confirmation helps users maintain anonymity. Also if the forum were to get hacked and email addresses were to be exposed then the hacker would have a large list of email addresses they could use on a phishing attack or could try to hack the subject email addresses because they know they are associated with bitcoin.

If email confirmation is not necessary to register an account then requiring email confirmation to change certain account settings would not work as people could be using a fake email address.

2FA would be useful however it would be difficult to implement into SMF. Theymos has also said that the overwhelming majority of account hacks are the result of some kind of error on the user's part.     

[peligro]

I disagree, I think a simple email confirmation will add a lot of security. Only the password protecting the account is very insecure.

Recovery of hacked accounts should be a priority as they are soon sold off by newbie traders. Once they are with the buyers the job of the hackers is done.

[greatwolf_]

bump

[Grand_Voyageur]

bump

Have you followed theymos' way to recover your account, the one provided here? If you cannot follow such a path, I suggest you to move on, learn the lesson to avoid repeating the mistake and start using a new account.