I'd like to finally weigh in and end speculation that there was some sort of lack of security in our system, and describe what I believe happened. When I first heard the news of this I knew 100% that diceminer was telling the truth; he was a frequent large bettor on the website and had no reason to lie about this happening, and I spent a significant amount of time looking into this. I didn't really want to share this as some information was a bit sensitive, but for the sake of transparency I'd like to fully detail what happened.
The situation as stated in the thread
On 2014-09-21 17:28:25 a 99.9999 BTC cashout was sent from diceminer 2 to 47c18d5c3448a713608e78abb9569263ef4d780648ccd5dceff04c325d116691 (1PrZQH8L7aU9qyhbgLvm4zNjfoC1wGevAs). This cashout was sent from either the cashout modal or the API.
What we knew at the time
Ultimately we didn't have any IP logging in place beyond account creation, so I couldn't determine what IP hijacked the account, but we were able to determine that the cashout was sent from the cashout modal or the API; there was nothing done server-side. I narrowed it down to either someone guessing/cracking his password or a script containing malware. However, diceminer says he was not running a script at the time, so I narrowed it down to some sort of password attack. In terms of Primedice password security, we go far beyond standard password hashing to secure accounts; PD couldn't figure out a user's password if we wanted to. It's also important to note that diceminer had completed several other 100 coin deposits and numerous cashouts prior without issue, and since the incident there has been a significant increase in 100+ coin deposits/cashouts with no issues.
The Investigation
I was secretive about what had happened, as I ended up setting up logs on diceminer's account to try and find out who was accessing it, since this was a serious theft. I attempted to bait out the person by putting coins on the account and then blocking it from cashing out; only one person ended up cashing out the "trap" cashout, and that was diceminer himself, unfortunately. I reloaded the account, but there were no recorded cashouts after that. I was hoping to have an IP to tie to the address the coins were sent to and place a bounty for more information or connections, but this did not pan out; the thief didn't come back for seconds.
I scrambled for a period of time worrying that our security had somehow been compromised, but all other funds remained secure, and then I got this message:
Note: the password has since been changed and the account is now blocked from cashing out. I've also ensured that diceminer is not using this password for anything else and gained his permission to post this:

It pains me to reveal this, but I hope you don't cut your investigation short after I tell you the following. My login and pass were identical, as I had no intention of ever logging in from another computer.
user: DiceMiner2
pass: diceminer2
After I got this message I was pretty upset this wasn't revealed at the beginning, but I understood diceminer's reason for withholding it and continued to investigate regardless.
After this information was provided to us, our team determined that the most likely outcome is that someone literally just attempted to guess the password in a few attempts and got lucky, or attempted to bruteforce the account after it was spotted on highroller using very basic passwords such as the username or "password". I previously said there definitely wasn't a bruteforce, but it was definitely possible; we do have anti-login-bruteforce protection though, so unsuccessful logins are counted towards a limit, which makes this unlikely. There still isn't much we could do on top of our current system to prevent this other than banning users from setting insecure passwords such as their username. Fortunately no other highrollers were affected, either due to stronger passwords or a lack of a password.
We value user privacy and try to log as minimally as possible, which made it very hard to 100% determine what happened, but I can conclude that there was no concerning fault in our system other than a lack of a 2FA option, which has since been added. If the user ran a script, though, then there is no way for us to defend against that. I had some concern that this was the case here, as this occurred a day or two after someone started spamming chat with the "PD Exploit" script and his video contained the Greasemonkey add-on, but I'll trust diceminer's word that no scripts were involved.
I'm sincerely sorry that diceminer lost his coins. I spent the past two weeks trying to log the IP of the person who did this in hopes that we'd have at least something minimal to go off of, but was not successful in this attempt. It's extremely unfortunate for diceminer; I was really upset when I found out about this, but I will say that I did not take this lightly and spent countless hours each week looking into possibilities and trying to catch the person involved. Ultimately we will do everything we can to provide the best possible security, but it is up to the users to set a secure password and enable the now available 2FA. The simple fact is that during this time frame we've had countless 100+ coin deposits and withdrawals that went through swiftly and without issue, and I have no doubt that user balances are secure. If any deposits were ever robbed from a user due to a direct fault in our system I would immediately, without question, replace them with my own funds; I have no reason to believe this was the case here.
Conclusion
I conclude that the 100 coin loss was most likely a result of the weak password matching the username of the account, which allowed a thief to successfully commit a simple password guessing attack that could only have been prevented by us banning weak passwords, by providing 2FA at the time, or by the user setting a more secure password. It's important to note that we had sufficiently strong brute-force/guessing limits in place, which is why I feel that this attack was not automated and was simply a random person manually plugging in a few password attempts on the account and getting lucky.
Many of diceminer's coins appear to have been sent here: https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL. Anyone with any information regarding this should shoot me a PM, as I'll continue to do what I can to help him recover his lost coins. I thank diceminer for his cooperation and understanding throughout all of this, and I'll keep my eyes and ears open to see if anyone has any information.
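The post names two controls: banning passwords that equal the username, and a failed-login limit that counts unsuccessful attempts per account. The following is an added example, not Primedice's code, showing why the limit alone does not cover the case described above: a guesser who starts with the username as the password succeeds on the first or second try, well inside any sensible lock-out threshold, whereas a strong password is still protected when the same guess list hits the limit. All names (check_password_policy, LoginThrottle, make_user, login, simulate_guessing), the sample account and the guess list are illustrative assumptions.

```python
"""Added example (not Primedice code): username-as-password policy check
plus a per-account failed-login throttle, and a guessing simulation that
shows the throttle is irrelevant when the first guess is right.

All identifiers and sample data here are constructed for illustration.
"""
import hashlib
import hmac
import os
import time

# Tiny deny-list; a production system would use a much larger one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "bitcoin"}
PBKDF2_ITERATIONS = 50_000  # kept low so the example runs quickly


def check_password_policy(username, password, min_length=10):
    """Return (ok, reason). Rejects the failure mode from the post:
    a password equal to the username, compared case-insensitively and
    with trailing digits stripped so 'diceminer2' vs 'DiceMiner' is caught."""
    u, p = username.casefold(), password.casefold()
    if len(password) < min_length:
        return False, "too short"
    if p in COMMON_PASSWORDS:
        return False, "common password"
    if p == u:
        return False, "password equals username"
    if p.rstrip("0123456789") == u.rstrip("0123456789"):
        return False, "password is a trivial variant of the username"
    if u in p:
        return False, "password contains username"
    return True, "ok"


class LoginThrottle:
    """Sliding-window failed-login counter keyed by account, not by IP,
    because a guesser can rotate source addresses. `clock` is injectable
    so the behaviour can be tested deterministically."""

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = {}  # username -> list of failure timestamps

    def _prune(self, username, now):
        cutoff = now - self.window
        self._failures[username] = [t for t in self._failures.get(username, []) if t > cutoff]

    def allowed(self, username):
        self._prune(username, self.clock())
        return len(self._failures[username]) < self.max_failures

    def record_failure(self, username):
        now = self.clock()
        self._prune(username, now)
        self._failures[username].append(now)

    def record_success(self, username):
        self._failures.pop(username, None)


def make_user(username, password):
    """Salted PBKDF2-HMAC-SHA256 record; a stand-in for a real credential store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"username": username, "salt": salt, "hash": digest}


# Dummy record verified for unknown usernames so response time does not
# reveal whether an account exists.
_DUMMY_USER = make_user("", os.urandom(8).hex())


def verify(user, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, user["hash"])


def login(users, throttle, username, password):
    """Return 'ok', 'bad-password' or 'locked'. The throttle is consulted
    before the (expensive) hash check so locked accounts cost nothing."""
    if not throttle.allowed(username):
        return "locked"
    user = users.get(username, _DUMMY_USER)
    if username in users and verify(user, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "bad-password"


def simulate_guessing(users, throttle, username, guesses):
    """Try each guess in order, as a person typing them in would.
    Return (outcome, number_of_attempts_made)."""
    for attempt, guess in enumerate(guesses, 1):
        result = login(users, throttle, username, guess)
        if result in ("ok", "locked"):
            return result, attempt
    return "bad-password", len(guesses)


if __name__ == "__main__":
    # Constructed sample: the credentials quoted in the post, and a guess list
    # that starts with the username exactly as a casual guesser would.
    guesses = ["DiceMiner2", "diceminer2", "password", "123456", "diceminer", "qwerty"]
    print(check_password_policy("DiceMiner2", "diceminer2"))
    weak = {"DiceMiner2": make_user("DiceMiner2", "diceminer2")}
    print(simulate_guessing(weak, LoginThrottle(), "DiceMiner2", guesses))
    strong = {"DiceMiner2": make_user("DiceMiner2", "correct horse battery staple")}
    print(simulate_guessing(strong, LoginThrottle(), "DiceMiner2", guesses))
```

With the weak credential the simulation reports success on the second attempt (the first guess fails only on letter case), which is exactly the scenario the conclusion above describes: a limit of five failures never fires. With a strong password the same guess list runs into the lock-out instead. The policy check is the control that would have stopped the account from being created in that state in the first place.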