Sebz4n | May 15, 2011, 12:35:54 PM

Did you contact Leaseweb?

mewantsbitcoins | May 15, 2011, 12:55:24 PM | Last edit: May 15, 2011, 01:18:16 PM by mewantsbitcoins

80 bits is considered safe. 20 characters of letters+numbers make it 20*6=120 bits, an overkill (even if the attacker knows how many bits there are exactly).

That's what I thought, but, hey, apparently I'm a dummy for revealing this personal data on a public forum.

I'm not talking about your math. The statement above is absurd to anyone working in IT security. What you don't seem to understand is that you revealed a piece of personal information. If I'm an adversary and put enough such pieces together I'll have your password. This case is an exception and I'm glad op will get his money back, but this case is a very good example of extremely poor security practices. Let's say bitcoin exploded in value - it's on major TV channels, shops are popping up everywhere accepting it and it adds several zeros to what the value is today. Do you still think op's employees would be so trustworthy then? It's the same with you. If bitcoin suddenly increased in value, it may be worth spending years trying to figure out your password and by searching this forum and finding out it's >20 long, someone would have a good starting point. Then they can probably safely assume that it is not a random sequence because you would not be able to remember it. They would then go and read your other posts, to see how you think, what words you use and so on.

And the same goes to vuce's comment "80 bit is considered safe". Safe for what? Kids trying to access your folder at home? a script kiddie? a skilled programmer? a government agency?

proudhon | May 15, 2011, 03:03:32 PM

80 bits is considered safe. 20 characters of letters+numbers make it 20*6=120 bits, an overkill (even if the attacker knows how many bits there are exactly).

That's what I thought, but, hey, apparently I'm a dummy for revealing this personal data on a public forum.

I'm not talking about your math. The statement above is absurd to anyone working in IT security. What you don't seem to understand is that you revealed a piece of personal information. If I'm an adversary and put enough such pieces together I'll have your password. This case is an exception and I'm glad op will get his money back, but this case is a very good example of extremely poor security practices. Let's say bitcoin exploded in value - it's on major TV channels, shops are popping up everywhere accepting it and it adds several zeros to what the value is today. Do you still think op's employees would be so trustworthy then? It's the same with you. If bitcoin suddenly increased in value, it may be worth spending years trying to figure out your password and by searching this forum and finding out it's >20 long, someone would have a good starting point. Then they can probably safely assume that it is not a random sequence because you would not be able to remember it. They would then go and read your other posts, to see how you think, what words you use and so on.

And the same goes to vuce's comment "80 bit is considered safe". Safe for what? Kids trying to access your folder at home? a script kiddie? a skilled programmer? a government agency?

Ok, look, I get it. Any information can make it easier to get your password, even if by 'easier' it's still really, really hard. Point taken. The best practice is just not to reveal any relevant personal information at all. Got it.

Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.

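
The entropy arithmetic argued over in the posts above, as an added example that is not part of the original thread: it measures how little a leaked length costs a truly random password and how much weaker a memorable word-based one can be. The 2048-word list and the 10^12 guesses-per-second rate are assumptions chosen for illustration.

```python
import math

ALNUM = 62                    # letters + digits: about 5.95 bits per character
GUESSES_PER_SECOND = 1e12     # assumed attacker speed, illustration only
WORDLIST_SIZE = 2048          # assumed dictionary size for a word-based passphrase
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_bits(alphabet: int, length: int) -> float:
    """Entropy of a password whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet)


def length_leak_bits(alphabet: int, max_len: int, known_len: int) -> float:
    """Bits saved by learning the exact length instead of only 'at most max_len'."""
    every_length = sum(alphabet ** k for k in range(1, max_len + 1))
    return math.log2(every_length) - math.log2(alphabet ** known_len)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase built from uniformly chosen dictionary words."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a 2**bits search space."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def report() -> dict:
    return {
        "random_20_alnum_bits": random_bits(ALNUM, 20),
        "length_leak_bits": length_leak_bits(ALNUM, 20, 20),
        "four_word_bits": passphrase_bits(4, WORDLIST_SIZE),
        "years_80_bits": years_to_exhaust(80, GUESSES_PER_SECOND),
        "years_four_words": years_to_exhaust(44, GUESSES_PER_SECOND),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:22s} {value:.4g}")
```

Under these assumptions a random 20-character password loses about 0.02 bits when its length is known, while a long but memorable four-word passphrase offers only 44 bits.
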
elggawf | May 15, 2011, 03:38:19 PM

I recommend Tycho accelerate the installation of an SSL certificate. They can be had for as low as $50 (perhaps cheaper if you shop around) at RapidSSL. Of course, if his server was hacked, this would not have helped. In fact, if his server were hacked, the email confirmation won't help either because they could access the database directly. Let's hope that was not the case.

http://www.startssl.com/

Kudos to Tycho for reacting in an honorable manner with regard to his customer's loss.

Before you ask, no it's not the same thing as CACert - StartSSL actually has root certificates in most major OSes and browsers (and for what mining pools need, that's plenty).

^_^

Littleshop | May 15, 2011, 04:07:21 PM

We are not talking about you, but about security practices and how dumb some people are revealing their personal data on public forums without even realizing it

But you are talking about me since I'm the dummy who revealed the personal data that my deepbit password is over 20 characters long. Now, in a matter of months, if not sooner, any sufficiently crafty scriptkiddie could have access to my deepbit account.

Or you have a well protected 19 character password!

cschmitz | May 15, 2011, 04:30:37 PM

I'm very sorry that I haven't implemented this feature earlier, so your stolen bitcoins will be reimbursed. (Please note: I can't guarantee that I can do such reimbursement in the future).

Your money is safe and I'll give instructions on setting your address again. Please wait.

A total of ~150 BTC were stolen: 136 from this user and ~14 BTC from others.

big kudos to you for providing such a service

proud 5.x gh/s miner. tips welcome at 1A132BPnYMrgYdDaRyLpRrLQU4aG1WLRtd

trentzb | May 15, 2011, 09:09:08 PM

@MemoryDealers
Forgot to ask, are you (or were you at the time) using any pool monitoring software/apps/webapps on Android/iPhone or other devices/computers to watch your deepbit account?

MemoryDealers (OP) | May 15, 2011, 09:20:24 PM

@MemoryDealers
Forgot to ask, are you (or were you at the time) using any pool monitoring software/apps/webapps on Android/iPhone or other devices/computers to watch your deepbit account?

I was / still do check from my iphone safari browser as well.

Serge | May 15, 2011, 09:49:32 PM

https would be nice, with mining software as well web interface over account forms, including log-ons

I'd say it's a must for any serious org. dealing with personal data of their users over the web

also it is a good practice to use secure connections while accessing mail and ftp servers too.

[Tycho] | May 15, 2011, 10:44:03 PM

@MemoryDealers
Forgot to ask, are you (or were you at the time) using any pool monitoring software/apps/webapps on Android/iPhone or other devices/computers to watch your deepbit account?

Yes, I asked the victims about this too, but looks like it's not the case. Also all of them used same password for workers and main account. At least one said that he was using same password on his e-mail account and this e-mail account was hacked.

Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks!
ICBIT Trading platform: USD/BTC futures trading, Bitcoin difficulty futures (NEW!). Third year in bitcoin business.

xf2_org | May 16, 2011, 12:31:35 AM

Also all of them used same password for workers and main account.

*facepalm*
And people wonder why I am implementing Digest auth for miners....

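
Why Digest auth matters when a worker shares the main account's password, as an added example that is not part of the original posts or of any pool's code. It assumes the miner would otherwise send HTTP Basic credentials over plain HTTP, and every name and value below is constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not taken from the thread.
USER, PASSWORD, REALM = "worker1", "same-as-main-account", "pool"
METHOD, URI = "POST", "/"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """HTTP Basic: base64 of user:password, sent with every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def password_seen_on_wire(header: str) -> str:
    """Base64 is an encoding, so a captured Basic header yields the password."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    return decoded.split(":", 1)[1]


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 response for qop=auth; only this hash crosses the wire."""
    ha2 = md5_hex(f"{METHOD}:{URI}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_accepts(stored_ha1: str, nonce: str, nc: str, cnonce: str,
                   response: str) -> bool:
    """Server recomputes the hash for the nonce it issued and compares."""
    expected = digest_response(stored_ha1, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


# Derived independently by client and server from the shared password.
HA1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")

if __name__ == "__main__":
    print("Basic leaks:", password_seen_on_wire(basic_header(USER, PASSWORD)))
    first = digest_response(HA1, "nonce-A", "00000001", "c1")
    print("Digest sends:", first)
    print("old response accepted for a fresh nonce:",
          server_accepts(HA1, "nonce-B", "00000001", "c1", first))
```

Digest keeps the password itself off the wire and ties each response to a server nonce, but it does not encrypt the session, so it complements the HTTPS the thread asks for rather than replacing it.
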
[Tycho] | May 16, 2011, 10:39:06 PM

Your BTC balance is refunded :)

AntiVigilante | May 18, 2011, 02:01:13 AM

HB Gary didn't teach the world anything.

minerX | May 18, 2011, 03:19:32 AM

Wow. Can't believe he refunded the BTC! That's great service.
I was thinking about going solo mining but after this bit of service I'm going to stick with deepbit.

bournemt | May 18, 2011, 02:26:15 PM

+1 Tycho

bitcoindaddy | May 18, 2011, 03:06:46 PM

FYI - Deepbit has SSL now (HTTPS).

cablepair | May 18, 2011, 03:51:52 PM

dude,
the guy who uses that IP (94.75.217.249) address is on irc right now.

irc.linode.com
#linode
his nickname is takamichi

he's not using that IP right now, but he has in the past.... (check google)
iMMUNE
181msjFgfXo1LwFk8S9BLRYETNqD72yHCL

MemoryDealers (OP) | May 18, 2011, 04:13:41 PM

Interesting!
What can we do?
Maybe someone could try to pose like they are going to do a deal with him to get his real contact information?
Are we sure this is the same guy, or just someone else using the same proxy service?

cablepair | May 18, 2011, 04:50:13 PM

It does not appear to me to be a proxy, it comes from an ISP called LeaseWeb B.V. that is in the U.S., Netherlands, and Germany
they do colocated and dedicated server leasing

it is probably a co-located linux box and probably hacked

it's funny because this guy has a chinese irc nick and using IP from the netherlands

Chinese hackers are some of the most active anywhere, and some of the most industrious...

they probably used the same hacked linux box for an irc bouncer that they used to connect to deepbit
to steal your BTC

in any case it's very likely the person is not traceable,
but it couldn't hurt to contact LeaseWeb B.V.
and let them know that someone used an IP that they own to steal your money
they may do an investigation and they may not, but it's the best move you can make right now.

here's the contact info for their U.S. office
+1 703 5522754

LeaseWeb Inc.
9480 Innovation Drive
Suite 1, Manassas
Virginia 20110

glad I could help...
iMMUNE

181msjFgfXo1LwFk8S9BLRYETNqD72yHCL

fergalish | May 18, 2011, 10:01:17 PM

3. Back up the wallet.dat file it creates onto your USB stick. Better yet, do it onto two USB sticks. It's located at %APPDATA%\Bitcoin\wallet.dat. Keep both copies safe and secure.

I would just add to encrypt it with a good but easily memorized passphrase, print out the ascii text and store it on your bookshelf. Take a photo of those pages, and upload to your flickr account. etc. I would recommend against storing a valuable unencrypted wallet.dat anywhere.