Bitcoin Forum
December 03, 2016, 04:57:40 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 3 »  All
  Print  
Author Topic: I suspect GPUMax was compromised and passwords stolen  (Read 5728 times)
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
June 02, 2012, 11:45:30 AM
 #1

In the last 24 hours there have been two GLBSE accounts (that I know of) that have been cleared out.

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

I emailed the GPUMax website yesterday (the email in their whois records as there isn't anything on the site) to inform them of this.

Since I've not seen any notice regarding GPUMax I feel that it is my responsibility to bring this to public attention.

If you have a GPUMax account it is highly likely that it's password has somehow been compromised.

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

Nefario.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
1480741060
Hero Member
*
Offline Offline

Posts: 1480741060

View Profile Personal Message (Offline)

Ignore
1480741060
Reply with quote  #2

1480741060
Report to moderator
1480741060
Hero Member
*
Offline Offline

Posts: 1480741060

View Profile Personal Message (Offline)

Ignore
1480741060
Reply with quote  #2

1480741060
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
imsaguy
General failure and former
VIP
Hero Member
*
Offline Offline

Activity: 574

Don't send me a pm unless you gpg encrypt it.


View Profile WWW
June 02, 2012, 12:30:16 PM
 #2

In the last 24 hours there have been two GLBSE accounts (that I know of) that have been cleared out.

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

I emailed the GPUMax website yesterday (the email in their whois records as there isn't anything on the site) to inform them of this.

Since I've not seen any notice regarding GPUMax I feel that it is my responsibility to bring this to public attention.

If you have a GPUMax account it is highly likely that it's password has somehow been compromised.

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

Nefario.

If the people used the same or similar password on 2 sites, isn't it reasonable to expect that they used it on other sites as well?

Coming Soon!™ © imsaguy 2011-2013, All rights reserved.

EIEIO:
https://bitcointalk.org/index.php?topic=60117.0

Shades Minoco Collection Thread: https://bitcointalk.org/index.php?topic=65989
Payment Address: http://btc.to/5r6
cunicula
Hero Member
*****
Offline Offline

Activity: 756


Stack-overflow Guru


View Profile WWW
June 02, 2012, 12:37:35 PM
 #3

Perhaps nothing is compromised, but it is just the operator exploiting his password haul?

▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁
        AltCoinInternalExperts                Get Your Altcoin Promoted On Social Media       
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
pirateat40
Avast Ye!
Sr. Member
****
Offline Offline

Activity: 378


"Yes I am a pirate, 200 years too late."


View Profile WWW
June 02, 2012, 12:50:20 PM
 #4

We have a lot of users and I guess since your users have a GPUMAX account with the "same" password it must have been us that leaked them.  If users are using the same password on GLBSE and GPUMAX, you can be pretty sure they're using the same password for other sites as well.

Our users information is hashed and salted using the latest cryptography methods available.  I can assure you, we didn't leak anything.  

On a side note, considering you know who runs GPUMAX, you could have easily sent me PM before spreading more FUD in the market.

Edit:  Our whois lists support@gpumax.com which shows nothing from you or anything related to security. Found it hiding in the spam trap.

-pirate





cunicula
Hero Member
*****
Offline Offline

Activity: 756


Stack-overflow Guru


View Profile WWW
June 02, 2012, 01:23:00 PM
 #5

In the last 24 hours there have been two GLBSE accounts (that I know of) that have been cleared out.

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

I emailed the GPUMax website yesterday (the email in their whois records as there isn't anything on the site) to inform them of this.

Since I've not seen any notice regarding GPUMax I feel that it is my responsibility to bring this to public attention.

If you have a GPUMax account it is highly likely that it's password has somehow been compromised.

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

Nefario.

If the people used the same or similar password on 2 sites, isn't it reasonable to expect that they used it on other sites as well?

The question should be what percentage of GBLSE users also use GPUmax? If this percentage is very low, then Nefario is probably right.

▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁
        AltCoinInternalExperts                Get Your Altcoin Promoted On Social Media       
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
June 02, 2012, 01:31:01 PM
 #6

We have a lot of users and I guess since your users have a GPUMAX account with the "same" password it must have been us that leaked them.  If users are using the same password on GLBSE and GPUMAX, you can be pretty sure they're using the same password for other sites as well.

Our users information is hashed and salted using the latest cryptography methods available.  I can assure you, we didn't leak anything.  

On a side note, considering you know who runs GPUMAX, you could have easily sent me PM before spreading more FUD in the market.

Edit:  Our whois lists support@gpumax.com which shows nothing from you or anything related to security.

-pirate

Quote
Message-ID: <4FC78BDE.7080708@gmail.com>
Date: Thu, 31 May 2012 16:18:54 +0100
From: Doctor Nefario <doctor.nefario@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0
MIME-Version: 1.0
To: support@gpumax.com
Subject: your site may have been compromised
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

There is a high chance that gpumax.com, or the database with users
passwords have been compromised.

A GLBSE use has had their account logged into and cleared out, they were
using the same login details they use for GPUMax.

Thought you should know.

Nefario


I was not aware GPUMax was run by you, I've had no interest use or need of the service and still don't, I'm only reporting the information I have available.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
terrytibbs
Hero Member
*****
Offline Offline

Activity: 560



View Profile
June 02, 2012, 01:35:00 PM
 #7

I'll give Dr. Nefario the win for this round.

Round two... fight!
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
June 02, 2012, 01:35:13 PM
 #8

What kind of anti-bot protections does GPUMAX have to prevent automated password retries, if any?

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
pirateat40
Avast Ye!
Sr. Member
****
Offline Offline

Activity: 378


"Yes I am a pirate, 200 years too late."


View Profile WWW
June 02, 2012, 02:05:40 PM
 #9

Confirmed, found your email in spam.  Don't know how you got there but I'm sorry about jumping the gun.

 

Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1442



View Profile
June 02, 2012, 02:11:50 PM
 #10

Confirmed, found your email in spam.  Don't know how you got there but I'm sorry about jumping the gun.

 

Spam filters have the terrible habit of sending to spam any email that mentions the word "password" in them
And the subject line being "your site may have been compromised" also helped lol

Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
June 02, 2012, 02:33:15 PM
 #11

Also regarding hashing and salting passwords, the only secure method is to use BCrypt with a sufficient number of rounds.

MD5, SHA256 (or whatever) hashed hundreds of times simply isn't enough(all these hashing also's were meant to be fast), it also depends on what code you are using for this.

Is it a tried and tested library you're using or did you write your own crypto code?

If it's not BCrypt and a well used library you're using then it's certainly not secure, the latest crypto-methods are not the best, the ones that are tried and tested are(think AES, RSA, and in this case BCrypt).

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
BTCurious
Hero Member
*****
Offline Offline

Activity: 714


^SEM img of Si wafer edge, scanned 2012-3-12.


View Profile
June 02, 2012, 02:57:25 PM
 #12

For the record, did you suspend withdrawals or is it just the hot wallet that's empty? I did a withdrawal (legit, 2-factor'd) but it's not on the blockchain or in my history. It's deducted from my account though. I sent an email to support before I knew about the stolen password issue.

terrytibbs
Hero Member
*****
Offline Offline

Activity: 560



View Profile
June 02, 2012, 02:58:15 PM
 #13

For the record, did you suspend withdrawals or is it just the hot wallet that's empty? I did a withdrawal (legit, 2-factor'd) but it's not on the blockchain or in my history. It's deducted from my account though. I sent an email to support before I knew about the stolen password issue.
It usually takes a while.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
June 02, 2012, 03:03:21 PM
 #14

Also regarding hashing and salting passwords, the only secure method is to use BCrypt with a sufficient number of rounds.

Yeah I am getting tired of this never ending stream of Bitcoin sites claiming they stored passwords properly yet users should change their passwords because their password db was stolen.

If you properly protect your password db and set realistic min password lengths then it shouldn't matter if you are compromised.  The salted passwords are worthless.
Endgameuser
Newbie
*
Offline Offline

Activity: 20


View Profile
June 02, 2012, 03:08:33 PM
 #15

In the last 24 hours there have been two GLBSE accounts (that I know of) that have been cleared out.

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

I emailed the GPUMax website yesterday (the email in their whois records as there isn't anything on the site) to inform them of this.

Since I've not seen any notice regarding GPUMax I feel that it is my responsibility to bring this to public attention.

If you have a GPUMax account it is highly likely that it's password has somehow been compromised.

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

Nefario.
How do you know it wasn't the GLBSE database that was compromised? Or some third party website? No offence Nefario but you're really jumping to conclusions here
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
June 02, 2012, 03:08:45 PM
 #16

You really think bcrypt makes a difference when users use the same password all over the place?
And no, bcrypt is not "the only secure method."  There is no secure method.  That kind of thinking leads to compromised applications and systems.

Of course it does.  If ever site properly protected their password list it would have no value.
As far as bcrypt is not secure please explain to me how you would brute force an 8 digit bcrypt (work=12) password?

Pretty simple to keep passwords secure.
a) use bcrypt (period, unless you have a degree in cryptography anything scheme you can "think" of likely has a couple dozen flaws which are already solved by bcrypt)*
b) require 8 digit password
c) check passwords against "common password list"
d) periodically update the worklevel of bcrypt to keep up with Moore's law


* an alternative to bcrypt are PBKDF2 (Password-Based Key Derivation Function) and scrypt.  Unless you have a pressing reason I would still recommend bcrypt.  scrypt is relatively untested and PBKDF2 uses at its heart SHA-2 which we all know is masively parallelizable.
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
June 02, 2012, 03:44:37 PM
 #17

Question: when is someone going to invent a be-all, end-all service that is totally full of awesome and win, and then decide to force all users to use a proper 2-factor authentication system? It needs to happen, and the day it does happen is the day many people realize that it really isn't as hard as they thought, and increase their security awareness accordingly. People are stupid, so they need to be forced to make the right choices, and not conditioned to believe that what happens now is "good enough".

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Sukrim
Legendary
*
Offline Offline

Activity: 1848


View Profile
June 02, 2012, 04:42:37 PM
 #18

The killer service that everyone wants and that highly recommends/nearly requires 2 factor auth is for example World of Warcraft + Diablo III.

Even my web banking account doesn't force me to do 2 factor auth... People are just too lazy/stupid for that. Facebook, Google - you name it, they offer 2FA! I have yet to actually see anyone reaching for their mobile phone though when going on FB or gmail.

Back to topic:
What leads to GPUMax just from a handful of GLBSE accounts being emptied? What about other potential big account pools like deepbit?

https://bitfinex.com <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with this refcode: x5K9YtL3Zb
Mail me at Bitmessage: BM-BbiHiVv5qh858ULsyRDtpRrG9WjXN3xf
Daily Anarchist
Hero Member
*****
Offline Offline

Activity: 615



View Profile WWW
June 02, 2012, 05:36:59 PM
 #19

I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.

Discover anarcho-capitalism today!
bitlane
Internet detective
Sr. Member
****
Offline Offline

Activity: 462


I heart thebaron


View Profile
June 02, 2012, 05:44:44 PM
 #20

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

That is some fine deductive reasoning....completely obvious if you ask me, ALTHOUGH, before pointing your finger, couldn't you have put another 2 minutes of Detective work into formulating your conclusion for all of this ?

Perhaps in common, they also had BTC-E accounts ? BitcoinTalk.org accounts ? Common Email providers ? .....used a wallet address as a password ?


If you have a GPUMax account it is highly likely that it's password has somehow been compromised.
Obviously....

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.
This smells too much like a weakness on YOUR end and an attempt to cover tracks by asking people to change passwords.


If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.
Over 3 ? .....as in, 4 accounts ?

This entire thread is horse shit.

Considering the growing pains that the GLBSE has gone through, you should be the last one to point fingers at anyone else.



PS. WTF does this have to do with 'Project Development' ?

Pages: [1] 2 3 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!