Bitcoin Forum
Author Topic: I suspect GPUMax was compromised and passwords stolen  (Read 6344 times)
Nefario (OP)
Hero Member
*****
Offline Offline

Activity: 602
Merit: 512


GLBSE Support support@glbse.com


View Profile WWW
June 02, 2012, 11:45:30 AM
 #1

In the last 24 hours there have been two GLBSE accounts (that I know of) that have been cleared out.

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

I emailed the GPUMax website yesterday (the email in their whois records as there isn't anything on the site) to inform them of this.

Since I've not seen any notice regarding GPUMax I feel that it is my responsibility to bring this to public attention.

If you have a GPUMax account it is highly likely that its password has somehow been compromised.

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

Nefario.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
imsaguy
General failure and former
VIP
Hero Member
*
Offline Offline

Activity: 574
Merit: 500

Don't send me a pm unless you gpg encrypt it.


View Profile WWW
June 02, 2012, 12:30:16 PM
 #2

In the last 24 hours there have been two GLBSE accounts (that I know of) that have been cleared out.

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

I emailed the GPUMax website yesterday (the email in their whois records as there isn't anything on the site) to inform them of this.

Since I've not seen any notice regarding GPUMax I feel that it is my responsibility to bring this to public attention.

If you have a GPUMax account it is highly likely that its password has somehow been compromised.

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

Nefario.

If the people used the same or similar password on 2 sites, isn't it reasonable to expect that they used it on other sites as well?

Coming Soon!™ © imsaguy 2011-2013, All rights reserved.

EIEIO:
https://bitcointalk.org/index.php?topic=60117.0

Shades Minoco Collection Thread: https://bitcointalk.org/index.php?topic=65989
Payment Address: http://btc.to/5r6
cunicula
Legendary
*
Offline Offline

Activity: 1050
Merit: 1003


View Profile
June 02, 2012, 12:37:35 PM
 #3

Perhaps nothing is compromised, but it is just the operator exploiting his password haul?
pirateat40
Avast Ye!
Sr. Member
****
Offline Offline

Activity: 378
Merit: 250


"Yes I am a pirate, 200 years too late."


View Profile WWW
June 02, 2012, 12:50:20 PM
Last edit: June 02, 2012, 02:07:21 PM by pirateat40
 #4

We have a lot of users and I guess since your users have a GPUMAX account with the "same" password it must have been us that leaked them.  If users are using the same password on GLBSE and GPUMAX, you can be pretty sure they're using the same password for other sites as well.

Our users' information is hashed and salted using the latest cryptography methods available.  I can assure you, we didn't leak anything.

On a side note, considering you know who runs GPUMAX, you could have easily sent me PM before spreading more FUD in the market.

Edit:  Our whois lists support@gpumax.com which shows nothing from you or anything related to security. Found it hiding in the spam trap.

-pirate





cunicula
Legendary
*
Offline Offline

Activity: 1050
Merit: 1003


View Profile
June 02, 2012, 01:23:00 PM
 #5

In the last 24 hours there have been two GLBSE accounts (that I know of) that have been cleared out.

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

I emailed the GPUMax website yesterday (the email in their whois records as there isn't anything on the site) to inform them of this.

Since I've not seen any notice regarding GPUMax I feel that it is my responsibility to bring this to public attention.

If you have a GPUMax account it is highly likely that its password has somehow been compromised.

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

Nefario.

If the people used the same or similar password on 2 sites, isn't it reasonable to expect that they used it on other sites as well?

The question should be what percentage of GLBSE users also use GPUMax? If this percentage is very low, then Nefario is probably right.
Nefario (OP)
Hero Member
*****
Offline Offline

Activity: 602
Merit: 512


GLBSE Support support@glbse.com


View Profile WWW
June 02, 2012, 01:31:01 PM
 #6

We have a lot of users and I guess since your users have a GPUMAX account with the "same" password it must have been us that leaked them.  If users are using the same password on GLBSE and GPUMAX, you can be pretty sure they're using the same password for other sites as well.

Our users' information is hashed and salted using the latest cryptography methods available.  I can assure you, we didn't leak anything.

On a side note, considering you know who runs GPUMAX, you could have easily sent me PM before spreading more FUD in the market.

Edit:  Our whois lists support@gpumax.com which shows nothing from you or anything related to security.

-pirate

Quote
Message-ID: <4FC78BDE.7080708@gmail.com>
Date: Thu, 31 May 2012 16:18:54 +0100
From: Doctor Nefario <doctor.nefario@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0
MIME-Version: 1.0
To: support@gpumax.com
Subject: your site may have been compromised
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

There is a high chance that gpumax.com, or the database with users
passwords have been compromised.

A GLBSE user has had their account logged into and cleared out; they were
using the same login details they use for GPUMax.

Thought you should know.

Nefario


I was not aware GPUMax was run by you, I've had no interest use or need of the service and still don't, I'm only reporting the information I have available.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
terrytibbs
Hero Member
*****
Offline Offline

Activity: 560
Merit: 501



View Profile
June 02, 2012, 01:35:00 PM
 #7

I'll give Dr. Nefario the win for this round.

Round two... fight!
rjk
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


1ngldh


View Profile
June 02, 2012, 01:35:13 PM
 #8

What kind of anti-bot protections does GPUMAX have to prevent automated password retries, if any?

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
pirateat40
Avast Ye!
Sr. Member
****
Offline Offline

Activity: 378
Merit: 250


"Yes I am a pirate, 200 years too late."


View Profile WWW
June 02, 2012, 02:05:40 PM
 #9

Confirmed, found your email in spam.  Don't know how you got there but I'm sorry about jumping the gun.

 

Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1358
Merit: 1002



View Profile
June 02, 2012, 02:11:50 PM
 #10

Confirmed, found your email in spam.  Don't know how you got there but I'm sorry about jumping the gun.

 

Spam filters have the terrible habit of sending to spam any email that mentions the word "password" in them
And the subject line being "your site may have been compromised" also helped lol
Nefario (OP)
Hero Member
*****
Offline Offline

Activity: 602
Merit: 512


GLBSE Support support@glbse.com


View Profile WWW
June 02, 2012, 02:33:15 PM
 #11

Also regarding hashing and salting passwords, the only secure method is to use BCrypt with a sufficient number of rounds.

MD5, SHA256 (or whatever) hashed hundreds of times simply isn't enough (all these hashing algos were meant to be fast); it also depends on what code you are using for this.

Is it a tried and tested library you're using or did you write your own crypto code?

If it's not BCrypt and a well used library you're using then it's certainly not secure; the latest crypto-methods are not the best, the ones that are tried and tested are (think AES, RSA, and in this case BCrypt).

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
BTCurious
Hero Member
*****
Offline Offline

Activity: 714
Merit: 504


^SEM img of Si wafer edge, scanned 2012-3-12.


View Profile
June 02, 2012, 02:57:25 PM
 #12

For the record, did you suspend withdrawals or is it just the hot wallet that's empty? I did a withdrawal (legit, 2-factor'd) but it's not on the blockchain or in my history. It's deducted from my account though. I sent an email to support before I knew about the stolen password issue.

terrytibbs
Hero Member
*****
Offline Offline

Activity: 560
Merit: 501



View Profile
June 02, 2012, 02:58:15 PM
 #13

For the record, did you suspend withdrawals or is it just the hot wallet that's empty? I did a withdrawal (legit, 2-factor'd) but it's not on the blockchain or in my history. It's deducted from my account though. I sent an email to support before I knew about the stolen password issue.
It usually takes a while.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
June 02, 2012, 03:03:21 PM
 #14

Also regarding hashing and salting passwords, the only secure method is to use BCrypt with a sufficient number of rounds.

Yeah I am getting tired of this never ending stream of Bitcoin sites claiming they stored passwords properly yet users should change their passwords because their password db was stolen.

If you properly protect your password db and set realistic min password lengths then it shouldn't matter if you are compromised.  The salted passwords are worthless.
Endgameuser
Newbie
*
Offline Offline

Activity: 20
Merit: 0


View Profile
June 02, 2012, 03:08:33 PM
 #15

In the last 24 hours there have been two GLBSE accounts (that I know of) that have been cleared out.

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

I emailed the GPUMax website yesterday (the email in their whois records as there isn't anything on the site) to inform them of this.

Since I've not seen any notice regarding GPUMax I feel that it is my responsibility to bring this to public attention.

If you have a GPUMax account it is highly likely that its password has somehow been compromised.

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

Nefario.
How do you know it wasn't the GLBSE database that was compromised? Or some third party website? No offence Nefario but you're really jumping to conclusions here
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
June 02, 2012, 03:08:45 PM
 #16

You really think bcrypt makes a difference when users use the same password all over the place?
And no, bcrypt is not "the only secure method."  There is no secure method.  That kind of thinking leads to compromised applications and systems.

Of course it does.  If every site properly protected their password list it would have no value.
As far as bcrypt is not secure please explain to me how you would brute force an 8 digit bcrypt (work=12) password?

Pretty simple to keep passwords secure.
a) use bcrypt (period, unless you have a degree in cryptography any scheme you can "think" of likely has a couple dozen flaws which are already solved by bcrypt)*
b) require 8 digit password
c) check passwords against "common password list"
d) periodically update the worklevel of bcrypt to keep up with Moore's law


* alternatives to bcrypt are PBKDF2 (Password-Based Key Derivation Function) and scrypt.  Unless you have a pressing reason I would still recommend bcrypt.  scrypt is relatively untested and PBKDF2 uses at its heart SHA-2 which we all know is massively parallelizable.
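As an added example (not code from GLBSE, GPUMax, or any poster in this thread), here is the storage policy DeathAndTaxes lists above, points a) to d), together with Nefario's point in #11 about using a tried and tested library rather than hand-rolled hashing. It swaps in hashlib.scrypt from the Python standard library in place of bcrypt so it runs without third-party packages (scrypt is one of the alternatives the post itself names); the common-password list and the record format are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Policy work factor (log2 of scrypt's N). Raise it over time; records made
# under an older setting are rehashed on the next successful login (point d).
CURRENT_WORK = 14
MIN_LENGTH = 8                       # point b): minimum password length
# Constructed stand-in for a real common-password list (point c).
COMMON_PASSWORDS = {"password", "12345678", "qwertyui", "bitcoin1", "letmein1"}


def _derive(password: str, salt: bytes, work: int) -> bytes:
    # Standard-library scrypt used here instead of bcrypt: a vetted, slow,
    # memory-hard KDF rather than repeated fast hashes (point a).
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=1 << work, r=8, p=1, dklen=32)


def validate_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password passes policy."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if password.lower() in COMMON_PASSWORDS:
        return "in common password list"
    return None


def hash_password(password: str, work: int = CURRENT_WORK) -> str:
    """Produce 'scrypt$<work>$<salt>$<hash>' so the work factor and the
    per-user salt are stored with the record and can be checked later."""
    reason = validate_policy(password)
    if reason:
        raise ValueError(reason)
    salt = secrets.token_bytes(16)   # fresh random salt for every record
    digest = _derive(password, salt, work)
    return "scrypt$%d$%s$%s" % (work, base64.b64encode(salt).decode(),
                                base64.b64encode(digest).decode())


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a login; return (ok, new_record). new_record is a rehash under
    the current work factor when the stored record used a weaker one."""
    scheme, work_s, salt_b64, hash_b64 = record.split("$")
    if scheme != "scrypt":
        return False, None
    work = int(work_s)
    computed = _derive(password, base64.b64decode(salt_b64), work)
    ok = hmac.compare_digest(computed, base64.b64decode(hash_b64))
    if ok and work < CURRENT_WORK:
        return True, hash_password(password)   # upgrade to the current setting
    return ok, None
```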
rjk
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


1ngldh


View Profile
June 02, 2012, 03:44:37 PM
 #17

Question: when is someone going to invent a be-all, end-all service that is totally full of awesome and win, and then decide to force all users to use a proper 2-factor authentication system? It needs to happen, and the day it does happen is the day many people realize that it really isn't as hard as they thought, and increase their security awareness accordingly. People are stupid, so they need to be forced to make the right choices, and not conditioned to believe that what happens now is "good enough".

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Sukrim
Legendary
*
Offline Offline

Activity: 2618
Merit: 1006


View Profile
June 02, 2012, 04:42:37 PM
 #18

The killer service that everyone wants and that highly recommends/nearly requires 2 factor auth is for example World of Warcraft + Diablo III.

Even my web banking account doesn't force me to do 2 factor auth... People are just too lazy/stupid for that. Facebook, Google - you name it, they offer 2FA! I have yet to actually see anyone reaching for their mobile phone though when going on FB or gmail.

Back to topic:
What leads to GPUMax just from a handful of GLBSE accounts being emptied? What about other potential big account pools like deepbit?

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.
Daily Anarchist
Hero Member
*****
Offline Offline

Activity: 614
Merit: 500



View Profile WWW
June 02, 2012, 05:36:59 PM
 #19

I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.

Discover anarcho-capitalism today!
bitlane
Internet detective
Sr. Member
****
Offline Offline

Activity: 462
Merit: 250


I heart thebaron


View Profile
June 02, 2012, 05:44:44 PM
 #20

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

That is some fine deductive reasoning....completely obvious if you ask me, ALTHOUGH, before pointing your finger, couldn't you have put another 2 minutes of Detective work into formulating your conclusion for all of this ?

Perhaps in common, they also had BTC-E accounts ? BitcoinTalk.org accounts ? Common Email providers ? .....used a wallet address as a password ?


If you have a GPUMax account it is highly likely that its password has somehow been compromised.
Obviously....

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.
This smells too much like a weakness on YOUR end and an attempt to cover tracks by asking people to change passwords.


If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.
Over 3 ? .....as in, 4 accounts ?

This entire thread is horse shit.

Considering the growing pains that the GLBSE has gone through, you should be the last one to point fingers at anyone else.



PS. WTF does this have to do with 'Project Development' ?
