Bitcoin Forum
Author Topic: Bitcoinica MtGox account compromised  (Read 145753 times)
kiba (Legendary, Activity: 980)
July 24, 2012, 12:39:18 AM, #681

Quote
If you're a criminal organization, then yes, it would be advisable.

Nay, if you got any common sense, you talk to your lawyers, period.

ChrisKoss (Full Member, Activity: 169)
July 24, 2012, 12:41:19 AM, #682

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

Shocked

I am a consultant providing services to CoinLab, Inc.
repentance (Hero Member, Activity: 840)
July 24, 2012, 12:44:38 AM, #683

Quote
Was the 12 July master password change after the hack (hack was announced on 13 July)?

It's concerning that anyone would revert the password.

It should be. I can't answer with definite answers because I didn't change it.

It's concerning because an email account with admin rights of the entire Google Apps domain and also the domain name itself is stored in LastPass. The hacker can easily remove any critical email notifications by changing the settings of the mailing list info@bitcoinica.com.

Was the 12 July password change done by one of the principals after the hack or by the hacker?  (The 0.0.0.0 IP would make sense if the LastPass account owners got LastPass to revert a password which had been changed without authorisation).  

Honestly, at this point the only smart thing to assume is that the credentials for absolutely everything have been compromised and to lock everything down.

Was LastPass Premium being used, or the free version?

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
zhoutong (VIP, Hero Member, Activity: 490)
July 24, 2012, 12:59:37 AM, #684

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.

Quote
From my understanding, it doesn't matter if the hacker didn't log into a LastPass account. That's because API key is the same password for a MtGox account.

No. The Mt. Gox account is stored in the LastPass. It's a different password.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
repentance (Hero Member, Activity: 840)
July 24, 2012, 01:07:47 AM, #685

Quote
That's because API key is the same password for a MtGox account.

My understanding is that the API key was also the password to the LastPass account - which contained the password for the MtGox account, among other things.

It's possible sensitive information other than passwords was stored in the LastPass account, too.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
koin (Legendary, Activity: 874)
July 24, 2012, 01:14:48 AM, #686

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

you resigned from the company yet continue to access company accounts?
Bitcoin Oz (Hero Member, Activity: 700)
July 24, 2012, 01:16:36 AM, #687

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

you resigned from the company yet continue to access company accounts?

Lips sealed

repentance (Hero Member, Activity: 840)
July 24, 2012, 01:21:43 AM, #688

How many Bitcoiners are now trying to log into the LastPass account using the API key?

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
Bitcoin Oz (Hero Member, Activity: 700)
July 24, 2012, 01:22:10 AM, #689

Quote
How many Bitcoiners are now trying to log into the LastPass account using the API key?

All of them ?

stochastic (Hero Member, Activity: 532)
July 24, 2012, 01:28:37 AM, #690

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

you resigned from the company yet continue to access company accounts?

Lips sealed

A clue?

Introducing constraints to the economy only serves to limit what can be economical.
repentance (Hero Member, Activity: 840)
July 24, 2012, 01:35:45 AM, #691

I don't understand why the LastPass account wasn't nuked as soon as it became known it was compromised.  All of the passwords it contained should have been changed anyway and the new passwords stored somewhere totally unrelated to the LastPass account.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
zhoutong (VIP, Hero Member, Activity: 490)
July 24, 2012, 01:36:58 AM, #692

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

you resigned from the company yet continue to access company accounts?


The username and password are public knowledge. I tried it for fun. I didn't see any records.

EDIT: I resigned from the company and they still charge my credit cards. And they haven't deleted my email access (and I can't delete myself).  They haven't even responded to the resignation.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
Bitcoin Oz (Hero Member, Activity: 700)
July 24, 2012, 02:56:31 AM, #693

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

you resigned from the company yet continue to access company accounts?

The username and password are public knowledge. I tried it for fun. I didn't see any records.

EDIT: I resigned from the company and they still charge my credit cards. And they haven't deleted my email access (and I can't delete myself). They haven't even responded to the resignation.

What the actual fuck.

LoupGaroux (Sr. Member, Activity: 420)
July 24, 2012, 03:34:38 AM, #694

So Zhou, who had almost exonerated himself by showing lots of good faith information distribution to the victims of his incompetence and his partner's lies and obfuscation, admits that while he "doesn't work for them" and "hasn't had access since 2011" is still able to log into company accounts after two to four ownership changes?

Believe that?

And the entire brain trust behind the acquisition of Bitcoinica, in whatever uber venture capitalist/hostile takeover/white hat rescue ranger configuration they used pulled off stealing the company away from the minor that was running it on the basis of their vastly superior security protocols and ability to prevent the very technique used to allegedly steal from them 6 months after they announced their brilliant level of talent to change the entire Bitcoinica world.

Believe that?

And somehow there is a master hacker who can correctly guess an API key password to one single account within 5 tries, steals thousands of dollars in both bitcoin AND US dollars, that he is able to mask from the block chain, AND doesn't have the common sense to change the password or leave a back door so he can come back and clean out the rest of their account?

Believe that?

And that this wunder-kind hackzor, who can defeat lengthy random digit passwords, only chooses to violate one single account after successfully entering Mt. Gox? And doesn't touch a single dime other than the funds ear-marked for restitution to the folks fleeced by Zhou and his magic pyramid machine?

Believe that?

Why do we have cancer, hunger, losing football teams, sub-Saharan droughts and famine when there is pure genius like that on this planet? Seriously now, this amazing hacker would be able to solve pretty much any crisis or need just by blinking and twitching his nose they would have us believe.

Or we can call nonsense when we see it. You insult us by throwing out the same bullshit story. You stole the money.

stochastic (Hero Member, Activity: 532)
July 24, 2012, 03:38:13 AM, #695

Quote
So Zhou, who had almost exonerated himself [...] You stole the money. (LoupGaroux, #694, quoted in full above)

With you.

Why do many stores ask to see their customers receipts before leaving the store?  So they can check their employees things because businesses lose more money to employee theft than customers.

Introducing constraints to the economy only serves to limit what can be economical.
rjk (Sr. Member, Activity: 420)
July 24, 2012, 03:45:17 AM, #696

Quote
So Zhou, who had almost exonerated himself [...] You stole the money. (LoupGaroux, #694, quoted in full above)

I'm not going to agree or disagree, but I will note down a few facts that you might not have been aware of.

First, the API key WAS the password for LastPass, and apparently still is (!).
Second, the withdrawal was done through the web interface and not via the API, because the MtGox password was stored in LastPass, which had its password supposedly compromised.
Third, the supposed breach did not occur until after the source code of Bitcoinica V1 was released.
Fourth, the source code contained the API key (which was used as the LastPass master password as per point 1).

The conclusion being drawn is that the source release with the password caused the breach.
In my opinion, this is believable, although extremely stupid (redact the source release, derp) and irresponsible (releasing something whose ownership is still disputed? Mega derp.)

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
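rjk's fourth point (a credential shipped inside a source release) is the failure a pre-release secret scan is meant to catch. The scan below is an added defender-side example, not code from the forum, Bitcoinica or any of its operators: it flags assignments whose name suggests a credential and whose value looks like a key, then redacts them. The file names and key values are constructed.

```python
import math
import re
from collections import Counter

# Identifier prefixes that usually hold a credential; extend for the tree being released.
ASSIGN_RE = re.compile(
    r"(?i)(api[_-]?key|secret|passw(?:or)?d|token)\w*\s*(?:=>|[:=])\s*['\"]([^'\"]{12,})['\"]"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; a random key scores higher than a repetitive value."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_key(value: str, min_entropy: float = 3.0) -> bool:
    """Heuristic: no whitespace, mixes letters and digits, not repetitive.
    Entropy alone does not separate a key from a short English phrase, so
    all three conditions are required."""
    return (re.search(r"\s", value) is None
            and re.search(r"[A-Za-z]", value) is not None
            and re.search(r"\d", value) is not None
            and shannon_entropy(value) >= min_entropy)

def find_secrets(tree: dict) -> list:
    """Scan a {path: text} tree; one finding per credential-looking assignment."""
    findings = []
    for path, text in tree.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in ASSIGN_RE.finditer(line):
                if looks_like_key(m.group(2)):
                    findings.append({"file": path, "line": lineno,
                                     "name": m.group(1).lower(),
                                     "entropy": round(shannon_entropy(m.group(2)), 2)})
    return findings

def redact(text: str) -> str:
    """Replace flagged values with a placeholder before the tree is published."""
    def sub(m):
        if looks_like_key(m.group(2)):
            return m.group(0).replace(m.group(2), "<REDACTED>")
        return m.group(0)
    return ASSIGN_RE.sub(sub, text)

# Constructed sample tree; the key below is made up and is not a real credential.
SAMPLE_TREE = {
    "config/exchange.rb": ('MTGOX_API_KEY = "a7f3c9e1-4b2d-4f8e-9c6a-1e5d7b9f0c2a"\n'
                           'MTGOX_HOST = "mtgox.example"\n'),
    "app/models/user.rb": ('password_hint = "use the company vault"\n'
                           'session_token = "changeme2012abc"\n'),
}

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_TREE):
        print(f"{f['file']}:{f['line']}: {f['name']} (entropy {f['entropy']})")
    print(redact(SAMPLE_TREE["config/exchange.rb"]), end="")
```

The hint string is matched by the name pattern but rejected by the value heuristic, which is the kind of false positive a keyword-only scan would report.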
Clipse (Hero Member, Activity: 504)
July 24, 2012, 04:08:11 AM, #697

Here is my ultimate nail in this obvious scam.

Bitcoinica is now managed by Intersango guys but they somehow decide to move the refundable coins/USD over to their biggest competitor MTGOX.

Why didn't they move the funds over to their own exchange for safekeeping? Is this perhaps their way of distorting progress by getting another exchange involved in this mess? Hell only knows.

...In the land of the stale, the man with one share is king... >> Clipse

Bitcoin Oz (Hero Member, Activity: 700)
July 24, 2012, 04:15:29 AM, #698

Quote
Here is my ultimate nail in this obvious scam.

Bitcoinica is now managed by Intersango guys but they somehow decide to move the refundable coins/USD over to their biggest competitor MTGOX.

Why didn't they move the funds over to their own exchange for safekeeping? Is this perhaps their way of distorting progress by getting another exchange involved in this mess? Hell only knows.

They wouldn't want to tarnish the security record of Intersango of course by stealing from their own exchange. Smiley

RicePicker (Full Member, Activity: 215)
July 24, 2012, 04:17:15 AM, #699

Quote
So Zhou, who had almost exonerated himself [...] You stole the money. (LoupGaroux, #694, quoted in full above)

The problem with you stating that zhoutong stole the money is that he was the one proposing that the operators of Bitcoinica return the funds immediately after the hacking. Even if zhoutong stole the money, you have to blame whoever was in charge of the claim process for being so hesitant and delaying for so long. Just because everyone is frustrated about not receiving their funds because of Bitcoinica's bullshit owners and their lack of updates, stop blaming people that are actually communicating with us. The only people I am blaming for this hack are the hacker and everyone on the Intersango team for their incompetence, and the suspects for the stolen funds.

Everyone is entitled to their own opinion. It's just that yours is stupid! =D
kiba (Legendary, Activity: 980)
July 24, 2012, 04:19:49 AM, #700

Quote
They wouldn't want to tarnish the security record of Intersango of course by stealing from their own exchange. Smiley

Don't matter. Their reputation is ruined.
