Topic: 100 BTC was stolen from my Primedice account. Please see thread. - page 2. (Read 15997 times)

legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
Stunna - word of advice - allow usernames and chatnames to be different. A lot of sites offer this so that no one knows what username is actually the account holders. Allow people to have different names between the two for an extra level of security.

KOS.

Will consider offering this for new accounts, ultimately if the user enables 2FA it should act as a pretty significant shield from unwanted access though.
hero member
Activity: 602
Merit: 500
Acc bought - used solely for signature testing
Stunna - word of advice - allow usernames and chatnames to be different. A lot of sites offer this so that no one knows what username is actually the account holders. Allow people to have different names between the two for an extra level of security.

KOS.
hero member
Activity: 672
Merit: 500
http://fuk.io - check it out!
damn 100BTC and such weak passwd..

u asked for it!

but sorry to hear!
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
I'd like to finally weigh in and end speculation that there was some sort of lack of security in our system and describe what I believe happened. When I first heard the news of this I knew 100% that diceminer was telling the truth, he was a frequent large bettor on the website and had no reason to lie about this happening and I spent a significant amount of time looking into this. I didn't really want to share this as some information was a bit sensitive but for the sake of transparency I'd like to fully detail what happened.

The situation as stated in the thread
On 2014-09-21 17:28:25 a 99.9999BTC cashout was sent from diceminer 2 to 47c18d5c3448a713608e78abb9569263ef4d780648ccd5dceff04c325d116691 (1PrZQH8L7aU9qyhbgLvm4zNjfoC1wGevAs) This cashout was sent from either the cashout modal or API.

What we knew at the time
Ultimately we didn't have any IP logging in place beyond account creation so I couldn't determine what IP hijacked the account, but we were able to determine that the cashout was sent from the cashout modal or API; there was nothing done server-side. I narrowed it down to either someone guessing/cracking his password or a script containing malware. However, diceminer says he was not running a script at the time so I narrowed it down to some sort of password attack. In terms of primedice password security, we go far beyond standard password hashing to secure accounts, PD couldn't figure out a user's password if we wanted to. It's also important to note that diceminer had completed several other 100 coin deposits and numerous cashouts prior without issue and since the incident there has been a significant increase in 100+ coin deposits/cashouts and no issues.

The Investigation
I was secretive about what had happened as I ended up setting up logs on diceminer's account to try and find out who was accessing it as this was a serious theft. I attempted to bait out the person by putting coins on the account and then blocking it from cashing out, only one person ended up cashing out the "trap" cashout and that was diceminer himself unfortunately. I reloaded the account but there were no recorded cashouts after that. I was hoping to have an ip to tie to the address the coins were sent to and place a bounty for more information or connections but this did not pan out, the thief didn't come back for seconds.


I scrambled for a period of time worrying that our security had somehow been compromised but all other funds remained secure and then I got this message:

Note: the password has since been changed and the account is now blocked from cashing out, I've also ensured that diceminer is not using this password for anything else and gained his permission to post this:

It pains me to reveal this, but I hope you don't cut your investigation short after I tell you the following. My login and pass were identical, as I had no intention of ever logging in from another computer.

user: DiceMiner2
pass: diceminer2


After I got this message I was pretty upset this wasn't revealed at the beginning but I understood diceminer's reason for withholding it and continued to investigate regardless.

After this information was provided to us, our team determined that the most likely outcome is someone literally just attempted to guess the password in a few attempts and got lucky or attempted to bruteforce the account after it was spotted on highroller for very basic passwords such as the username or password. I previously said there definitely wasn't a bruteforce but it was definitely possible; we do have an anti-login bruteforce though so unsuccessful logins are counted towards a limit, which makes this unlikely. There still isn't much we could do on top of our current system to prevent this other than banning users from setting insecure passwords such as their username; no other highrollers were affected fortunately, either due to stronger passwords or a lack of a password.

We value user privacy and try to log as minimally as possible which made it very hard to 100% determine what happened but I can conclude that there was no concerning fault in our system other than a lack of a 2FA option which has since been added. If the user ran a script though then there is no way for us to defend against that, I had some concern that this was the case here as this occurred a day or two after someone started spamming chat with the "PD Exploit" script and his video contained the greasemonkey add-on but I'll trust diceminer's word that no scripts were involved.

I'm sincerely sorry that diceminer lost his coins, I spent the past two weeks trying to log the IP of the person who did this in hopes that we'd have at least something minimal to go off of but was not successful in this attempt. It's extremely unfortunate for diceminer, I was really upset when I found out about this but I will say that I did not take this lightly and spent countless hours each week looking into possibilities and trying to catch the person involved. Ultimately we will do everything we can to provide the best possible security we can, but it is up to the users to set a secure password and enable the now possible 2FA. The simple fact is during this time frame we've had countless 100+ coin deposits and withdrawals that went through swiftly and without issue and I have no doubt that user balances are secure. If any deposits were ever robbed from a user due to a direct fault in our system I would immediately without question replace it with my own funds, I have no reason to believe this was the case here.

Conclusion
I conclude that the 100 coin loss was most likely a result of the weak password matching the username of the account, which allowed a thief to successfully commit a simple password guessing attack which could only have been prevented by us banning weak passwords, providing 2FA at the time or by the user setting a more secure password. It's important to note that we had sufficiently strong brute-force/guessing limits in place which is why I feel that this attack was not automated and was simply a random person manually plugging in a few password attempts on the account and getting lucky.

Many of diceminer's coins appear to have been sent here https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL . Anyone with any information regarding this should shoot me a PM as I'll continue to do what I can to help him recover his lost coins. I thank diceminer for his cooperation and understanding throughout all of this, I'll keep my eyes and ears open to see if anyone has any information.
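The post-mortem above names two controls: rejecting passwords that match the username (which would have blocked DiceMiner2/diceminer2 at signup) and counting failed logins per account towards a lockout limit. The block below is an added illustration of both, written for this thread; it is not Primedice's code, and the function names, thresholds and the small common-password list are assumptions made for the example.

```python
"""Added example: a signup password policy plus a per-account failed-login limiter.

Not Primedice's code. Thresholds, names and the COMMON_PASSWORDS list are
constructed for illustration; a real deployment would load a breached-password
list and tune the limits to its own traffic.
"""
from collections import defaultdict, deque

# Constructed sample of trivially guessable passwords (placeholder for a real list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "bitcoin"}


def password_policy_violations(username: str, password: str, min_length: int = 12) -> list:
    """Return the reasons a password should be rejected; an empty list means accepted.

    Comparison is case-insensitive, so a username of 'DiceMiner2' with a password
    of 'diceminer2' is caught as identical.
    """
    reasons = []
    u = username.strip().lower()
    p = password.lower()
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if p == u:
        reasons.append("identical to username")
    elif len(u) >= 3 and (u in p or p in u):
        # Short usernames are skipped here: 'al' would match almost anything.
        reasons.append("contains or is contained in username")
    if p in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    return reasons


class LoginLimiter:
    """Count failed logins per account in a sliding window and lock when the limit is hit.

    The clock is passed in explicitly so the behaviour can be tested deterministically.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures

    def _recent(self, account: str, now: float):
        """Drop failures older than the window and return the remaining queue."""
        q = self._failures[account.lower()]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def is_locked(self, account: str, now: float) -> bool:
        return len(self._recent(account, now)) >= self.max_failures

    def record_failure(self, account: str, now: float) -> int:
        """Record a failed attempt; return attempts left before lockout (0 once locked)."""
        q = self._recent(account, now)
        q.append(now)
        return max(0, self.max_failures - len(q))

    def record_success(self, account: str) -> None:
        """A successful login clears the counter for that account."""
        self._failures.pop(account.lower(), None)


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: the rejected pair and an accepted one.
    print(password_policy_violations("DiceMiner2", "diceminer2"))
    print(password_policy_violations("alice", "correct horse battery staple"))
    lim = LoginLimiter(max_failures=3, window_seconds=60)
    for t in (0, 1, 2):
        print("attempts left:", lim.record_failure("DiceMiner2", now=t))
    print("locked at t=10:", lim.is_locked("DiceMiner2", now=10))
```

The two controls cover different cases. The limiter only helps against repeated guessing; as the post notes, a single lucky guess never trips it, which is why the policy check at signup is the control that would actually have stopped this incident, with 2FA as the backstop for any password that still leaks.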


newbie
Activity: 14
Merit: 0
OP here-
I appreciate the support from people that feel my pain from this loss.
Stunna and I are still talking behind the scenes, but I am ready for him to post here.
member
Activity: 70
Merit: 10
★Bitin.io★ - Instant Exchange
An article of note that was published today.  Relevant since DiceMiner said he uses Mac.

http://finance.yahoo.com/news/hackers-found-flaw-macs-using-121808264.html

http://news.drweb.com/show/?i=5977&c=5&lng=en&p=0
if he uses Mac, then that's probably how the attacker got to his profile
and who deposits 100 bitcoins with a weak password?
full member
Activity: 210
Merit: 100
legendary
Activity: 4018
Merit: 1250
Owner at AltQuick.com
Some of the information in the post I've typed up is somewhat sensitive with regards to diceminer, I've messaged diceminer to let him know prior. Once he views my PM's I will post the story in full detail.

This should be interesting
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
Some of the information in the post I've typed up is somewhat sensitive with regards to diceminer, I've messaged diceminer to let him know prior. Once he views my PM's I will post the story in full detail.
legendary
Activity: 2016
Merit: 1115
I'm unfamiliar with how blockchain is exploitable. I was under the impression it was safe. Can you elaborate at all on what I need to be wary of?

I heard that they once turned off 2FA on a charity's account when a hacker asked them to. The hacker then was able to withdraw the balance.

I could probably find a report about it if you like. So could you.

Edit: http://www.fr33aid.com/1511/fr33-aid-bitcoins-stolen/

So really, it's about a company that had poor procedures regarding 2FA. It seems like the same risk as a financial institution that doesn't verify the identity of someone making a withdrawal request, except in that instance the bank is liable to cover the losses.
hero member
Activity: 924
Merit: 1000
Interesting information, what with Apple users saying that their computers are virus/malware free. With this discovery you have to be careful whatever OS you're using... Feel for you, 100 BTC is a lot to go missing.

All I can say is there is no issue with the security of primedice, I'm hoping OP will consider editing his post within the next few days with the full story of what happened. I'm not going to share what happened without permission but once he explains you will understand why I've chosen not to.

There are users who choose to store hundreds of coins on their account at one time and have had zero issues, if you have any fear just enable 2FA and as long as your PC is secure you should be good.


Hi, OP here.
Stunna has been incredibly helpful in the situation so far. The current theory is that a thief must have compromised my account by brute-forcing my weak password. Since there would be no way for anyone on the outside to know exactly when I had been online at PD (since I did not make any bets or make my presence known in the chatroom on the day of the theft), they must have been monitoring the blockchain for large deposits from my personal wallet to my PD address somehow. Possibly through the use of some script? I have no clue...

I have to hand it to the thief for having enough technical know-how and impeccable timing to pull off the withdrawal in the incredibly small (literally 2 minute) window between confirmation and my first attempted bet.

If anyone out there has seen this type of theft before, PLEASE LET US KNOW any details you have, as this is the first time I have seen anything like it.

Now that 2FA is available, hopefully this will be the last time.

Thanks,
DiceMiner


Got to hand it to you Diceminer, you have handled the situation with the utmost respect. With that type of money on the line, I think I would have been running around screaming. You obviously are a very level-headed individual. Sorry you lost so much coin, I hope that we all have learned a valuable lesson here. Always use 2FA and use very long, difficult passwords. Also, it may be wise to only put on the site what you are willing to lose; I guess you did this, because you are gambling, lol.

Kudos to you and Stunna..
legendary
Activity: 2940
Merit: 1333
I'm unfamiliar with how blockchain is exploitable. I was under the impression it was safe. Can you elaborate at all on what I need to be wary of?

I heard that they once turned off 2FA on a charity's account when a hacker asked them to. The hacker then was able to withdraw the balance.

I could probably find a report about it if you like. So could you.

Edit: http://www.fr33aid.com/1511/fr33-aid-bitcoins-stolen/
legendary
Activity: 2016
Merit: 1115
there are a lot of known exploits on blockchain, therefore I always make new addresses and have pretty strict measures on my accounts as I myself have been a victim of blockchain's exploits (15 BTC).

I'm unfamiliar with how blockchain is exploitable. I was under the impression it was safe. Can you elaborate at all on what I need to be wary of?
legendary
Activity: 2940
Merit: 1333
ah so it was short term. then this is an even stranger case. why would malware steal from casino not his wallet

I don't know how the theft happened, but if I had to guess I would say he used the same password on multiple sites. One of the sites was 'bad', logged his username and password, and tried it on a bunch of other sites to see if he used the same username/password combination anywhere else.

It's relatively hard to get people to install malware on their computer. But if they voluntarily sign up to your site using their usual username and password, you can then use that username and password on their behalf everywhere else.
hero member
Activity: 672
Merit: 500
http://fuk.io - check it out!
who keeps 100 BTC in casino account.......

He deposited 100 BTC with a view to making a few bets, maybe getting up to 120 BTC, and withdrawing.

He already said that he *doesn't* keep a balance in a casino account. He deposits, plays, and withdraws straight away.

Having said that, people do. One guy used to keep around 500 BTC in his Just-Dice account all the time. He never invested it - he just used the place like his web wallet. Probably not a good idea, but it worked out OK for him.

ah so it was short term. then this is an even stranger case. why would malware steal from casino not his wallet
legendary
Activity: 2940
Merit: 1333
who keeps 100 BTC in casino account.......

He deposited 100 BTC with a view to making a few bets, maybe getting up to 120 BTC, and withdrawing.

He already said that he *doesn't* keep a balance in a casino account. He deposits, plays, and withdraws straight away.

Having said that, people do. One guy used to keep around 500 BTC in his Just-Dice account all the time. He never invested it - he just used the place like his web wallet. Probably not a good idea, but it worked out OK for him.
hero member
Activity: 672
Merit: 500
http://fuk.io - check it out!
who keeps 100 BTC in casino account.......
legendary
Activity: 2940
Merit: 1333
Full story... When?

I'm not sure which timezone Stunna is in, but here's what he wrote:

I'll post the full story tomorrow.

Edit: that was about 29 hours ago, so it's possible "tomorrow" runs for another 19 hours.
hero member
Activity: 504
Merit: 500
sucker got hacked and screwed --Toad
This site is scum and they will say it's your own problem, just go fuck yourself.
Stunna fuckin scammer and this is not the first time.
Go away, die in a virtual hole, whatever.
hero member
Activity: 504
Merit: 500
sucker got hacked and screwed --Toad
Full story... When?