Topic: 135 BTC Stolen from my Deepbit account!!!!!!!! - page 3. (Read 29037 times)

member
Activity: 98
Merit: 13
Also all of them used same password for workers and main account.

*facepalm*

And people wonder why I am implementing Digest auth for miners....

hero member
Activity: 742
Merit: 500
@MemoryDealers
Forgot to ask, are you (or were you at the time) using any pool monitoring software/apps/webapps on Android/iPhone or other devices/computers to watch your deepbit account?
Yes, I asked the victims about this too, but looks like it's not the case. Also all of them used same password for workers and main account. At least one said that he was using same password on his e-mail account and this e-mail account was hacked.
legendary
Activity: 1050
Merit: 1000
HTTPS would be nice, with mining software as well as the web interface over account forms, including log-ons.
I'd say it's a must for any serious org. dealing with personal data of their users over the web.

also it is a good practice to use secure connections while accessing mail and ftp servers too.
vip
Activity: 1052
Merit: 1105
@MemoryDealers

Forgot to ask, are you (or were you at the time) using any pool monitoring software/apps/webapps on Android/iPhone or other devices/computers to watch your deepbit account?

I was / still do check from my iphone safari browser as well.
sr. member
Activity: 406
Merit: 251
@MemoryDealers

Forgot to ask, are you (or were you at the time) using any pool monitoring software/apps/webapps on Android/iPhone or other devices/computers to watch your deepbit account?
member
Activity: 98
Merit: 10
I'm very sorry that I haven't implemented this feature earlier, so your stolen bitcoins will be reimbursed.
(Please note: I can't guarantee that I can do such reimbursement in the future).

Your money is safe and I'll give instructions on setting your address again. Please wait.

A total of ~150 BTC were stolen: 136 from this user and ~14 BTC from others.

big kudos to you for providing such a service
legendary
Activity: 1386
Merit: 1003
We are not talking about you, but about security practices and how dumb some people are revealing their personal data on public forums without even realizing it

But you are talking about me since I'm the dummy who revealed the personal data that my deepbit password is over 20 characters long.  Now, in a matter of months, if not sooner, any sufficiently crafty script kiddie could have access to my deepbit account.

Or you have a well protected 19 character password!   Grin

sr. member
Activity: 308
Merit: 250
I recommend Tycho accelerate the installation of an SSL certificate. They can be had for as low as $50 (perhaps cheaper if you shop around) at RapidSSL. Of course, if his server was hacked, this would not have helped. In fact, if his server were hacked, the email confirmation won't help either because they could access the database directly.  Let's hope that was not the case.

Kudos to Tycho for reacting in an honorable manner with regard to his customer's loss.  

http://www.startssl.com/

Before you ask, no it's not the same thing as CACert - StartSSL actually has root certificates in most major OSes and browsers (and for what mining pools need, that's plenty).
legendary
Activity: 2198
Merit: 1311
80 bits is considered safe. 20 characters of letters+numbers make it 20*6=120 bits, an overkill (even if the attacker knows how many bits there are exactly).
That's what I thought, but, hey, apparently I'm a dummy for revealing this personal data on a public forum.

I'm not talking about your math. The statement above is absurd to anyone working in IT security. What you don't seem to understand is that you revealed a piece of personal information. If I'm an adversary and put enough such pieces together I'll have your password.
This case is an exception and I'm glad op will get his money back, but this case is a very good example of extremely poor security practices.
Let's say bitcoin exploded in value - it's on major TV channels, shops are popping up everywhere accepting it and it adds several zeros to what the value is today. Do you still think op's employees would be so trustworthy then?
It's the same with you. If bitcoin suddenly increased in value, it may be worth spending years trying to figure out your password and by searching this forum and finding out it's >20 long, someone would have a good starting point. Then they can probably safely assume that it is not a random sequence because you would not be able to remember it. They would then go and read your other posts, to see how you think, what words you use and so on.
And the same goes for vuce's comment "80 bit is considered safe". Safe for what? Kids trying to access your folder at home? A script kiddie? A skilled programmer? A government agency?

Ok, look, I get it.  Any information can make it easier to get your password, even if by 'easier' it's still really, really hard.  Point taken.  The best practice is just not to reveal any relevant personal information at all.  Got it.
full member
Activity: 126
Merit: 100
80 bits is considered safe. 20 characters of letters+numbers make it 20*6=120 bits, an overkill (even if the attacker knows how many bits there are exactly).
That's what I thought, but, hey, apparently I'm a dummy for revealing this personal data on a public forum.

I'm not talking about your math. The statement above is absurd to anyone working in IT security. What you don't seem to understand is that you revealed a piece of personal information. If I'm an adversary and put enough such pieces together I'll have your password.
This case is an exception and I'm glad op will get his money back, but this case is a very good example of extremely poor security practices.
Let's say bitcoin exploded in value - it's on major TV channels, shops are popping up everywhere accepting it and it adds several zeros to what the value is today. Do you still think op's employees would be so trustworthy then?
It's the same with you. If bitcoin suddenly increased in value, it may be worth spending years trying to figure out your password and by searching this forum and finding out it's >20 long, someone would have a good starting point. Then they can probably safely assume that it is not a random sequence because you would not be able to remember it. They would then go and read your other posts, to see how you think, what words you use and so on.
And the same goes for vuce's comment "80 bit is considered safe". Safe for what? Kids trying to access your folder at home? A script kiddie? A skilled programmer? A government agency?
member
Activity: 77
Merit: 10
Did you contact Leaseweb?
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
I recommend Tycho accelerate the installation of an SSL certificate. They can be had for as low as $50 (perhaps cheaper if you shop around) at RapidSSL. Of course, if his server was hacked, this would not have helped. In fact, if his server were hacked, the email confirmation won't help either because they could access the database directly.  Let's hope that was not the case.

Kudos to Tycho for reacting in an honorable manner with regard to his customer's loss.  

It's not clear that it was hacked. It could have been some packet sniffing quite easily if people use the same password for the web account as for their miner(s) (do not do this), since that is getting sent in plain text by the miner every time it does a getwork (i.e. lots). Someone was talking about wrapping up the miners-to-pools comms inside https, ssl or similar, where did that project get to? (It could be useful for other reasons down the line if miners get targeted.)
hero member
Activity: 481
Merit: 500
I recommend Tycho accelerate the installation of an SSL certificate. They can be had for as low as $50 (perhaps cheaper if you shop around) at RapidSSL. Of course, if his server was hacked, this would not have helped. In fact, if his server were hacked, the email confirmation won't help either because they could access the database directly.  Let's hope that was not the case.

Kudos to Tycho for reacting in an honorable manner with regard to his customer's loss.  
legendary
Activity: 2198
Merit: 1311
Quote: 4.08162404503791e+125

Hint: scientific notation.

He's learning. Unfortunately, still wrong conclusions

Oh, come on, I wrote it out to make a point.  But, there, I fixed it for you.  What wrong conclusion am I coming to?  Help me not be such a dummy.  I'm sincerely asking you to help me understand what wrong conclusion I'm making.  I don't even mind if you continue to mock me.  Just help me out too.


To be clear, the personal info I revealed is that my password is more than 20 characters long.  I just don't see how telling the world that my password is more than 20 characters long compromises me that much.  You've still got to test a huge set of keyboard characters, including capitalization, for 20+ character passwords and for all anyone knows my password could be 40 characters long.  Just for reference, if my password is exactly 21 characters long, and if it uses upper and lower case alphabet characters plus numbers and common symbols, then there are 4.08162404503791e+125 possibilities.

No one is claiming that your 20 character password is easy to crack, for the time being. It has, however, been pointed out that since you revealed that it is 20 characters, it would be easier to crack than if you had said nothing about its length, since the cracker will not have to spend time checking passwords <20 characters. If this seems trivial, remember that passwords nowadays are the key to valuable information about us and that Moore's Observation (Law) means that the cost of technology needed to crack passwords is getting cheaper quickly. The time will come when there will be a low degree of difficulty to crack a 20 character pw--it might come sooner than you think.

Just to be clear, I did not reveal that my password is 20 characters.  I revealed that my password is more than 20 characters.

Edit: mewantsbitcoins, is it that the possibilities answer is wrong?  I took that value from a website that claims to calculate password possibilities, but my own calculation says it should be 3.40562E+41.  Basically, I entered the values backwards.  Is that it?
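A worked check of the arithmetic argued over in this exchange, added here as an example and not part of the thread: it reproduces both figures (95 printable characters to the 21st power versus the arguments swapped), the "20*6 = 120 bits" estimate, and how little entropy the hint "more than 20 characters" actually gives away. Alphabet sizes 62 and 95 are assumptions chosen to match the posts.

```python
import math

# Alphabet sizes assumed for this example: 62 = letters + digits (the
# "20*6 = 120 bits" estimate), 95 = printable ASCII (upper/lower case,
# digits and common symbols, as in the poster's 3.40562E+41 figure).
ALNUM = 62
PRINTABLE = 95


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of work to guess a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def candidates_up_to(alphabet_size: int, max_length: int) -> int:
    """All passwords of length 1..max_length inclusive."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def bits_saved_by_length_hint(alphabet_size: int, max_length: int,
                              known_min_length: int) -> float:
    """Entropy lost by announcing 'my password is longer than known_min_length',
    assuming the attacker already bounds the length at max_length.  The hint
    only lets them skip every candidate of length <= known_min_length."""
    total = candidates_up_to(alphabet_size, max_length)
    remaining = total - candidates_up_to(alphabet_size, known_min_length)
    return math.log2(total / remaining)


if __name__ == "__main__":
    # The poster's own corrected figure: 95 symbols, 21 characters.
    print(f"95^21 = {search_space(PRINTABLE, 21):.5e}")
    # The website's figure came from entering the values backwards: 21^95.
    print(f"21^95 = {search_space(21, PRINTABLE):.5e}")
    # vuce's estimate rounds log2(62) = 5.95 up to 6 bits per character.
    print(f"20 alphanumerics:   {entropy_bits(ALNUM, 20):.1f} bits")
    print(f"21 printable ASCII: {entropy_bits(PRINTABLE, 21):.1f} bits")
    # Revealing '>20 characters' prunes under 2% of a 21-character space.
    print(f"bits given away: {bits_saved_by_length_hint(PRINTABLE, 21, 20):.4f}")
```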
sr. member
Activity: 476
Merit: 250
Bitcoin addresses of all users were removed by me in order to implement new system for enhanced security.
Additional details will be available shortly.

I found that someone changed bitcoin addresses of some users. I'm not sure how the attacker got passwords, but now you'll have to use e-mail confirmation for changing your wallet address.
I'm very sorry that I haven't implemented this feature earlier, so your stolen bitcoins will be reimbursed.
(Please note: I can't guarantee that I can do such reimbursement in the future).

Your money is safe and I'll give instructions on setting your address again. Please wait.

A total of ~150 BTC were stolen: 136 from this user and ~14 BTC from others.
real class, way to go Tycho!
sr. member
Activity: 294
Merit: 273
You "trust" your employees? Hah.
Yeah, forming real human relationships and then relying on them is for suckers.  Next thing you know he'll be claiming to have "friends" or some other kind of nonsense too.  Wink

Major kudos to [Tycho] for his response to this incident.  Real trustworthiness is proven in a person's response to unplanned-for circumstances.
sr. member
Activity: 280
Merit: 252
Beware of other people using your accounts.

I agree, but they are both trusted long-term employees of 5+ years whom I trust.


I am guessing that deepbit may be susceptible to a brute force password hacking attack.
You seem to be able to try as many incorrect passwords on the site in a row as you want.
I hope they put a delay after 3 failed login attempts.

Does anyone have the contact info for the admin at deepbit?
I am hoping they have some kind of log for whoever logged into my account.

You "trust" your employees? Hah.
newbie
Activity: 9
Merit: 0

To be clear, the personal info I revealed is that my password is more than 20 characters long.  I just don't see how telling the world that my password is more than 20 characters long compromises me that much.  You've still got to test a huge set of keyboard characters, including capitalization, for 20+ character passwords and for all anyone knows my password could be 40 characters long.  Just for reference, if my password is exactly 21 characters long, and if it uses upper and lower case alphabet characters plus numbers and common symbols, then there are 408,162,404,503,791,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 possibilities.

No one is claiming that your 20 character password is easy to crack, for the time being. It has, however, been pointed out that since you revealed that it is 20 characters, it would be easier to crack than if you had said nothing about its length, since the cracker will not have to spend time checking passwords <20 characters. If this seems trivial, remember that passwords nowadays are the key to valuable information about us and that Moore's Observation (Law) means that the cost of technology needed to crack passwords is getting cheaper quickly. The time will come when there will be a low degree of difficulty to crack a 20 character pw--it might come sooner than you think.
newbie
Activity: 9
Merit: 0

I'm very sorry that I haven't implemented this feature earlier, so your stolen bitcoins will be reimbursed.
(Please note: I can't guarantee that I can do such reimbursement in the future).

Your money is safe and I'll give instructions on setting your address again. Please wait.

A total of ~150 BTC were stolen: 136 from this user and ~14 BTC from others.


If this is accurate, then major props for the reimbursement.
legendary
Activity: 1304
Merit: 1014
Last week was slush's pool that succumbed to an as yet unidentified failure ... and now deepbit gets hacked for a measly 150 BTC.
I'm not sure yet how the attacker got the passwords, but some of his data was not correct.
Maybe he sniffed the mining traffic and tried to log in with the same credentials, maybe he used some other kind of exploit.

I'll look into it after finishing with confirmation system.

Password cracking was used successfully a while back at mtgox until mtgox changed their login process.  Has this been ruled out?