I had an automatic payment of 25 bitcoins which went to a different address which is not mine.
..
Please advise!
.. We've immediately halted all payments while we investigate this matter to avoid additional losses. It could very well be that someone has gained unauthorized access to our systems.
I'm investigating the matter now, and will keep you posted as I learn more.
An update on the investigation: The traces left in our logs indicate that the transaction has almost certainly been initiated through the web interface (possibly scripted to guess the PIN numbers). A SQL-Injection is highly unlikely because it would have left a different pattern of traces. In addition, a code re-review did not reveal any open SQL-injection vectors.
The attacker probably did not have access to all accounts, otherwise he could have just as easily taken a lot more while he remained undetected.
In the mean time,
we advise everybody to make sure they are not reusing their passwords for other pools or services at ABCPool; please choose a new & difficult password if that's the case. It's easy to guess usernames based on the MtGox list and the forum accounts, and the Bitcoin community isn't that big.
We'll leave the payout disabled for at least another day until we can introduce additional measures to protect our miners from any unwanted withdrawals. For example, enabling you to permanently lock the payout address will surely help.
Now it's time for me to get some sleep!
. I believe either your account and my account hacked by the same person or ABC system compromised by hacker.
