Author

Topic: Bitcointalk history of hacks and vandalism. (Read 1195 times)

brand new
Activity: 0
Merit: 0
April 20, 2020, 02:58:33 AM
#16
legendary
Activity: 1288
Merit: 1926
฿ear ride on the rainbow slide
Before reading your post I didn't know anything about how the 2015 hack occurred. It shows that the forum itself is very secure but if the service provider gets phished into resetting the root password that all gets bypassed. The problem with individual accounts getting hacked is that they are inactive accounts so they are unaware that they need to change their passwords. I would guess all the easy passwords were broken a long time ago and hackers are cracking some of the more difficult ones now.

The Pharmacist was spot on when he said:

I have a feeling--and I'm probably stating the obvious here--that a lot of hacked bitcointalk accounts have been sold outside of this forum, because I've seen numerous old-time accounts that suddenly woke up in October 2017, changed their writing style, and started posting in a typical bounty hunter fashion.  Shitposts in the Altcoin Discussion section, mostly.  I tagged a number of them one night after doing some "research" in that section.

Around 2017 the list from the 2015 hack appeared on the darknet. I think a lot of dormant legacy accounts were sold then.

An interesting article that is really attractive to read and know the history of this forum about. Many thanks for such an excursion into the history. I think this will be useful to all forum participants.

I knew the forum had been hacked a couple of times but didn't know the details. It was only when I made a general timeline of events in crypto history that I discovered that the hacks / vandalism were quite interesting. Doing this post made me realise there was a strong connection between Bitcointalk and Mark Karpeles which led me to the next project : Bitcointalk history of MtGox and how a Bitcointalk post caught the MtGox hacker.
jr. member
Activity: 672
Merit: 1
An interesting article that is really attractive to read and know the history of this forum about. Many thanks for such an excursion into the history. I think this will be useful to all forum participants.
hero member
Activity: 2576
Merit: 883
Freebitco.in Support https://bit.ly/2I9BVS2
A site run remotely from multiple locations is hard to secure. I'd say the site itself is reasonably secure. Individual accounts are a different story. I'm sure password1 and 1234 has been used on here.

Before reading your post I didn't know anything about how the 2015 hack occurred. It shows that the forum itself is very secure but if the service provider gets phished into resetting the root password that all gets bypassed. The problem with individual accounts getting hacked is that they are inactive accounts so they are unaware that they need to change their passwords. I would guess all the easy passwords were broken a long time ago and hackers are cracking some of the more difficult ones now.
legendary
Activity: 1288
Merit: 1926
฿ear ride on the rainbow slide
legendary
Activity: 1288
Merit: 1926
฿ear ride on the rainbow slide
I did not knew that this forum has faced 3 hacks in the past. This is really something to worry about as out information is also disclosed to the hackers. Was the forum able to catch any hacker in any of the cases above ?

Hackers are very hard to catch. I don't think any of the hackers have been caught for the forum hacks.

I have a feeling--and I'm probably stating the obvious here--that a lot of hacked bitcointalk accounts have been sold outside of this forum, because I've seen numerous old-time accounts that suddenly woke up in October 2017, changed their writing style, and started posting in a typical bounty hunter fashion.  Shitposts in the Altcoin Discussion section, mostly.  I tagged a number of them one night after doing some "research" in that section.

This is definitely a good write up, OP.  I don't know much about hacking so I won't criticize the security of the site--but it would appear to be pretty lax.  But I'm sure a lot of that has to do with people not having strong passwords and so forth.  

A site run remotely from multiple locations is hard to secure. I'd say the site itself is reasonably secure. Individual accounts are a different story. I'm sure password1 and 1234 has been used on here.

Why CosbyCoin is not on the coinmarketcap? I have heard of it for the first time but want it already!

The http://www.buttcoinfoundation.org/tag/cosbycoin/  might have more info about it. Smiley

https://bitcointalksearch.org/topic/m.558903 I think it briefly existed.

Is there any chance to hack bitcointalk forum again? But not type hack like above. What I mean is like some hacker will make an anonymous account which immediately has legendary rank or another else maybe? Or someone can manipulate merits system? If it comes to be true, I'm afraid they can't be detected. As we know too many accounts before merits system is implemented, only use their activity can rank up and earn free merit without getting sMerit. Though they earn sMerit the proof of merit summary will disappear after 120 days.

There is always a chance of a hack. But there are many eyes watching this forum. Lessons learned from previous hacks and Vod has an analytics site http://dev.martinlawrence.ca/bpip/ that logs and watches bitcointalk.org. A lot of info is archived as well. A new instant legendary account is unlikely because it will be accompanied with a no post history. Your posts, unless deleted stay forever.
member
Activity: 280
Merit: 60
Is there any chance to hack bitcointalk forum again? But not type hack like above. What I mean is like some hacker will make an anonymous account which immediately has legendary rank or another else maybe? Or someone can manipulate merits system? If it comes to be true, I'm afraid they can't be detected. As we know too many accounts before merits system is implemented, only use their activity can rank up and earn free merit without getting sMerit. Though they earn sMerit the proof of merit summary will disappear after 120 days.
legendary
Activity: 3556
Merit: 7011
Top Crypto Casino
I have a feeling--and I'm probably stating the obvious here--that a lot of hacked bitcointalk accounts have been sold outside of this forum, because I've seen numerous old-time accounts that suddenly woke up in October 2017, changed their writing style, and started posting in a typical bounty hunter fashion.  Shitposts in the Altcoin Discussion section, mostly.  I tagged a number of them one night after doing some "research" in that section.

This is definitely a good write up, OP.  I don't know much about hacking so I won't criticize the security of the site--but it would appear to be pretty lax.  But I'm sure a lot of that has to do with people not having strong passwords and so forth. 
full member
Activity: 1470
Merit: 108
I did not knew that this forum has faced 3 hacks in the past. This is really something to worry about as out information is also disclosed to the hackers. Was the forum able to catch any hacker in any of the cases above ?
legendary
Activity: 1288
Merit: 1926
฿ear ride on the rainbow slide
Possibly they are related you are right that the 2015 one was certainly for malicious gain and the other two were more of a joke. I think that's because the 2015 actually gained access to the database where the others were injecting code.

I was logged in when the 2013 one happened, just sat there thinking WTF is this? Then it just seemed quite funny. The 2015 one I wasn't using the forum at the time but it was the beginning of receiving phishing emails at the address exposed then.


That is so cool that you experienced that. Being part of historic events. I wish I had taken more notice of crypto in the earlier days. I didn't look at crypto till the start of 2016. Crypto is a wild ride.

Theymos sheds light on the second hack in his announcement in 2013. The second hack is definitely related to the first.

Quote from: theymos
I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to login as someone using only their password hash. No bruteforcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.
hero member
Activity: 2576
Merit: 883
Freebitco.in Support https://bit.ly/2I9BVS2
Possibly they are related you are right that the 2015 one was certainly for malicious gain and the other two were more of a joke. I think that's because the 2015 actually gained access to the database where the others were injecting code.

I was logged in when the 2013 one happened, just sat there thinking WTF is this? Then it just seemed quite funny. The 2015 one I wasn't using the forum at the time but it was the beginning of receiving phishing emails at the address exposed then.
legendary
Activity: 1288
Merit: 1926
฿ear ride on the rainbow slide
I was going over old posts and archived material for a history of bitcointalk post and thought the earlier hacks were amusing (Although I'm sure Theymos was not amused).

I'm sure the first two events were probably related and mischievous. The second hack was probably related to silk road - it could be purely co-incidental.. It appears that the last hack was more of a malicious hack based on greed. It suppose it is the risk of running a site with lots of IT savvy users. Someone will try to hack.


We were due for one in 2017. Maybe it just comes in threes.

Possibly they are related you are right that the 2015 one was certainly for malicious gain and the other two were more of a joke. I think that's because the 2015 actually gained access to the database where the others were injecting code.

Found some fascinating trivia.  After the 2011 hack Mark Karpeles was hosting the server !
hero member
Activity: 776
Merit: 557
I was going over old posts and archived material for a history of bitcointalk post and thought the earlier hacks were amusing (Although I'm sure Theymos was not amused).

I'm sure the first two events were probably related and mischievous. The second hack was probably related to silk road - it could be purely co-incidental.. It appears that the last hack was more of a malicious hack based on greed. It suppose it is the risk of running a site with lots of IT savvy users. Someone will try to hack.


We were due for one in 2017. Maybe it just comes in threes.

Possibly they are related you are right that the 2015 one was certainly for malicious gain and the other two were more of a joke. I think that's because the 2015 actually gained access to the database where the others were injecting code.
legendary
Activity: 1288
Merit: 1926
฿ear ride on the rainbow slide
Nice write up. Looks like we are overdue for another hack  Grin

I'm not sure the Silk Road and the other things were related but interesting to know that they were around similar time frames at least.



I was going over old posts and archived material for a history of bitcointalk post and thought the earlier hacks were amusing (Although I'm sure Theymos was not amused).

I'm sure the first two events were probably related and mischievous. The second hack was probably related to silk road - it could be purely co-incidental.. It appears that the last hack was more of a malicious hack based on greed. It suppose it is the risk of running a site with lots of IT savvy users. Someone will try to hack.


We were due for one in 2017. Maybe it just comes in threes.
hero member
Activity: 776
Merit: 557
Nice write up. Looks like we are overdue for another hack  Grin

I'm not sure the Silk Road and the other things were related but interesting to know that they were around similar time frames at least.

legendary
Activity: 1288
Merit: 1926
฿ear ride on the rainbow slide
Bitcointalk was hacked in [2011] , [2013] and [2015]

Previously the forum was hosted on sourceforge http://bitcoin.sourceforge.net/boards/index.php which is no longer reachable.
Founded by Satoshi Nakamoto. The domain name was owned by Sirius but is now controlled by Cøbra. The forum is administrated by theymos .
The forum was also reachable under forum.bitcoin.org for some time before it moved to bitcointalk.org IIRC.
The "name" of the forum is actually "Bitcoin Forum", not "Bitcointalk" (see upper left corner of this page).
Bitcointalk has cloudflare protection so finding out the current hosting provider is difficult.
https://bitcointalksearch.org/topic/m.34255007

September 09, 2011,  Bitcointalk.org Hacked by SomethingAwful.
Bitcointalk was hacked and defaced. "My browser's been Cosjacked!" Bill Cosby images were displayed.

Hahaha this is pretty funny. Nothing about Bitcoin is safe these days.

Holy shit Cosby is everywhere!
https://bitcointalksearch.org/topic/m.517910

EDIT: To disable the Cosby Hack use AdBlock and block "bitcointalk.org/Smileys/default/final.js"  -  Thanks ShadowOfHarbringer and TechCF <3
https://bitcointalksearch.org/topic/bitcointalkorg-hacked-by-somethingawful-pics-42549

On September 3, an attacker used a 0-day exploit in SMF to gain administrative access to the forum. This went unnoticed until September 9, when he inserted some annoying JavaScript into all pages. The forum was at this point shut down.

The attacker was capable of running arbitrary PHP code, and he could have therefore copied all password hashes and read all personal messages. He also could have done all of the things that admins can normally do, such as editing/deleting/moving posts.

Passwords

It is not known for sure that the attacker copied any password hashes, but it should be assumed that he did.

SMF hashes passwords with SHA-1 and salts the hash with your (lowercase) username. This is unfortunately not an incredibly secure way of hashing passwords.

The password you used on the forum should be assumed to already be compromised if your password had:
- Less than 16 characters, numbers only
- Less than 12 characters, lowercase only
- Less than 11 characters, lowercase+numeric
- Less than 10 characters, lowercase+uppercase
- Less than 9 characters, lowercase+uppercase+numbers
- Less than 8 characters, all standard characters

If you have only 2-3 more characters than what I listed above, then you should assume that your password will be compromised at some point in the future.

No matter how strong your password was, it is a good idea to change your password here and wherever else you used it.

Database state

Backups exist of the previous database state, but it has been decided to continue with the latest state to avoid losing thousands of posts. If you notice that any posts are missing or changed, let me know.

Also, it's possible that the attacker took control of some accounts. If you are being impersonated, email me and I'll reset your password to its previous value.

More attack info

The attacker first paid for a donator account so he could change his displayed username. The displayed username field is not escaped properly, so he was able to inject SQL from there. He took over Satoshi's account, and from Satoshi's administrative interface he was able to inject arbitrary PHP code by modifying the style template.

The attacker probably used these user accounts, though his level of access would allow him to forge this data:
brad
EconomicOracle
Economic Oracle
SwimsuitPaul
BitcoinsInMyLoins

He probably used these IP addresses:
74.242.208.159
74.242.205.69
152.14.219.223
152.14.247.62
74.242.205.161
74.242.206.245
74.242.208.159
74.242.235.132
98.69.157.69
98.69.160.187
41.125.48.26
150.206.212.72

(Thanks to Mark Karpeles for finding most of this info.)

Change of hosting

Mark Karpeles is now hosting the forum's server. The forum is still owned by Sirius, as it has always been. There will be no policy changes.

Signed version of this message

Two months later Bitcointalk was looking for tenders for new forum software.
November 02, 2011, Looking for someone to create/modify software for this forum and 5500+ BTC raised for the project.
https://bitcointalksearch.org/topic/looking-for-someone-to-createmodify-software-for-this-forum-5500-btc-50617


October 02, 2013. Ross Ulbricht arrested, FBI Seize Deep Web Marketplace Silk Road
https://bitcointalksearch.org/topic/2013-10-02-fbi-seize-deep-web-marketplace-silk-road-arrest-owner-306338
https://bitcointalksearch.org/topic/silk-road-trail-of-1132989btc-310600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Here's what we think happened:

8-14 hours ago, an attacker used a flaw in the forum's AnonymousSpeech registrar to change the forum's DNS to point to 108.162.197.161 (exact details unknown). Sirius noticed this 8 hours ago and immediately transferred bitcointalk.org to a different registrar. However, such changes take about 24 hours to propagate.

Because the HTTPS protocol is pretty terrible, this alone could have allowed the attacker to intercept and modify encrypted forum transmissions, allowing them to see passwords sent during login, authentication cookies, PMs, etc. Your password only could have been intercepted if you actually entered it while the forum was affected. I invalidated all security codes, so you're not at risk of having your account stolen if you logged in using the "remember me" feature without actually entering your password.

For the next ~20 hours, you should only log into the forum if you're quite sure that you're talking to the correct server. This can be done by adding '109.201.133.195 bitcointalk.org' to your hosts file (remember to remove it later!), or by using some browser plugin to ensure that you're talking to the server with TLS certificate SHA1 fingerprint of:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Simultaniously, the forum has been the target of a massive DDoS attack. These two events are probably related, though I'm not yet sure why an attacker would do both of these things at once.
-----BEGIN PGP SIGNATURE-----

A youtube video was made of the result of the hack:
https://www.youtube.com/watch?v=0FqIxh6Q-20





On October 3, it was discovered that an attacker inserted some JavaScript into forum pages. The forum was shut down soon afterward so that the issue could be investigated carefully. After investigation, I determined that the attacker most likely had the ability to execute arbitrary PHP code. Therefore, the attacker probably could have accessed personal messages, email addresses, and password hashes, though it is unknown whether he actually did so.

Passwords were hashed very strongly. Each password is hashed with 7500 rounds of sha256crypt and a 12-byte random salt (per password). Each password would need to be individually attacked in order to retrieve the password. However, even fairly strong passwords may be crackable after a long period of time, and weak passwords (especially ones composed of only a few dictionary words) may still be cracked quickly, so it is recommended that you change your password here and anywhere else you used the password.

The attacker may have modified posts, PMs, signatures, and registered Bitcoin addresses. It isn't practical for me to check all of these things for everyone, so you should double-check your own stuff and report any irregularities to me.

How the attack was done

I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to login as someone using only their password hash. No bruteforcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.

After I found the backdoors, I saw that someone (presumably the attacker) independently posted about his attack method with matching details. So it seems very likely that this was the attack method.

Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.

It was initially suspected by many that the attack was done by exploiting a flaw in SMF which allows you to upload any file to the user avatars directory, and then using a misconfiguration in nginx to execute this file as a PHP script. However, this attack method seems impossible if PHP's security.limit_extensions is set.

The future

The forum is now on a new server inside of a virtual machine with many extra security precautions which will hopefully provide some security in depth in case there are more exploits or backdoors. Also, I have disabled much SMF functionality to provide less attack surface. In particular, non-default themes are disabled for now.

I'd like to publish the forum's current code so that it can be carefully reviewed and the disabled features can be re-enabled. SMF 1.x's license prohibits publishing the code, though, so I will have to either upgrade to 2.x, get a special copyright exception from SMF, or do the auditing myself. During this investigation, a few security disadvantages to 2.x were brought to my attention, so I don't know whether I want to upgrade if I can help it. (1.x is still supported by SMF.)

Special thanks to these people for their assistance in dealing with this issue:
- warren
- Private Internet Access
- nerta
- Joshua Rogers
- chaoztc
- phantomcircuit
- jpcaissy
- bluepostit
- All others who helped

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

As of October 7 2013, the Bitcoin Forum has been restored to bitcointalk.org.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlJSRF8ACgkQxlVWk9q1keemWgD/WcvrsikPq6AHpEo20KGmQInp
FlyAWNbX74z65KJrsUEBAIcCzYnHZ7gAs49mlhSq1fR9o2LZCETV3BJveCTu7lAi
=b9Xb
-----END PGP SIGNATURE-----


November 06, 2014, Anyone else get an email trying to sell you bitcointalk.org and btc-e.com dumps?
I received this email yesterday:

Code:
From: [email protected]
Reply to: [email protected]

import database.sql c99 wso
Bitcointalk.org database.txt BTC-E Bitcoin dump.sql 64.9 MB Size WE SELL FULL DATABASE DUMP OF Bitcointalk.org + BTC-E.COM 2014  YES
SELL FULL DATABASE DUMP.SQL OF Bitcointalk.org + BTC-E.COM

HERE IS LIST OF WHAT WE HAVE FOR YOU.

Maybe You Ask For Why You Must Buy Dump.sql include Mails And Details Personale Users?
YOU ASK FOR WHAT?

1. Affiliate/invites
Casino/Poker/Forex Etc...

2. You Get Mails Very Big Size To Your Bussines Promotions RESULTABLE leads Target 100% Bitcoins Mails in Sql

3. You Be Make Nice Profit % Yes

you be earn multi profits
this very quality material for stable more biz to you


OVER 4+ GB OF DATA TOTAL: EMAILS, PASSWORDS, PINS, ETC FOR ALL USERS.
FULL .SQL FILE DUMP FORMAT
LEAKED BTC-E SOURCE CODE    
FULL DATABASE SQL DUMP

BitcoinPayment>Email Me->Give You TxT/SQL/Zip

if you interest buy

i calculate for you specific price
who interest make payment and buy for me I AM SURE 100%
THIS IN PRACTIC MY SKILL AND PROOFS IF YOU DREAM ABOUT THIS I OWNER THIS IN THIS MOMENT YES

OTHER BITCOIN EXCHANGE

BTC-E.COM
FULL DATABASE DUMP. EMAILS, PASSWORDS, USERS (850.000+) - 16-10-2014 *FRESH*
FULL .SQL FILE DUMP FORMAT

WE HACKED BTC-E; AND ASWELL WITH TRADINGS.


Bitcoin Address : 1shopAH6JmxABLCbbG4wNAUZVh3ZjtGfF

you interest?
Ok if you make payment i contact you and be help you
i sent back to you memo my jabber/icq details to chat individual to you if you be my client make copy sql to you

IF I SAY I MAKE
THIS MY PRINCIPIAL POSITION
I RUSSIAN
I POSITIVE IF YOU BE MY CLIENT

----------------------------------
" BTC-E.COM"
Prices (Bitcoin):

0.3 BTC - FULL USERDUMP ON BTC-E.COM (850.000+ USERLIST)
- Full dump on Emails, PINS, Usernames and best of all Passwords.

Price BTC - FULLY FUNCTIONALLY BTC-E.COM SOURCECODE + BTC-E DUMP (USERS,PASSWORDS,EMAILS,PINS)
----------------------------------
" BitcoinTalk.org "
Prices (Bitcoin):

0.15 BTC - FULL USERDUMP ON BitcoinTalk.org  (374602 Members+ USERLIST)
- Full dump.sql on Emails, Usernames and best of all Passwords.

Price BTC - BitcoinTalk.org  SOURCECODE
- If you want to buy full source code. Price is 0.15 BTC.

After You Make Payment, send us an e-mail or your Jabber to [email protected] with what you want and what file download locations and instructions.
When you make the payment, remember to send us an e-mail to [email protected]
with the amount sent and the wallet address in which you want to receive link to download dump.sql

After you Make Payment You Get My Help 100%
Save Details Transaction And Sent Me For This Specific Mail [email protected]

N1 Pay [Save Your Details Transaction] Example Test i want to buy full source code. Price is 0.15 BTC.
N2 Contact Me [email protected]

SQL INJECTION DUMP MEGAPACK
https://bitcointalksearch.org/topic/anyone-else-get-an-email-trying-to-sell-you-bitcointalkorg-and-btc-ecom-dumps-848462


December 03, 2014, Theymos receives first DPR subpoena regarding Ulbricht (Silk Road) and the heroin store topic.

This is not very surprising/interesting, but I thought I'd mention that I received a subpoena for information related to Ross Ulbricht's alleged forum account altoid. I mostly just compiled some publicly-available information. The only non-public data I had to include were some deleted posts in the heroin store topic that were not written by DPR and probably won't be useful in the case.

You might be surprised to learn that this is the first subpoena I've received for the forum.

In Silk Road's early days, Ulbricht had posted in a Bitcoin forum promoting the site under his real email, [email protected].

May 25, 2015, Bitcointalk server compromised.

On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings

As such, you should change your password here and anywhere else you used that same password. You should disable your secret question and assume that the attacker now knows your answer to your secret question. You should prepare to receive phishing emails at your forum email address.

While nothing can ever be ruled out in these sorts of situations, I do not believe that the attacker was able to collect any personal messages or other sensitive data beyond what I listed above.

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

I will now go into detail about how well you can expect your password to fare against a determined attacker. However, regardless of how strong your password is, the only prudent course of action is for you to immediately change your password here and everywhere else you used it or a similar password.

The following table shows how long it will take on average for a rather powerful attacker to recover RANDOM passwords using current technology, depending on the password's alphabet and length. If your password is not completely random (ie. generated with the help of dice or a computer random number generator), then you should assume that your password is already broken.

It is not especially helpful to turn words into leetspeak or put stuff between words. If you have a password like "w0rd71Voc4b", then you should count that as just 2 words to be safe. In reality, your extra stuff will slow an attacker down, but the effect is probably much less than you'd think. Again, the times listed in the table only apply if the words were chosen at random from a word list. If the words are significant in any way, and especially if they form a grammatical sentence or are a quote from a book/webpage/article/etc., then you should consider your password to be broken.

Code:
Estimated time (conservative) for an attacker to break randomly-constructed
bitcointalk.org passwords with current technology

s=second; m=minute; h=hour; d=day; y=year; ky=1000 years; My=1 million years

Password length  a-z  a-zA-Z  a-zA-Z0-9  
              8    0      3s        12s              2m
              9    0      2m        13m              3h
             10   8s      2h        13h             13d
             11   3m      5d        34d              1y
             12   1h    261d         3y            260y
             13   1d     37y       366y            22ky
             14  43d   1938y       22ky             1My
             15   1y   100ky        1My           160My
-------------------------------------------------------
         1 word  0
        2 words  0
        3 words  0
        4 words  3m
        5 words  19d
        6 words  405y
        7 words  3My

Each password has its own 12-byte random salt, so it isn't possible to attack more than one password with the same work. If it takes someone 5 days to recover your password, that time will all have to be spent on your password. Therefore, it's likely that only weak passwords will be recovered en masse -- more complicated passwords will be recovered only in targeted attacks against certain people.

If your account is compromised due to this, email [email protected] from the email that was previously associated with your account.

For security reasons, I deleted all drafts. If you need a deleted draft, contact me soon and I can probably give it to you.

A few people might have broken avatars now. Just upload your avatar again to fix it.

Unproxyban fee processing isn't working right now. If you want to register and you can't, get someone to post in Meta for you and you'll be whitelisted.

Searching is temporarily disabled, though it won't be disabled for as long as last time because I improved the reindexing code.

If you changed your password in the short time when the forum was online a little over a day ago, the change didn't stick. You'll have to change it again.

How the compromise happened:

The attacker was able to acquire KVM access credentials for the server. The investigation into how this was possible is still ongoing, so I don't know everything, and I don't yet want to publish everything that I do know, but it seems almost certain that it was a problem on the ISP's end.

After he got KVM access, the attacker convinced the ISP NFOrce that he was me (using his KVM access as part of his evidence) and said that he had locked himself out of the server. So NFOrce reset the server's root password for him, giving him complete access to the server and bypassing most of our carefully-designed security measures. I originally assumed that the attacker gained access entirely via social engineering, but later investigation showed that this was probably only part of the overall attack. As far as I know, NFOrce's overall security practices are no worse than average.

To reduce downtime and avoid temporarily-broken features, I was originally going to stay in NFOrce's data center. However, some things made me suspicious and I moved everything elsewhere. That's where the extra day+ of downtime came from after a short period of uptime. No additional data was leaked.

The forum will pay up to 15 XAU (converted to BTC) for information about the attacker's real-world identity. Exact payment amounts will depend on the quality and usefulness of information as well as what information I've already acquired, but if for example you're the first person to contact me and your info allows me to successfully prosecute this person, then you will get the full 15 XAU. You need to actually convince me that your info is accurate -- just sending me someone's name is useless.

The attacker used the following IPs/email:
37.48.77.227
66.172.27.160
[email protected]


A few days later Ross Ulbricht is sentenced to life in prison.
May 29, 2015, Silk Road Founder Ross Ulbricht Sentenced to Life in Prison
https://bitcointalksearch.org/topic/silk-road-founder-ross-ulbricht-sentenced-to-life-in-prison-1074337


The forum was also reachable under forum.bitcoin.org for some time before it moved to bitcointalk.org IIRC.
The "name" of the forum is actually "Bitcoin Forum", not "Bitcointalk" (see upper left corner of this page).

Also, it might be noteworthy that for some time, DDOSing this forum coincided with dumps on then dominant Bitcoin exchange MtGox. I.e., you could DDOS this forum, which in turn made the price of Bitcoin drop. Market manipulation wild Wild West Cool

Thank you to taikuri13 for finding additional information.
Jump to: