Topic: BitFunder.com has been hacked and IT IS BitFunder's fault - page 3. (Read 30123 times)

hero member
Activity: 602
Merit: 500
These are serious flaws and need to be fixed on alllll sites
vip
Activity: 1316
Merit: 1043
👻
This is how BitFunder could have fixed it:

Code:

<?php
// Generate a per-session CSRF token once; $salt9 is a server-side secret defined elsewhere
if (!isset($_SESSION['csrf'])) {
    $_SESSION['csrf'] = hash("sha256", $salt9 . uniqid());
}

// Emit the transfer form carrying the token (form markup not preserved here)
echo "

";

...

Yes, BitFunder's site was, and is still, vulnerable.
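The token-based fix described in the post above, written out as a complete handler. This is an added example, not BitFunder's code and not the poster's: it assumes a form with fields named `to` and `amount`, and it uses random_bytes() for the token rather than the salt-plus-uniqid() hash shown above, since uniqid() is derived from the clock and is not a secure source of randomness.

```php
<?php
// Added example (not BitFunder's code): per-session CSRF token for a share
// transfer form. Field names "to" and "amount" are assumed for illustration.
session_start();

function csrf_token(): string {
    // Generate once per session. A page on another origin cannot read this
    // value, so a forged cross-site POST cannot include it.
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_valid(?string $submitted): bool {
    // Fail closed on a missing token; hash_equals() compares in constant time.
    if (!isset($_SESSION['csrf']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        // This is the branch an auto-submitting form on a third-party site hits.
        http_response_code(403);
        exit('Transfer rejected: missing or invalid CSRF token.');
    }
    // The 2-factor check and the actual share transfer would follow here.
    exit('Transfer accepted.');
}

// GET: render the transfer form with the token as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="">'
   . '<input type="hidden" name="csrf" value="' . $token . '">'
   . 'Recipient: <input name="to"> Shares: <input name="amount">'
   . '<button>Transfer</button></form>';
```

The token must be bound to the session (or the user) rather than being a fixed site-wide value; otherwise the attacking page could simply embed it.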
vip
Activity: 1316
Merit: 1043
👻
The problem was something like this on a random site you visited:

Code:

Bye bye assets.
donator
Activity: 1120
Merit: 1001
Records of [email protected]:
Quote
2013-06-19 01:42:16 Send Transfer To: htemp
TAT.ASICMINER: 10 Share/s
2013-06-19 01:42:02 Send Transfer To: htemp
AMC: 5,617 Share/s
2013-06-19 01:41:50 Send Transfer To: htemp
G.ASICMINER-PT: 8 Share/s
donator
Activity: 1120
Merit: 1001
A long-time Avalon miner and a very trustworthy Bitcoiner has emailed me the story. It is written in Chinese and I have translated it. I just post this letter here for discussion.


My username on BITFUNDER is [email protected], and the login password is different from my other account. On 20 June, I found that my 2,869 shares of G.SDICE and 9.99 BTC had disappeared. I checked the records and found that my Bitcoin had been used to purchase G.SDICE first, then all the G.SDICE shares were transferred to another account, “htemp”. I did not know before that shares on BITFUNDER could be transferred. I wrote an email to BITFUNDER support asking them to freeze the htemp account, and my request was ignored. Then I kept emailing the manager of BITFUNDER, stating that the share transfer function is very dangerous without 2-factor authentication, and asking them to pay back my loss. Surprisingly, the very next day I found that BITFUNDER had forced users to enable 2FA before transferring shares, and I received a letter saying that their exchange was not at fault and that it was my own fault for not enabling 2-factor authentication.

Another BITFUNDER user, Miss Wang Qiaoqiao, became a victim of the “htemp” theft at nearly the same time as me. Then I started to suspect that it was BITFUNDER that had been hacked, so that htemp could steal from two people at the same time.

That’s the summary. Here are the records of emails between BITFUNDER support and lixiulai @sina.com.

=============================

My Support Requests

--------------------------------------------------------------------------------
Creation Date Ticket ID Subject Status
2013-06-25 19:54:38 XSQ-194159 I want to know, who operate my account. Closed
2013-06-25 19:54:38 Posted By: Me

After my account was stolen, only this reminder. This transfer function is too dangerous; if I have not enabled 2-factor, this function should not be usable. I want to know who operated my account.
2013-06-25 19:58:26 Posted By: Me

Error: Attention: You do not currently have google 2-Factor enabled. If your account is hacked then we have little proof that it was not you that made the transfer. Having 2-Factor will help ensure the protection of your assets. To enable 2-Factor click on Settings.


Transfer Shares:

Error: Google 2-Factor MUST be enabled to transfer shares.
2013-06-25 20:02:50 Posted By: Me

Why was my account stolen? Your website only just became so.
 
2013-06-26 17:57:50 Posted By: Support Staff

Transfer has been limited to 2-factor only support.

Our server was not hacked. Someone used your account that was stolen from somewhere else.

Not our fault.

We are sorry that it happened. We offered protection option to users. You did not use it.

Thank You,
BitFunder Support
 
2013-06-25 05:32:48 TYL-678016 I hope you can give me some compensation. Closed
2013-06-25 05:32:48 Posted By: Me

My account's BTC was used to buy the stock, which was then transferred away. I did not know your website had this stock transfer function. The case of my password theft can also be presented to www.weexchange.co. I hope you can give me some compensation.
2013-06-25 16:49:49 Posted By: Support Staff

Attention: You do not currently have google 2-Factor enabled. If your account is hacked then we have little proof that it was not you that made the transfer. Having 2-Factor will help ensure the protection of your assets. To enable 2-Factor click on Settings.

You do not and have not had 2-factor enabled. We have no way to verify that you were actually hacked or are the hacker.

We cannot offer any sort of compensation for users who do not properly protect their accounts and passwords.
We have secured our site to the best of our ability, which was not hacked. Your account information was leaked or stolen and we provided the ability of protection beyond that with 2-factor and you chose not to enable it.

Thank You,