Topic: BitMarket.Eu has closed down - page 39. (Read 204067 times)

Official announcement about October 9th issues

In recent days few of our accounts were compromised. After investigation, I would like to announce that:

- first of all, if you are reading this, and you didn't receive any strange emails lately then
there's no need to worry and your funds are safe.
- less than 20 accounts were affected by this hack, which is a fraction of our user base. By affected I mean accounts with stolen funds.
- majority of accounts were unaffected by this
- attacker used TOR anonymity network, which unfortunately prevents us from tracking him down
- attacker gained access to these accounts via their respective passwords. How he obtains these remain mystery to us, but we must note a few key things:
  - we store our passwords securely (to be exact: SHA-256 uniquely salted hashes of passwords)
  - most of affected users told us that they reused their passwords elsewere. Most notably, on Mt. Gox. We don't have proof that Mt. Gox was source of this leak (it could still be data from the last year's leak), but that's not impossible
  - there were two instances of users that had changed passwords and their account was breached again in very short amount of time. In one case, nothing was missing, hacker just placed one offer. In other, 3 BTC was gone. It's likely, that these passwords were somehow intercepted by hacker (keylogger/trojan/something else).
  - I spent considerable amount of time studying server logs (access logs, auth logs and others) and haven't detected any anomalies. I'm almost certain that our systems were not breached. I just can't think of an attack vector that would leak plain-text passwords from our site when we're hashing them all.

The site is now back up, but I've done three important things:
- I've reset ALL passwords. It's possible that I've interrupted the attacker and it has more passwords, and we don't want him to have them anymore
- I've implemented a security mechanism for confirming transactions. As a seller, you can't now just send BTC through the site, you have to first click on the link you receive via email. This way, it's impossible for anyone that gained access to your account to clear your Bitcoin in any way
- I've changed the withdrawal address procedure. It now always requires email confirmation, even when settings it for the first time.

So all in all, security of BitMarket was increased from this. As of now, even if someone broke into your account, knowing your Bitmarket password, as long as your email is secure, your Bitcoin is secure too.

The question about lost funds remains. I'm sad to report that 182 BTC from all affected accounts were lost in the process (could be more, but few hundred BTCs were blocked from withdrawing by anti-theft limit that I set up few days before). As much as I'd want to reimburse all people affected, I won't, for two reasons:
- BitMarket basically breaks even on donations it receives. I can't reimburse affected users with funds of others
- While I feel bad for people who are affected I don't think I'm responsible for (in most cases) them reusing passwords for Bitmarket and other sites.

If your funds can be recovered, I'll contact you as soon as possible. If you have any comments about above statement, feel free to contact me.

I recently sold some bitcoins and wanted to confirm them today. Please let us know what to do.

Our password hashes are salted with site-global AND per-user salt.

Are the passwords salted using random salts? If not, rainbow tables are available for common passwords using common hashes, and the hashed passwords may well have been leaked from bitmarket.eu itself or a from a backup or any offline copy. And even if salted, weak passwords may be found using a brute-force dictionary attack against the hashed passwords list, even if it takes more time.

It looks like at least one user whose account has been hacked was using a unique but weak password. That would match this scenario.

Can asics(when they are out) or fpga be used to crack these passwords?

No. Only a very small subset of user accounts were compromised (about 15 accounts).

PM'ed answers to this.

In short: NO i have not used same passwords in mtgox and bitmarket ever.

I just want to make sure I have the right end of the stick...

Has everybody who deposited bitcoins into bitmarket.eu have no longer got access to them? Have they been stolen?

You still didn't explain:
- did you use the same PASSWORD?
- when you changed the password on BitMarket and Mt. Gox, was it same one, or two different passwords?

You answers to these questions are critical for me, so please be honest on this. You can PM me this info if you don't want to share it publicly.

I used different login into mtgox, changed password on all my logins 4 days ago after 1st loss, so its not my case.

Atleast for me its not related to mtgox, have different password there.

Lost today 3.459 BTC, 4days ago 3.15548913 BTC, i hope that bitmarket will refund all involved.


If someone is not informed: https://bitcointalksearch.org/topic/bitmarketeu-115432

I have more confirmations from other affected users that they used same login details on Mt. Gox. I still don't want to jump in to conclusions, but it's smells fishy...

They don't store their passwords in clear text, MtGox had a leak a year ago and only MD5 hashes leaked. You can crack MD5 if the password is not very secure. I'm not sure if they're still using it though.

Sounds like Mt.Gox would save passwords as clear text, not hashes. Hopefully not, do somebody know?

Perhaps the hacker has the account name from Mt.Gox, the password from other sites.

In last few days some of BitMarket accounts were compromised. Because it's not just one case, I decided to disable the site until I'm certain how it happened.

From what I can tell now, accounts were accessed normally, using their respective logins and passwords. We store only hashes of our passwords in database, so it's impossible to get them from there.
Attacker used the TOR network, so tracking him by IP is useless.

Early reports suggest that this may be somehow connected with Mt. Gox. That's why I want everyone affected to confirm if they have indeed had Mt. Gox accounts with same usernames and passwords as on Bitmarket.

I'll update this post with more information as soon as I learn something.

Update: This doesn't affect most of you. Only a very limited amount (about 15) of accounts were compromised.

Hm... i thought about using bitmarket.eu but when i only can buy for prices that sellers ask then i go elsewhere. Only with ask-prices the real value of a currency cant be determined. Plus buyers cant make a good price at your platform even when the bitcoinprice is going down over the day at other platforms.

I liked the idea of not having to pay fees but its useless when i only have the chance to buy at the highest possible prices.

We have had server problems (server was restarted due to problem and mysql daemon didn't start automatically), which were unnoticed, because they started when I was asleep. All is fixed though!

Sorry to everyone for the inconvenience.


It was probably due to bitcoin client catching up with the network after the downtime. Also keep in mind that Bitcoin transfers usually take up to an hour to process, it's not only a Bitmarket thing.

Whew, up and running again. Glad to see my wallet is still alive and my offers are on schedule...

I wanted to post a complaint that my withdrawal wasn't working, but it just arrived.
Apparently it took them 50 minutes to do a Bitcoin transaction.

Looks like their server was down for some time and they had trouble bringing up all the services again?

Fortunately, I have retrieved all my 80 BTCs from my BitMarket.eu account to my private bitcoin address two days ago. Otherwise, I would have difficulties to sleep now...