Topic: Blockchain.info "Authorize log-in attempt" (Read 8332 times)

full member
Activity: 308
Merit: 102
April 27, 2013, 03:56:33 PM
#13
There have been horrible hacks recently on blockchain.info while 2FA and 2 passwords were on. Suspects are the Android app and a Java/XSS vulnerability, with more weight on the latter. Turn off Java in your browser pronto.

I have requested security feature increase in piuk's thread. Let's see what happens.

Doesn't have to be one or the other, it could be more than just one vulnerability that's been getting exploited.  At this point, there doesn't seem to be a single common factor shared by all the victims.

Yes, there is. Read piuk's last note. The common factor was a Java-enabled browser.
hero member
Activity: 854
Merit: 1000
Bitcoin: The People's Bailout
There have been horrible hacks recently on blockchain.info while 2FA and 2 passwords were on. Suspects are the Android app and a Java/XSS vulnerability, with more weight on the latter. Turn off Java in your browser pronto.

I have requested security feature increase in piuk's thread. Let's see what happens.

Doesn't have to be one or the other, it could be more than just one vulnerability that's been getting exploited.  At this point, there doesn't seem to be a single common factor shared by all the victims.
full member
Activity: 308
Merit: 102
There have been horrible hacks recently on blockchain.info while 2FA and 2 passwords were on. Suspects are the Android app and a Java/XSS vulnerability, with more weight on the latter. Turn off Java in your browser pronto.

I have requested security feature increase in piuk's thread. Let's see what happens.
hero member
Activity: 700
Merit: 500
Have been getting a LOT of these recently.

Starting to think a database leak may have occurred and is doing the rounds somewhere.
full member
Activity: 308
Merit: 102
... aaaaaaaand with that note, blockchain address lookup is down.  Grin
hero member
Activity: 952
Merit: 1009
It is fine and usual if you use the same username. It also tests your 2FA and gives you confidence Grin - now maybe I can go and type a few random forum user names and creep them out Wink j/k

Heh... Yeah. I do not have 2-factor on that wallet, though (it's just a "spending" wallet)... My question about 2-factor with blockchain: What happens if you lose your Yubikey and simultaneously blockchain.info disappears? They say somewhere in their FAQ that if you lose your Yubikey, you have to email them to get a "2 factor auth reset" or something, which sounds to me like you're dependent on either having your Yubikey, or Blockchain.info being alive and well. Personally, what I like about Blockchain is the convenience combined with NOT having to depend on them in any way. Seems like the 2-factor adds dependence. Is that correct?

You really should enable 2FA. People have been reporting blockchain-accounts without 2FA being compromised for weeks. 3 weeks ago someone was trying to get into mine all day every day for about a week.
legendary
Activity: 1722
Merit: 1004
It is fine and usual if you use the same username. It also tests your 2FA and gives you confidence Grin - now maybe I can go and type a few random forum user names and creep them out Wink j/k

Heh... Yeah. I do not have 2-factor on that wallet, though (it's just a "spending" wallet)... My question about 2-factor with blockchain: What happens if you lose your Yubikey and simultaneously blockchain.info disappears? They say somewhere in their FAQ that if you lose your Yubikey, you have to email them to get a "2 factor auth reset" or something, which sounds to me like you're dependent on either having your Yubikey, or Blockchain.info being alive and well. Personally, what I like about Blockchain is the convenience combined with NOT having to depend on them in any way. Seems like the 2-factor adds dependence. Is that correct?

The wallet can be recreated from the backups they send you without 2FA. The 2FA is only on their website and not on the private keys they send you for backups.


Gotchya, thanks.
legendary
Activity: 1372
Merit: 1003
It is fine and usual if you use the same username. It also tests your 2FA and gives you confidence Grin - now maybe I can go and type a few random forum user names and creep them out Wink j/k

Heh... Yeah. I do not have 2-factor on that wallet, though (it's just a "spending" wallet)... My question about 2-factor with blockchain: What happens if you lose your Yubikey and simultaneously blockchain.info disappears? They say somewhere in their FAQ that if you lose your Yubikey, you have to email them to get a "2 factor auth reset" or something, which sounds to me like you're dependent on either having your Yubikey, or Blockchain.info being alive and well. Personally, what I like about Blockchain is the convenience combined with NOT having to depend on them in any way. Seems like the 2-factor adds dependence. Is that correct?

The wallet can be recreated from the backups they send you without 2FA. The 2FA is only on their website and not on the private keys they send you for backups.
legendary
Activity: 1722
Merit: 1004
It is fine and usual if you use the same username. It also tests your 2FA and gives you confidence Grin - now maybe I can go and type a few random forum user names and creep them out Wink j/k

Heh... Yeah. I do not have 2-factor on that wallet, though (it's just a "spending" wallet)... My question about 2-factor with blockchain: What happens if you lose your Yubikey and simultaneously blockchain.info disappears? They say somewhere in their FAQ that if you lose your Yubikey, you have to email them to get a "2 factor auth reset" or something, which sounds to me like you're dependent on either having your Yubikey, or Blockchain.info being alive and well. Personally, what I like about Blockchain is the convenience combined with NOT having to depend on them in any way. Seems like the 2-factor adds dependence. Is that correct?
full member
Activity: 308
Merit: 102
It is fine and usual if you use the same username. It also tests your 2FA and gives you confidence Grin - now maybe I can go and type a few random forum user names and creep them out Wink j/k
newbie
Activity: 31
Merit: 0
I just got the same notifications
newbie
Activity: 17
Merit: 0
The identifier can also be your account name, so maybe you used a name like I do (casperorchids). It happened to me, but they couldn't get past the password.
legendary
Activity: 1722
Merit: 1004
I just received a number of emails saying that there was an attempt to log-in to my blockchain.info account (from IPs very far away from me). The email noted that someone may know my wallet identifier. No money has been moved, so I assume my PW is safe, but what are the possible ways someone other than myself can know my wallet identifier given that I've never posted it anywhere?