
Topic: [FUD] What is with the hacked accounts epidemic?

legendary
Activity: 2968
Merit: 3061
I still stand by what I said and I am repeating myself.

Can anyone post some info on passwords leaked?
I am not denying it; I just did not recall it happening.
People ASSUME a lot..

I'm not sure if you're just trolling now, but there's plenty of info from several sources about what was leaked, and even from theymos himself:

https://bitcointalksearch.org/topic/hacked-bitcointalk-data-finally-surfaces-on-dark-net-1609231
https://www.reddit.com/r/Bitcoin/comments/51qxa0/400k_usernamepasswordemail_bitcointalkorg_being/
https://motherboard.vice.com/en_us/article/nz74az/bitcointalk-forum-hack-cracked-passwords-for-sale
https://mobile.twitter.com/bitcointalk/status/602017247788343296

legendary
Activity: 2352
Merit: 1268
In Memory of Zepher
Seems we disagree about what is more important, functionality or appearance.
In this case it is important to keep both in mind.

Having the forum check automatically would be a nice feature in my opinion.
And I agree with you. However, your implementation is flawed in my opinion.

If "idiots" don't understand the red link and are scared off by it, I'd say that's better than them being hacked.
Firstly, the idiots are not those who misunderstand what the forum shows. People believe that negative trust makes people a scammer, when this is not the case. However, assuming as such does not make them an idiot, simply misinformed. The idiots are those who do not take proper care to secure their accounts and therefore pay the price.

Secondly, I don't agree that it would be better. By potentially conditioning people to be scared of every link they press we are not helping the matter. Rather than checking the link themselves, they will automatically assume that every link is evil and they do not click on it.
So, with this, what happens when the same user realizes not every link is evil? Have they learned to check the link before clicking it, or have they been shown that every link is of the same standard (evil)? If the latter, why would this change when they believe that every link isn't evil?
By making every outgoing link look evil we aren't solving anything, rather putting off the issue until people have more to lose. By having a page that says 'This link is not an official Bitcointalk link. Be sure that you trust it before entering any personal information.', we are not conditioning people to be scared, rather to second check where they are putting their information into. However, this implementation brings its own issues which I mentioned earlier.

However, from an advertising driven business perspective I can understand the reason we don't have a "semi-scare mongering" protection in place.  It also sends you down the slippery slope of protecting users from scams, which has already been labeled an impossible task.
While this may be a concern during implementation, I personally couldn't care less about theymos' (or the site's) advertising revenue. I also fail to see how your second point is a negative.

That is why I think the only answer here is to educate users, but so often they are insulted and belittled instead.
And what will we be educating to them? That every link not on Bitcointalk is evil? I don't think that's a particularly good message.

Regarding the insulting, I am a firm believer that realizing your mistake is the best way to not do it again. While it may be kicking them when they're down and not the nicest thing to do, if you allow your account to be hacked you are an idiot and you should be told that. While I understand it is not your point, telling them that 'it could happen to anyone' or something similar doesn't help them realize their mistake. No one likes to be called an idiot, and it is likely that people would do what they can to avoid it. If they are an idiot for allowing their account to be compromised, then they will likely do what they can to not do that again.

It should also be kept in mind that these are all just my personal feelings though, so I may be incorrect. I'm not a psychologist.



...
It's getting late; I'll reply in the morning.
legendary
Activity: 1540
Merit: 1011
FUD Philanthropist™
I still stand by what I said and I am repeating myself.

Can anyone post some info on passwords leaked?
I am not denying it; I just did not recall it happening.
People ASSUME a lot..
If a hack happens, over time people will blur that into some grandiose thing, losing the details.

And yeah, I am familiar.. I am a well known cracker; I made my name for myself long before I came here, guys.
Did you keygen your own firewall and still use it today after 10 years?
It uses the same hashing algo that Bitcoin uses LOL (I also patched it, bypassing the SHA-based custom Caesar cipher protection too).

..yeah, I can code too.
--yeah, I can write PHP and have set up my own forums.

I am familiar with hackers..
If you all want, I can have some world famous ones come here and lecture YOU with an attitude easily.
As a matter of fact, I already have logged into my other account on the hacker site and posted a message over there saying "Spoetnik says Hi", then I screen capped it and posted it here.
I used to be a mod on the large / old site and the custom title I was given was "leet cracker".
I never asked for it either.. I got my reputation by kicking ass.
One of my old groups was on CNN and every news outlet on earth for "hacking".
My good buddy was arrested by the FBI.
So spare me the condescending bullshit, kids.

..missing is the point.
I am not talking about people jazzing up their posts with fancy fonts and colors.
I am saying it is odd that no one mentions what their password was.. or if it was hard/easy etc.
When you guys just finished saying it *DOES* matter.
So.. duh, smart asses,
if it DOES IN FACT matter then why is it never mentioned?

AND.. no one even bothers to ask these "victims" about it either..

YOU ALL ASSUME THEY ARE BEING TRUTHFUL ON EVERY POST!

You are all not getting what I am saying here.
And I have been here through I think 3 hacks and no, I never changed my password either.
And here I am..
And yeah, I have had to log in again, which is a red flag that I had an attempt.
That has happened to me all over the web and I get phishing emails. (crypto related)

Let me remind you there is one other reason for a guy to claim he was scammed.. even if he was a noob.
And that is?
Reputation.

How many have barely been here and WHAM, their account was hacked, and then surprise surprise, their account was used to support some fraud scheme etc.?

People, there is a loophole here used in a couple of ways by crying "my account was hacked".
And I think it is a thing where once a few started doing it, more joined in.
Of course there are legit reasons and incidents, but what I am talking about here, guys, is I think there is a new phenomenon playing out.

These guys here are predators and latch onto exploits, and they catch on like wildfire.
Any way for them to restore trust or make a dollar and they will dog-pile onto it.

So I am saying quit being so trusting / gullible and put these guys through the wringer.

I use Password Depot on Windows with its password creator.. it's an awesome pass maker!
It says how many millions of years it is estimated to take to crack the password too.



Ever heard of an old scientist who said the simplest explanation is usually the correct one?
Well, something stinks here.... as always.


EDIT:
I am not responsible for this post now though, guys.
You see, my account was hacked.. can I have my red trust removed?
Oh and yeah........................ I sold my account ROFL AHHAHAHHAHAH

Seriously, how fucking god damn gullible are you all?

And I think some of you replying here are GUILTY of it too.. so of course you are going to defend the cop-out.

So..
yeah, it DOES matter when I say I never saw 1 guy here ever say what his password was / is.
You just finished lipping me off saying it matters.. EXACTLY!
Get it yet?
Get why I would want that info in a complaint?
Get why I would find it odd no guy ever said, hey, I had a super mega hard password?

Sometimes what is missing is the most telling..
donator
Activity: 4760
Merit: 4323
I think the only way to combat this problem is to change the hover color of off-site links to red, warning users they're going off-site.  As opposed to the current green highlight when they stay on-site.  This would give unsuspecting users a fighting chance against the issue.
I disagree. If idiots don't check the URL then they won't check if the link colour is red. It would also be semi-scare mongering; not every link not on the domain bitcointalk.org is dangerous. Colouring them in red makes it seem as such.

The best way to go about it would be something similar to what hilariousandco suggested:
I've suggested theymos implement a redirect notice/landing page that tells you when you're going off site and to check the url carefully etc. Will stop a lot of these attacks.
but doing this would take away resources from a forum that has already had to have its functionality cut back to run properly.

Seems we disagree about what is more important, functionality or appearance.  Honestly, I agree that people should be aware of things like the URL they're clicking.  Having the forum check automatically would be a nice feature in my opinion.  If "idiots" don't understand the red link and are scared off by it, I'd say that's better than them being hacked.  However, from an advertising driven business perspective I can understand the reason we don't have a "semi-scare mongering" protection in place.  It also sends you down the slippery slope of protecting users from scams, which has already been labeled an impossible task.  That is why I think the only answer here is to educate users, but so often they are insulted and belittled instead.  
copper member
Activity: 2996
Merit: 2374
QuickSeller, that is bullshit and I don't buy it.
No claim was ever made by staff here that hashed passwords were stolen.
And even if they were, I highly doubt anyone is reversing them.
Well, I guess technically the claim was made by an admin, and the claim was more that they were leaked, not stolen, but I guess they would have to be first stolen to be leaked.



QuickSeller, that is bullshit and I don't buy it.
No claim was ever made by staff here that hashed passwords were stolen.
And even if they were, I highly doubt anyone is reversing them.

QS is right. The hashed passwords were leaked and they're still available for anyone who wants them. Spend time cracking them and you'll get into many of them with weak passwords.
It is possible that hackers are getting more advanced as to which accounts have had their passwords changed. For example, they could crawl through the security log and related archives and use automation to check which accounts have had their passwords changed since the hack, and only put effort into trying to crack accounts who do not show up on that list. Or they could check for probable alts, and see if all the passwords were similar and if so, they might try to hack related email addresses. Or they could search for likely fake email addresses (either on the domain side, or the account side) using some criteria to check for likely randomness, create an email address and hack accordingly.
legendary
Activity: 2352
Merit: 1268
In Memory of Zepher
I think the only way to combat this problem is to change the hover color of off-site links to red, warning users they're going off-site.  As opposed to the current green highlight when they stay on-site.  This would give unsuspecting users a fighting chance against the issue.
I disagree. If idiots don't check the URL then they won't check if the link colour is red. It would also be semi-scare mongering; not every link not on the domain bitcointalk.org is dangerous. Colouring them in red makes it seem as such.

The best way to go about it would be something similar to what hilariousandco suggested:
I've suggested theymos implement a redirect notice/landing page that tells you when you're going off site and to check the url carefully etc. Will stop a lot of these attacks.
but doing this would take away resources from a forum that has already had to have its functionality cut back to run properly.



QuickSeller, that is bullshit and I don't buy it.
No claim was ever made by staff here that hashed passwords were stolen.
cough.

And even if they were, I highly doubt anyone is reversing them.
Why? If people bruteforce Minecraft accounts, why wouldn't they with accounts that could make them hundreds to millions of dollars?

Not one guy showed up to say, hey, mine was like Fort Knox.
As a matter of fact I never saw one guy bring up the issue at all.
This guy was pretty adamant that it wasn't his fault, if he would fit into either of those.

They seem to all be noob accounts
Because they make new accounts, since their old ones have been hacked.

then they post almost using a formula or template.
Because there is a template to follow (sorta). There aren't many ways you can jazz up 'My account has been hacked, can I have my password reset'.

Unless the passwords are stored on theymos's servers in plain text, I call bullshit on most of you.
They were hashed using 7500 rounds of sha256crypt, but if the password is weak then this will be broken eventually.

Most are probably involved in chargeback type shenanigans.
I don't know about most, but some most certainly.

And yeah, my password is tough, I just said so..
Why should that matter if all these people are being hacked?
If they are being hacked then it wouldn't matter what the password is, then, right?
THAT was my point.
It makes a few million years of difference what the password is. Do you have any idea what you're talking about?

I have 0 worries.
No one is going to be hacking my account.
Good. I should hope not.

Oh and, and.. why doesn't the site block users if they are brute forcing passwords?
Does that happen here? If not, why?
Because they don't use the site. They get a 'random' string of characters and hash it with 7500 rounds until the hashes match.* If they do, then that string is most likely the password. You don't need to even be connected to the internet to do that.

*It's not quite that simple, but it's essentially how it works.

No site in this day & age should let users sit there and try and bruteforce the password.
theymos told people to change their passwords to something strong. There is nothing more that he can do without an upgrade to the forum software.
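The offline attack described in the post above (take a guess, hash it with the leaked salt and round count, compare against the leaked digest) as an added example; this is not code from the thread or from the forum software. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for sha256crypt, which is an assumption: the real scheme is built differently, but it has the same shape, a per-account salt plus an iteration count (7500 here, the figure quoted in the thread) that sets the cost of each guess. The usernames, passwords and the mini wordlist are constructed.

```python
"""Offline cracking of leaked salted, iterated password hashes (constructed example).

Stand-in assumption: PBKDF2-HMAC-SHA256 with 7500 iterations instead of the
forum's sha256crypt with 7500 rounds. Same shape, same lesson: the attacker
never talks to the site, so login rate limits and lockouts cannot see this.
"""
import hashlib
import hmac
import os
import time

ROUNDS = 7500  # iteration count taken from the thread; the scheme itself is a stand-in

# Constructed sample: three accounts, two of them with wordlist passwords.
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "Xk9#vR2$pLq7!mNw",   # not in any wordlist
}

# Constructed mini wordlist standing in for a real one (rockyou and the like).
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "bitcoin"]


def hash_password(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """What the server stores per account: the password and salt run through `rounds` iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_leak(users: dict) -> dict:
    """Build the 'leaked table' an attacker downloads: user -> (salt, digest)."""
    leak = {}
    for user, password in users.items():
        salt = os.urandom(16)            # per-account random salt
        leak[user] = (salt, hash_password(password, salt))
    return leak


def crack(leak: dict, wordlist, rounds: int = ROUNDS) -> dict:
    """Dictionary attack: for each account, hash every guess with that account's
    salt and compare. Each guess costs `rounds` iterations, which is the only
    thing slowing the attacker down; a strong password never appears in the
    list, so it is simply never recovered."""
    found = {}
    for user, (salt, digest) in leak.items():
        for guess in wordlist:
            if hmac.compare_digest(hash_password(guess, salt, rounds), digest):
                found[user] = guess
                break
    return found


def guesses_per_second(rounds: int = ROUNDS, trials: int = 20) -> float:
    """Rough single-core guess rate at this cost, to put 'millions of years' in scale."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(trials):
        hash_password("guess%d" % i, salt, rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return trials / elapsed


def demo() -> dict:
    """Run the attack on the constructed leak and return what was recovered."""
    return crack(make_leak(SAMPLE_USERS), WORDLIST)


if __name__ == "__main__":
    recovered = demo()
    for user in SAMPLE_USERS:
        print("%-6s %s" % (user, recovered.get(user, "<not in wordlist>")))
    print("~%.0f guesses/s on one core at %d rounds" % (guesses_per_second(), ROUNDS))
```

Two things to take from running it: the round count multiplies the attacker's cost per guess, but a password that sits in a wordlist falls after a handful of guesses no matter how many rounds there are, while the one that is not in the list is never touched; and nothing in this loop contacts the server, which is why a login lockout cannot help once the table has leaked. Real cracking rigs run sha256crypt on GPUs far faster than this Python loop. The only server-side move that invalidates the leaked digest is the one theymos asked for: a password change, which produces a new salt and digest the attacker does not have.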
global moderator
Activity: 4018
Merit: 2728
QuickSeller, that is bullshit and I don't buy it.
No claim was ever made by staff here that hashed passwords were stolen.
And even if they were, I highly doubt anyone is reversing them.

QS is right. The hashed passwords were leaked and they're still available for anyone who wants them. Spend time cracking them and you'll get into many of them with weak passwords.
legendary
Activity: 1540
Merit: 1011
FUD Philanthropist™
I don't think people are "hacking" these accounts.  I think they're being taken over using malicious MITM links, where users are clicking and then entering their username/password information on a fake site, essentially giving away their login.

I think the only way to combat this problem is to change the hover color of off-site links to red, warning users they're going off-site.  As opposed to the current green highlight when they stay on-site.  This would give unsuspecting users a fighting chance against the issue.

Plausible.. I've seen guys hacked at Cryptsy by visiting a malicious site years ago.
It stole their cookie session login etc.

QuickSeller, that is bullshit and I don't buy it.
No claim was ever made by staff here that hashed passwords were stolen.
And even if they were, I highly doubt anyone is reversing them.

I think the vast majority are bullshitting.

I said not one guy I've seen mentioned what his password was.
Yeah, that is a red flag.
Not one guy showed up to say, hey, mine was like Fort Knox.
As a matter of fact I never saw one guy bring up the issue at all.
They seem to all be noob accounts, then they post almost using a formula or template.

Unless the passwords are stored on theymos's servers in plain text, I call bullshit on most of you.
Most are probably involved in chargeback type shenanigans.

This reeks, and if you all don't believe me then look at how many are showing up and read them..
Notice any similarities?

And yeah, my password is tough, I just said so..
Why should that matter if all these people are being hacked?
If they are being hacked then it wouldn't matter what the password is, then, right?
THAT was my point.

I have 0 worries.
No one is going to be hacking my account.
I encourage users to try though LOL

Oh and let's not forget the context here..
This place is about nothing more than NOOBS showing up and launching scams or joining SIG campaigns or account farming or trading shitcoins for profits.
We are not dealing with reputable people  Cheesy
They are all shady sleazy losers trying anything they can to scam and collect BTC dust.

Yeah.. some.
I get it.
I am saying I bet MOST are full of shit.
Not all, but a huge amount of them doing this.

@The Pharmacist
Any day, year, decade now!
And I just get a feeling they are full of shit reading their posts.
I bet many buy an account and then have the original owner try and take it back after selling it.
See Muddafudda for an example.

Or theymos is not telling us about some magical new super hack that happened LOL  Roll Eyes

Oh and, and.. why doesn't the site block users if they are brute forcing passwords?
Does that happen here? If not, why?
No site in this day & age should let users sit there and try and bruteforce the password.
2FA would be nice too.. better get donating, guys Wink
legendary
Activity: 3528
Merit: 7005
I don't think this ancient forum software has any 2FA capabilities. Grin
Well we should be getting a new forum any year now, and I'm sure all those donations are being well spent on security features.   [ /s].

I don't buy 90% of shit newbies say anyway,  so spoetnik is probably correct that they're pulling off some kind of scam or they're buying accounts.  What else is new.
copper member
Activity: 2996
Merit: 2374
The passwords to everyone's account have been public in hashed format since 2015. It takes some amount of work to figure out what each account's password is, so it is possible that someone recently took the time to figure out what many passwords are to accounts whose passwords have not been changed since the hack.
Not sure how difficult it is for theymos to implement, but can't he just reset the passwords from users that didn't log in their accounts since last year for example?
Reset the passwords to what? Many accounts do not have valid email addresses associated with them, and those that do may have the same passwords associated with their accounts.
legendary
Activity: 1526
Merit: 1179
The passwords to everyone's account have been public in hashed format since 2015. It takes some amount of work to figure out what each account's password is, so it is possible that someone recently took the time to figure out what many passwords are to accounts whose passwords have not been changed since the hack.
Not sure how difficult it is for theymos to implement, but can't he just reset the passwords from users that didn't log in their accounts since last year for example?

It would directly lead to far lower numbers of accounts getting 'hacked' that way. I am actually surprised that something like that hasn't been done yet.

It's basically on a daily basis that I see accounts pop up with a massive gap in their post history joining, or trying to join signature campaigns. If nothing gets done, it will only get worse.
member
Activity: 91
Merit: 10
Hi I am back from a long period of away time :)
So what is with the hacked accounts epidemic?

Does anyone else find it fishy how sooooooo many NOOBS are showing up claiming they've been hacked?

I find it odd how I have not seen one of them mention what their password was or how strong it was, etc.
I highly suspect the majority of them are bought accounts doing a chargeback of sorts.
There are just way too many *NOOB* accounts popping up all mentioning how their account was "hacked"

..then sold  Roll Eyes

Doesn't seem my account was hacked. I didn't log in for a while. I dunno.

Though I am still a lowbie account, hehe. Wish I had logged in and posted for a while; I am missing out on sig campaigns.
newbie
Activity: 13
Merit: 0
I've suggested theymos implement a redirect notice/landing page that tells you when you're going off site and to check the url carefully etc. Will stop a lot of these attacks.

This is a great idea for lazy people in the forums. A prompt could appear like when you try to watch or unwatch a topic here. Something like: "Warning: you are leaving bitcointalk etc etc." would be nice.



Anyways, my account is still hacked. Waiting for theymos or Cyrus to reply on my messages in regards to that. I just hope the hacker wouldn't go out asking for loans or anything that might ruin the reputation of the said account.
global moderator
Activity: 4018
Merit: 2728
I don't think people are "hacking" these accounts.  I think they're being taken over using malicious MITM links, where users are clicking and then entering their username/password information on a fake site, essentially giving away their login.


Some of them are being hacked in this way but others are exactly how Quickseller described above. You can tell because they're all old accounts that haven't posted since 2015 or earlier.

I think the only way to combat this problem is to change the hover color of off-site links to red, warning users they're going off-site.  As opposed to the current green highlight when they stay on-site.  This would give unsuspecting users a fighting chance against the issue.

I've suggested theymos implement a redirect notice/landing page that tells you when you're going off site and to check the url carefully etc. Will stop a lot of these attacks.
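One way to implement the off-site landing page hilariousandco describes above (and the "check the URL carefully" advice that runs through the thread), as an added example that is not code from the thread or from the forum software. It assumes a hypothetical landing page at /leaving?url= and that the forum's own hosts are bitcointalk.org and www.bitcointalk.org; the post HTML it rewrites is constructed. The part worth getting right is the host comparison: a substring match on "bitcointalk.org" is fooled by look-alike hosts, so the check parses the URL and compares the exact hostname.

```python
"""Rewrite off-site links in post HTML to go via a warning page (constructed example).

Assumptions: the forum is served from FORUM_HOSTS, and a landing page exists at
WARN_PATH that displays the target URL and requires a click. That page must not
redirect automatically, or it becomes an open redirector that phishers can use
to make their link look like it belongs to the forum.
"""
import re
from urllib.parse import quote, urlsplit

FORUM_HOSTS = {"bitcointalk.org", "www.bitcointalk.org"}   # assumption
WARN_PATH = "/leaving?url="                                  # hypothetical page

_HREF = re.compile(r'href="([^"]*)"')


def is_offsite(href: str) -> bool:
    """True if following `href` leaves the forum.

    Parses the URL instead of substring-matching, so that
    'bitcointalk.org.evil.example' and 'bitcointalk.org@evil.example'
    are both treated as off-site, while 'evil.example@bitcointalk.org'
    is not (browsers send that one to bitcointalk.org)."""
    parts = urlsplit(href.strip())
    if parts.scheme and parts.scheme not in ("http", "https"):
        return True                      # javascript:, data:, mailto: are never 'on site'
    if not parts.netloc:
        return False                     # relative link, stays on the forum
    host = (parts.hostname or "").rstrip(".")   # lowercased, no port, no userinfo
    return host not in FORUM_HOSTS


def rewrite_link(href: str) -> str:
    """Send off-site targets through the landing page; leave on-site links alone."""
    if is_offsite(href):
        return WARN_PATH + quote(href, safe="")
    return href


def rewrite_post_html(html: str) -> str:
    """Apply rewrite_link to every href="..." in a rendered post body."""
    return _HREF.sub(lambda m: 'href="%s"' % rewrite_link(m.group(1)), html)


# Constructed post body: one internal link and one phishing-style look-alike host.
SAMPLE_POST = (
    '<a href="https://bitcointalk.org/index.php?topic=1609231.0">the leak thread</a> '
    '<a href="https://bitcointalk.org.evil.example/login.php">log in here to verify</a>'
)

if __name__ == "__main__":
    print(rewrite_post_html(SAMPLE_POST))
```

This answers the objection earlier in the thread that colouring every external link red teaches nothing: the interstitial shows the user the exact host they are about to visit at the moment it matters, which is the check the phishing links rely on people not doing. It does not protect anyone who types their password into a site they reached some other way, and it adds one extra click to every legitimate external link, which is the cost the thread weighs against it.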
donator
Activity: 4760
Merit: 4323
I don't think people are "hacking" these accounts.  I think they're being taken over using malicious MITM links, where users are clicking and then entering their username/password information on a fake site, essentially giving away their login.

I think the only way to combat this problem is to change the hover color of off-site links to red, warning users they're going off-site.  As opposed to the current green highlight when they stay on-site.  This would give unsuspecting users a fighting chance against the issue.
copper member
Activity: 2996
Merit: 2374
The passwords to everyone's account have been public in hashed format since 2015. It takes some amount of work to figure out what each account's password is, so it is possible that someone recently took the time to figure out what many passwords are to accounts whose passwords have not been changed since the hack.
legendary
Activity: 2968
Merit: 3061
I challenge you stupid fucking scammy ass lying pricks to hack mine.
See how far you get..
Guess what?
I have the same fucking password I had 2 forum hacks ago.
So if you dumb cunts can hack my account then do it.

You are lying little bullshitters.. the most obvious explanation is people are showing up and creating accounts, then selling them / buying them etc., then doing a chargeback and profiting from it.

Hack my account, assholes, I fucking dare you.
Or STFU with the stupid excuse.

And I swear honestly I never changed my password since I registered here in 2013.
But I do have the email account in my control.. so I can any time I want.
>>I'll be waiting for the big hack to come  Roll Eyes

Well, this isn't advisable (if true), but if you have a ridiculously strong password then you'll likely be safe. It's the ones with weak/bog-standard passwords that get bruteforced eventually, and as time goes on more people return to the forum and realise their password has been changed, so they enquire about getting it back, hence all the threads. Some people are just idiots and log onto phishing sites as well, etc.
legendary
Activity: 2604
Merit: 1036
I don't think this ancient forum software has any 2FA capabilities  Grin
newbie
Activity: 13
Merit: 0
Haven't changed mine since the last hack (2015) but it took two years for mine to get hacked, and the password I use is just an anagram of what my real name is (so yeah I fucked up on that part). Even my first alt account that I first used to send PMs to theymos and Cyrus is also hacked (?) since I can't open it today.

Should 2FA be enabled or nah? Or does SMF support 2FA services?
hero member
Activity: 994
Merit: 507
Nope..
I have seen that said a bunch of times as the main excuse and I ain't havin' it.

I was here then, guys, and during the other hacks like in 2013.
Passwords were advised to be changed as a precaution.. it's standard practice.

And there were never any reports over the years of a guy having his account hacked over the forum getting hacked.
Password won't matter?
Actually, yeah, it does.

I challenge you stupid fucking scammy ass lying pricks to hack mine.
See how far you get..
Guess what?
I have the same fucking password I had 2 forum hacks ago.
So if you dumb cunts can hack my account then do it.

You are lying little bullshitters.. the most obvious explanation is people are showing up and creating accounts, then selling them / buying them etc., then doing a chargeback and profiting from it.

Hack my account, assholes, I fucking dare you.
Or STFU with the stupid excuse.

And I swear honestly I never changed my password since I registered here in 2013.
But I do have the email account in my control.. so I can any time I want.
>>I'll be waiting for the big hack to come  Roll Eyes

Lol.

I didn't say passwords are not important, but rather that it's a natural reaction to focus more on the hacked-account issue than to debate how strong it was and how the hackers managed to hack it, which in this case has no relevance to recovering the said account. Normal people just use simple passwords that are alphanumeric and less than 15 characters, but yours seems monstrous, as you are implying.  Wink