Topic: Got hacked (?), 7ish btc lost!? - page 2. (Read 4096 times)

legendary
Activity: 1148
Merit: 1048
January 26, 2014, 06:12:10 PM
#24
Also, do websites exist nowadays that don't record IP addresses of login attempts? Or times? Especially at a place where multiple password resets mean a required manual admin override to access (he had to email me a password to get back into my account). I mean, not a tech genius here, but there are websites with multiple user accounts that don't record IP information for that particular session? Isn't that basic information a site admin/webmaster should have access to?

Why can't I find a single password reset email?
legendary
Activity: 1148
Merit: 1048
January 26, 2014, 04:57:57 PM
#23

Got some of my trans log. Requested the login times and IPs for the time my account was compromised; they weren't available.


Hello Ljackson,

Unfortunately we don't log login activity (it is sort of pointless in many situations, especially with cookie stealing). We instead choose to monitor changes in account information, including trading, password reset, withdraw request, etc... Also, much of the log is hard to understand. You have to remember that we are a new system, and that we've been working on important features rather than making easily readable logs.

Here is the log for your account: (note: the bold activity is legit)
Buying [email protected] 59 GHs at 0.013
 Buy_Recur([email protected], 0.013, 59)
 Buy filled none for [email protected], save.
Crediting [email protected] with 59.00000000 GHs
Selling [email protected] 10.00000000 GHs at 0.034
 Subbing [email protected] for 10.00000000 GHs
 Sell_Recur([email protected], 0.034, 10.00000000)
 Sell filled none for [email protected], save.
 Selling [email protected] 10.00000000 GHs at 0.0335
 Subbing [email protected] for 10.00000000 GHs
 Sell_Recur([email protected], 0.0335, 10.00000000)
 Sell filled none for [email protected], save.
 Selling [email protected] 10.00000000 GHs at 0.033
 Subbing [email protected] for 10.00000000 GHs
 Sell_Recur([email protected], 0.033, 10.00000000)
 Sell filled none for [email protected], save.
 Selling [email protected] 25 GHs at 0.0327
 Subbing [email protected] for 25 GHs
 Sell_Recur([email protected], 0.0327, 25)
 Sell filled none for [email protected], save.
Buying [email protected] 10 GHs at 0.0145
 Buy_Recur([email protected], 0.0145, 10)
 Buy filled none for [email protected], save.
 Buying [email protected] 142 GHs at 0.0140000
 Buy_Recur([email protected], 0.0140000, 142)
 Buy filled none for [email protected], save.
Canceling 1753 for [email protected]
 Buy order canceled for [email protected], refunded 1.988.
 Buying [email protected] 133 GHs at 0.015
 Buy_Recur([email protected], 0.015, 133)
 Buy filled none for [email protected], save.
Canceling 1770 for [email protected]
 Buy order canceled for [email protected], refunded 1.995.
 Buying [email protected] 99 GHs at 0.0200001
 Buy_Recur([email protected], 0.0200001, 99)
 Buy filled none for [email protected], save.
Crediting [email protected] with 15 GHs (filled)
Crediting [email protected] with 25 GHs (filled)
Canceling 1752 for [email protected]
 Buy order canceled for [email protected], refunded 0.145.
Selling [email protected] 1.00000000 GHs at 0.0290000
 Subbing [email protected] for 1.00000000 GHs
 Sell_Recur([email protected], 0.0290000, 1.00000000)
 Crediting [email protected] with 1.00000000 GHs
 Sell filled complete for [email protected], finish.
 Canceling 1725 for [email protected]

 Crediting [email protected] with 10.00000000 GHs
 Sell order canceled for [email protected], refunded 10.00000000
Canceling 1724 for [email protected]

 Crediting [email protected] with 10.00000000 GHs
 Sell order canceled for [email protected], refunded 10.00000000
 Canceling 1705 for [email protected]
 Crediting [email protected] with 25.00000000 GHs
 Sell order canceled for [email protected], refunded 25.00000000
Canceling 1617 for [email protected]
 Crediting [email protected] with 20.00000000 GHs
 Sell order canceled for [email protected], refunded 20.00000000
 Canceling 1701 for [email protected]
 Crediting [email protected] with 10.00000000 GHs
 Sell order canceled for [email protected], refunded 10.00000000
 Canceling 1703 for [email protected]
 Crediting [email protected] with 10.00000000 GHs
 Sell order canceled for [email protected], refunded 10.00000000
 Canceling 1704 for [email protected]
 Crediting [email protected] with 10.00000000 GHs
 Sell order canceled for [email protected], refunded 10.00000000
 Canceling 1792 for [email protected]
 Buy order canceled for [email protected], refunded 1.1800059.
 Selling [email protected] 1.50000000 GHs at 0.0270001
 Subbing [email protected] for 1.50000000 GHs
 Sell_Recur([email protected], 0.0270001, 1.50000000)
 Sell filled complete for [email protected], finish.
 Selling [email protected] 177.07079376178 GHs at 0.0000003
 Subbing [email protected] for 177.07079376178 GHs
 Sell_Recur([email protected], 0.0000003, 177.07079376178)
 Sell filled incomplete for [email protected], recur.
 Sell_Recur([email protected], 0.0000003, 174.07079376178)
 Sell filled incomplete for [email protected], recur.
 Sell_Recur([email protected], 0.0000003, 154.07079376178)
 Sell filled incomplete for [email protected], recur.
 Sell_Recur([email protected], 0.0000003, 124.07079376178)
 Sell filled incomplete for [email protected], recur.
 Sell_Recur([email protected], 0.0000003, 117.07079376178)
 Sell filled incomplete for [email protected], recur.
 Sell_Recur([email protected], 0.0000003, 67.49811794178)
 Crediting [email protected] with 1.00000000 GHs
 Sell filled incomplete for [email protected], recur.
 Sell_Recur([email protected], 0.0000003, 66.49811794178)
 Sell filled incomplete for [email protected], recur.
 Sell_Recur([email protected], 0.0000003, 63.49811794178)
 Sell filled incomplete for [email protected], recur.
 Sell_Recur([email protected], 0.0000003, 62.49811794178)
 Sell filled complete for [email protected], finish.
 Buying [email protected] 52.08 GHs at 0.0500000
 Buying [email protected] 32.1974668 GHs at 0.0500000
 Buy_Recur([email protected], 0.0500000, 32.1974668)
 Crediting [email protected] with 1.02070624 GHs
 Buy filled incomplete for [email protected], recur.
 Buy_Recur([email protected], 0.0500000, 31.17676056)
 Crediting [email protected] with 1.00000000 GHs
 Buy filled incomplete for [email protected], recur.
 Buy_Recur([email protected], 0.0500000, 30.17676056)
 Crediting [email protected] with 19.00000000 GHs
 Buy filled incomplete for [email protected], recur.
 Buy_Recur([email protected], 0.0500000, 11.17676056)
 Crediting [email protected] with 11.17676056 GHs
 Buy filled complete for [email protected], finish.
 Selling [email protected] 999.99999999 GHs at 0.0000003
 Subbing [email protected] for 999.99999999 GHs
 [email protected] did not have 999.99999999 GHs to sub
 Selling [email protected] 32.1974668 GHs at 0.0000003
 Subbing [email protected] for 32.1974668 GHs
 Sell_Recur([email protected], 0.0000003, 32.1974668)
 Sell filled complete for [email protected], finish.



This indicates to me the person that compromised my account also has an account on the exchange, and had a buy/sell order filled. Knowing how an orderbook works (demonstrated by the havelock/cex incursions), the thief did not attempt to liquidate the assets and withdraw the money, instead engaging in a pattern of buying/selling/buying/selling that satisfied multiple orders over a period of time. This might also suggest multiple agents at work in cohesion (multiple account holders on the exchange).
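Added example, not code from the thread or from bit-mining.co: a small parser for the trade-log format quoted above that flags sells priced far below the account's usual order price (the pattern visible in the 0.0000003 sells) and reports how many of them actually executed. The sample lines and the account name "user@example" are constructed.

```python
import re
from statistics import median

# Constructed sample in the shape of the trade log quoted above; "user@example" is a placeholder.
SAMPLE_LOG = """\
Buying user@example 59 GHs at 0.013
 Buy filled none for user@example, save.
 Selling user@example 10.00000000 GHs at 0.034
 Sell filled none for user@example, save.
 Buying user@example 32.1974668 GHs at 0.0500000
 Buy filled complete for user@example, finish.
 Selling user@example 177.07079376178 GHs at 0.0000003
 Sell_Recur(user@example, 0.0000003, 177.07079376178)
 Sell filled incomplete for user@example, recur.
 Sell_Recur(user@example, 0.0000003, 62.49811794178)
 Sell filled complete for user@example, finish.
 Selling user@example 999.99999999 GHs at 0.0000003
 Subbing user@example for 999.99999999 GHs
 user@example did not have 999.99999999 GHs to sub
"""

ORDER_RE = re.compile(r"^\s*(Buying|Selling) (\S+) ([\d.]+) GHs at ([\d.]+)$")
FILL_RE = re.compile(r"^\s*(?:Buy|Sell) filled (none|incomplete|complete) for (\S+)")
FAIL_RE = re.compile(r"^\s*(\S+) did not have ([\d.]+) GHs to sub$")


def parse_orders(log_text):
    """Pair each Buying/Selling line with the fill outcome that follows it."""
    orders = []
    for line in log_text.splitlines():
        m = ORDER_RE.match(line)
        if m:
            side, user, qty, price = m.groups()
            orders.append({"side": side[:-3].lower(), "user": user,
                           "qty": float(qty), "price": float(price),
                           "status": "unfilled", "filled": False})
        elif orders and (m := FILL_RE.match(line)):
            # "none" means the order rested on the book; anything else moved GHs
            orders[-1]["status"] = m.group(1)
            orders[-1]["filled"] = orders[-1]["filled"] or m.group(1) != "none"
        elif orders and FAIL_RE.match(line):
            orders[-1]["status"] = "rejected"  # not enough GHs to place the sell
    return orders


def flag_dump_sells(orders, ratio=0.01):
    """Return (reference_price, sells priced below ratio * reference).

    The reference is the median limit price of every order in the log, so a few
    absurd sells cannot drag it down much; in production, baseline on the
    account's history before the incident instead.
    """
    if not orders:
        return 0.0, []
    ref = median(o["price"] for o in orders)
    return ref, [o for o in orders if o["side"] == "sell" and o["price"] < ref * ratio]


def summarize(log_text):
    """Counts a support team would want: dump sells placed, executed, rejected."""
    orders = parse_orders(log_text)
    ref, flagged = flag_dump_sells(orders)
    executed = [o for o in flagged if o["filled"]]
    return {"orders": len(orders), "reference_price": ref,
            "dump_sells": len(flagged), "dump_sells_executed": len(executed),
            "dump_sells_rejected": sum(o["status"] == "rejected" for o in flagged),
            "ghs_dumped": sum(o["qty"] for o in executed)}
```

On the constructed sample this reports two dump sells, one executed (177.07 GHs gone) and one rejected for insufficient balance.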
full member
Activity: 126
Merit: 100
CAUTION: Angry Man with Attitude.
January 26, 2014, 04:24:29 PM
#22
Have you guys noticed there is now a chain between BTC-E transactions and account issues and MtGox transactions and account issues?
legendary
Activity: 1148
Merit: 1048
January 26, 2014, 03:51:00 PM
#21
btce was the first account compromised for me chronologically, but out of the accounts compromised, it was the one I utilized the absolute least.

The only service I've signed up for in recent memory that shares this password is bit-mining.co. All the other accounts are very old/not used (with the exception of cex, heavily used).
sr. member
Activity: 278
Merit: 250
January 26, 2014, 03:21:50 PM
#20
I had a very similar experience with btc-e, I lost about 180 ltc, and 1.7 btc, they didn't get my other coins though.

My 2fa was not compromised yet they removed all my funds.

This was directly after I contacted btc-e support.

I believe to this day btc-e is not a trustworthy company.

legendary
Activity: 1148
Merit: 1048
January 26, 2014, 03:12:10 PM
#19
No other service I use has been compromised, including non-btc accounts. Only services with that common password.
full member
Activity: 126
Merit: 100
CAUTION: Angry Man with Attitude.
January 26, 2014, 03:02:41 PM
#18
90BTC stolen in the other thread, now another theft?

This is getting scary...
Damn right it is, I'm getting my wallet and storing it on a USB drive. These hackers will bring down bitcoin and then there won't be bitcoin. They are stupid fucks who have no brains.
legendary
Activity: 1148
Merit: 1048
January 26, 2014, 03:01:02 PM
#17
And yes, I should have used different passes. I used to utilize 2fa on both havelock and btce, so it was never an issue for me until I disabled it sometime later (stopped trading on those exchanges for a while).

This thief is a study in contrast: tech savvy enough to compromise 2fa gmail, intercept a password reset email, and delete it permanently,

while ignoring 4 other emails that show clear, unauthorized access to my accounts.

It seems obvious that the fact my cex.io balance wasn't withdrawn means my email wasn't compromised. Withdrawing from cex.io requires email confirmation. My username/password was compromised out in the wild.

legendary
Activity: 1137
Merit: 1035
Bitcoin accepted here
January 26, 2014, 02:52:16 PM
#16
90BTC stolen in the other thread, now another theft?

This is getting scary...
legendary
Activity: 1148
Merit: 1048
January 26, 2014, 02:44:09 PM
#15
Question to those of you who suspect my email was compromised...

Why would the thief delete a password reset email (supposedly to cover his tracks) and leave 3 trade notifications from havelock and a login successful email from btce?

So, this guy accesses my havelock account, sells my stuff and withdraws 1.07 btc (doesn't reset password) (account 6 months old),
goes to btce, nothing there, moves on (doesn't reset password) (account old as time, unused for months),
goes to cex.io, sells namecoins, doesn't withdraw anything though (no password reset) (account 6 months old),
and then goes to bit-mining.co, spends account balance buying assets, then sells assets off at absolute lowest price (password reset) (2 week old account).

from admin of bit mining:
As for access to the account, it appears as if it was done by resetting your password. There were multiple attempts made shortly before the trades were executed. Also, I would recommend changing your password on ALL other accounts, especially your email, bitcoin-related accounts, and any other accounts you recently accessed using the computer you last used to log onto bit-mining. Also, try to log off any other individuals accessing your gmail account (click details in the bottom right hand corner of any gmail page), because that is where the password reset emails went.

also from bitmining:

I'm not saying that necessarily gmail was the cause of your issue, but given what I know, it seems likely. The only other reasoning for why your account password could be reset so many times is if the hacker accessed your account, conducted the trades, then, unaware of how to change your password, simply reset it many times to the point where our system stops sending emails.

So, was my password reset, then gmail used to access my account? Or was my account accessed, then my password reset? Because the reset occurred supposedly before the theft. Which is odd: why reset a password you already had? To break into email to resteal it? Also, if you have stolen credentials, why reset them?

So.. no deletion of any other emails that showed the account intrusion.
The thief also didn't withdraw from the service that would need email verification to do so (cex.io).

Seems to indicate my email wasn't compromised.

I can't store ghs/stocks in an offline wallet, hence being on the exchanges I use.
hero member
Activity: 658
Merit: 500
Small Red and Bad
January 26, 2014, 10:45:20 AM
#14
The biggest mistake was having the same passwords. You also say one of them could be determined by public info. Did you log into Gox or any other sites that were not hacked lately? From the password guessing and the fact that the other passes were not found I would exclude a keylogger. Either someone hacked your pc, e.g. through the remote desktop feature, or tapped into your wireless if you have one. There is also a small chance they just obtained some info about you and decided to guess your password based on that.

Interesting how they could bring your balance to 0. A typical exchange doesn't allow you to place an ask order below the minimum bid - if you do that it will go for the minimal price anyway.
sr. member
Activity: 336
Merit: 250
January 26, 2014, 09:32:06 AM
#13
Not to make you paranoid. Just maybe something to think about.
Reading from what you've said about password resets, it could be fairly easy to do so via your email. Then, like stated already, someone could delete those files permanently from trash so it wouldn't show up there.
I still think it's somewhere in email compromise.
Either someone hacked into your pc and remotely guided it to your mail etc. (maybe with remember-mes, passwords embedded into your browser?)
(Or small chance, and I'm hoping for your sake it really wasn't that, someone could have personally been sitting behind your pc while you were away...)

Anyway.. sorry for your loss
hero member
Activity: 518
Merit: 500
January 26, 2014, 09:24:28 AM
#12
Never keep a significant amount of bitcoins online - that's what offline wallets were designed for.
legendary
Activity: 1512
Merit: 1011
January 26, 2014, 08:48:20 AM
#11
Quote
so, what the fuck happened?

Well, shit happens.

BTW, you must always transfer bitcoin to a local Bitcoin-QT software to secure your money.
A hacked platform is like "rain in California" ...
sr. member
Activity: 336
Merit: 250
January 26, 2014, 08:45:23 AM
#10
They can access your email through your PC when it is at idle OR use your computer as proxy to avoid gmail verification and shit.
full member
Activity: 126
Merit: 100
CAUTION: Angry Man with Attitude.
January 26, 2014, 08:37:18 AM
#9
There is no getting them back if the hacker used a proxy to hide their tracks.
legendary
Activity: 1148
Merit: 1048
January 26, 2014, 06:41:15 AM
#8
And I haven't accessed btce ever from a mobile device, and not within the last 6 months on a terminal. I never verified with them. Odd the first service to be compromised is the one I use the least.
legendary
Activity: 1148
Merit: 1048
January 26, 2014, 06:26:49 AM
#7
Email for reset could have been trashed then permanently deleted.
True, but wouldn't the remote login show up in the google details tab? It indicates I'm the only one who has accessed my gmail. If they had, wouldn't a unique, distant IP show up on this list?

Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    5:25 am (0 minutes ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    4:20 am (1 hour ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    3:37 am (1.5 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    2:49 am (2.5 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    2:06 am (3 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 25 (23 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 25 (1 day ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 25 (1 day ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 24 (2 days ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 24 (2 days ago)
legendary
Activity: 1148
Merit: 1048
January 26, 2014, 06:24:28 AM
#6
My gmail was never compromised. And the password reset of the bit-mining account occurred after they had gained access to the account.

I was told the IP address appears to be that of a mobile phone. I can't even open bitmining on my android device since the site changes.
trade log: (provided by admin)
Canceling 1617 for [email protected]
 Crediting [email protected] with 20.00000000 GHs
 Sell order canceled for [email protected], refunded 20.00000000
 Canceling 1701 for [email protected]
 Crediting [email protected] with 10.00000000 GHs
 Sell order canceled for [email protected], refunded 10.00000000
 Canceling 1703 for [email protected]
 Crediting [email protected] with 10.00000000 GHs
 Sell order canceled for [email protected], refunded 10.00000000
 Canceling 1704 for [email protected]
 Crediting [email protected] with 10.00000000 GHs
 Sell order canceled for [email protected], refunded 10.00000000
 Canceling 1792 for [email protected]
 Buy order canceled for [email protected], refunded 1.1800059.

Withdrawing 0 BTC for [email protected]
Can't withdraw 0 BTC for [email protected]

Withdrawing 0 BTC for [email protected]
Can't withdraw 0 BTC for [email protected]

Selling [email protected] 1.50000000 GHs at 0.0270001

Buying [email protected] 52.08 GHs at 0.0500000
[email protected] did not have 2.06 BTC to sell
Buying [email protected] 32.1974668 GHs at 0.0500000

Selling [email protected] 999.99999999 GHs at 0.0000003
[email protected] did not have 999.99999999 GHs to sell

 Selling [email protected] 32.1974668 GHs at 0.0000003


What motive would someone have to do this? And how did they get my password? I'm the only person with physical access to this comp. Pass was not bruted. 2fa on gmail, no suspicious logins according to google.

support at bitmining suggested this:

Hello Ljackson,

I am not aware how your email was accessed, and neither are you, so this is why I specifically recommend CHANGING it as soon and as fast as possible. Here are some ways in which hackers commonly bypass google auth:

(1) Cookie stealing: Once a device is logged in, no google auth is used, even if the device's location changes. If the google login cookie was stolen from your computer, it would look to google like your computer changed location, and thus not prompt for google auth.

(2) Device Passwords: Devices accessing your google account (such as phones, etc...) do not prompt for a google auth, but instead use a special device-unique login code. If that login code was stolen, then google wouldn't prompt for google auth.

(3) Trojans: If your account was logged onto gmail, and your computer had a trojan, the trojan can cause your own computer to execute commands on gmail in the background, without your being aware of it.

I'm not saying that necessarily gmail was the cause of your issue, but given what I know, it seems likely. The only other reasoning for why your account password could be reset so many times is if the hacker accessed your account, conducted the trades, then, unaware of how to change your password, simply reset it many times to the point where our system stops sending emails.


also

It looks to me increasingly unlikely that the original hacked account was Bit-Mining.

First: How would the username "mcnastyfilth" be obtained from your Bit-Mining account, so they would know to log into Cex with that username?

Second: The server time for the first trade on Bit-Mining was 2014-01-25 22:24:49. The server time for the BTC-E login was 26.01.14 06:25. Now, even taking into account the difference in server times (BTC-E and bit-mining don't operate in the same time zone), by subtracting off the current server time at each, the BTC-E login occurred prior to the compromising of your Bit-Mining account. The same goes for the cex.io login, as far as I can see.

Third: The user attempted to withdraw BTC from your bit-mining account by entering in the address 1BzbergrjuUShb927P3vUbtQZW1firSsjC at the amount prompt. This indicates that he wasn't familiar with the Bit-Mining system, and didn't know that you couldn't withdraw the BTC to a different BTC address.

If I were you, I would attempt to contact the BTC-E administrators (they seem to be the account that was accessed first). I will continue the investigation at Bit-Mining, however, just in case.

legendary
Activity: 1414
Merit: 2174
Degenerate bull hatter & Bitcoin monotheist
January 26, 2014, 06:18:49 AM
#5
Email for reset could have been trashed then permanently deleted.