I am at a loss.
I walk back to the chat window of bit-mining.co to notice an amazing market crash/rebound. Excited, I check my buy orders (placed at a premium spot). Refresh the page. 0 btc and zero ghs. Refresh the page again. I'm logged out of my account with a changed pass.
Odd.
After contacting the operator via pm and email, I'm informed that I've had an unusual number of password reset attempts, and I'd need a manual password reset, which was provided.
So I'm in my account, not liking what I see:
zero balances.
It seems someone compromised the account, then proceeded to purchase ghs at an unusually high price. Then, having purchased as much ghs as they could with my balance, proceeded to sell all the rest of the ghs back to the market, closing my 7 btc position at .00000956btc. They purchased ghs at .05 per (when the market rate is .015 all day, it crashed earlier) and attempted to sell 999.99999999 (I only had 250~, which filled orders down to .001).
You see, you can only withdraw to one single address, supplied at account creation. I thought this would be a foolproof security feature, I didn't expect my account to be griefed. What's odd is that, according to the operator, they attempted to put a btc address in the withdrawal field, as if they weren't familiar with the service. So I guess once they figured out they couldn't withdraw the btc (yet they were competent enough to utilize the orderbooks on havelock/cex), they decided to be a dick.
Don't know why they purchased, then sold. Seems a thief would just sell and go. Would have been thwarted by the security feature, but this speculative thief is interesting.
And that's not all.
They got into my havelock account, sold my 330 neobee shares, and withdrew that bitcoin to a green address.
They also logged into my btce, nothing there to take, they also got into my cex account. Sold my namecoins and I guess figured it wasn't worth it.
So, these three services all share the same pass and user name. I know, I'm dumb. Whatever. We are past that at this point, don't lecture me. What I can't figure out is how they got into my cex.io account (same pass, different username). Although I just realized that my username is in my ref link. That solves that.
They accessed btce around 9:25 est from IP: 50.136.152.85
Got into havelock:
2014-01-25 21:07:32 withdraw withdraw to: 1BzbergrjuUShb927P3vUbtQZW1firSsjC ฿1.07008294 ฿0.0010
And got into my bit-mining.co account, no time stamps because there is no trans history save an internal one support sent showing the odd account activity I had.
cex:
2014-01-26 02:26:56 0.00221686 BTC 0.00221686 BTC SELL Sold 0.3172 NMC at 0.00698785 BTC
details:
I haven't installed any software. This comp is old and only used for trading.
I have fully updated antivirus with automatic scanning.
I haven't opened any email attachments/emails period, nor opened any programs save chrome.
I rebooted the computer once yesterday (I reboot about once a week).
My gmail has 2fa, I have possession of the device (had disabled 2fa on btce and havelock, kicks own ass).
Didn't update any software, and the only pages I have visited today are this forum, havelock, cex.io, lmb-holdings and bitcoinmiami. Using chrome. Google details said I'm the only ip that has accessed my account.
bit-mining.co said:
Hello ljackson, we have identified the individual on the other side of the order at 0.027. We are trying to determine if it's related; if it isn't, we shouldn't be giving you their email.
As for access to the account, it appears as if it was done by resetting your password. There were multiple attempts made shortly before the trades were executed. Also, I would recommend changing your password on ALL other accounts, especially your email, bitcoin-related accounts, and any other accounts you recently accessed using the computer you last used to log onto bit-mining. Also, try to log off any other individuals accessing your gmail account (click details in the bottom right hand corner of any gmail page), because that is where the password reset emails went.
I never received any email for a password reset though. It's not in trash. Also, it doesn't seem that anyone but myself has logged into my gmail for some days. Only a single ip (mine) in the activity log. Again, I've done no unusual activities in the last few days, I've even done less browsing than average, had been parked at the bit-mining chatroom waiting for trading to be enabled, was locked for two days waiting for bitcoind to sync so I could withdraw.
So, what the fuck happened?