
Topic: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN (Read 2391 times)

newbie
Activity: 50
Merit: 0
December 25, 2013, 11:04:46 PM
#26
Glad that last time I used it I did a payout. Looks like he made off with 40 BTC looking at the address.
newbie
Activity: 8
Merit: 0
December 25, 2013, 09:49:09 PM
#25
I think all
newbie
Activity: 42
Merit: 0
December 25, 2013, 08:53:02 PM
#24
they take all or just few accounts?
hero member
Activity: 1008
Merit: 501
December 25, 2013, 08:38:26 PM
#23
I tried to log in to change my password, but it just sits and gives me the login page again, no errors or anything.  I don't see a password reset link either, so how the hell can I reset my password?   I had fortunately removed all funds from there except maybe 0.02 BTC, but I'd still like to grab that out if possible.

yeah I can't seem to log in to even change my password or see my account balance or anything? just keeps taking me to the statistics screen where all I can see is the pool statistics.....I didn't have maybe 1$ worth of bitcoins on there but still I want my shiiiiit
full member
Activity: 129
Merit: 100
December 25, 2013, 07:08:07 PM
#22
I tried to log in to change my password, but it just sits and gives me the login page again, no errors or anything.  I don't see a password reset link either, so how the hell can I reset my password?   I had fortunately removed all funds from there except maybe 0.02 BTC, but I'd still like to grab that out if possible.
hero member
Activity: 574
Merit: 500
December 25, 2013, 12:05:33 AM
#21
they stole around 40btc.

For those complaining about hashcows.  Nearmiss does a great job for the community by running this website. 

I work for a multibillion dollar payment card processor and I can tell you that no matter what you do a bad guy can always find a way into your system.

Do you think nearmiss has more funds available to provide better security than....
Heartland?
TJ Maxx?
Target?

All of these companies are billion dollar companies and couldn't keep the bad guys out.

Here's the deal.  Transfer your coins off whenever you can and don't worry about the 50cent fees.

I lost .244BTC today because I was too lazy to log in and move coins, I'm sad, and I'm pissed at the hacker who did it.

I will continue to use hashcows knowing fully that they could be hacked again, every exchange can be hacked, you keep money there it's your risk.

These aren't FDIC backed exchanges and they aren't all multimillion dollar operations.

Nearmiss could hire 15 security experts and I guarantee someone will still find a way in if they want to.

enjoy your coining folks and let's hope nearmiss and others who lost money/time get to enjoy their Christmas!
STT
legendary
Activity: 4060
Merit: 1448
December 24, 2013, 11:49:34 PM
#20
So they managed to steal 26k so far?
sr. member
Activity: 420
Merit: 263
let's make a deal.
December 24, 2013, 11:35:21 PM
#19
you're welcome anon
full member
Activity: 126
Merit: 100
December 24, 2013, 11:30:06 PM
#18
thank you 4chan
newbie
Activity: 5
Merit: 0
December 24, 2013, 10:27:53 PM
#17
I talked with them on IRC and it looks like it was an SQL injection attack. It's not 100% yet.

For those of you who don't know what that means, it means that no matter how strong your password or PIN was they had actual access to the database to retrieve/update the data bypassing the website.
full member
Activity: 224
Merit: 100
Shitcoin Maximalist
December 24, 2013, 03:26:29 PM
#16
Cross posting from Reddit..

I was in the IRC channel #hashcows on freenode as this played out. Note that I don't speak for Hashcows, just a user/chatter reporting what I know.

Seems like what happened is that someone used an attack (possibly SQL injection) to change a bunch of user payout addresses to https://blockchain.info/address/13R87ropkDKzDEuVeQoX64kkcLvPWVdTKH

As users subsequently hit their pre-set auto withdraw threshold, or logged in and blindly did a manual withdrawal for themselves, the coins were siphoned off to the thief's account.

This leads me to assume that no account details (usernames, passwords, PIN, entire database) were compromised.. it was a smart but simple attack, something of a smash and grab raid. They didn't need to deal with usernames, passwords and PINs (none of which would be stored in plain text anyway), this was much easier for them.

The first thing to do is check your balance. If it's not been affected you are ok now, as the payout system was disabled by admin as soon as this came to light, and will be until investigation is complete.

If you try to manually withdraw the website will report that the withdrawal has been initiated - but it hasn't.

For a period of time you may have been unable to change your payout address, as this was also locked by admin, however it's now been enabled again.
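Added example, not part of the thread and not Hashcows' code: a pre-payout check for the pattern described in the post above, where many accounts suddenly carry the same payout address. The table layout, column names, thresholds and sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample rows: (account_id, payout_address, address_changed_at).
# Addresses are placeholders, timestamps are Unix seconds.
SAMPLE_ACCOUNTS = [
    (1, "ADDR_A", 1_000_000),
    (2, "ADDR_SHARED", 1_900_000),
    (3, "ADDR_SHARED", 1_900_050),
    (4, "ADDR_SHARED", 1_900_060),
    (5, "ADDR_B", 1_950_000),  # unique address, but changed very recently
    (6, "ADDR_C", 1_200_000),
]

def build_db(rows):
    """Create an in-memory accounts table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, "
        "payout_address TEXT NOT NULL, address_changed_at INTEGER NOT NULL)"
    )
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", rows)
    return db

def payouts_to_hold(db, now, max_shared=2, cooloff_seconds=86_400):
    """Return {account_id: reason} for payouts to hold for manual review."""
    held = {}
    # Rule 1: the same destination is set on more than max_shared accounts.
    shared = db.execute(
        "SELECT id FROM accounts WHERE payout_address IN ("
        " SELECT payout_address FROM accounts"
        " GROUP BY payout_address HAVING COUNT(*) > ?)",
        (max_shared,),
    )
    for (account_id,) in shared:
        held[account_id] = "shared_address"
    # Rule 2: the address changed inside the cooling-off window.
    recent = db.execute(
        "SELECT id FROM accounts WHERE address_changed_at > ?",
        (now - cooloff_seconds,),
    )
    for (account_id,) in recent:
        held.setdefault(account_id, "recent_change")
    return held

if __name__ == "__main__":
    print(payouts_to_hold(build_db(SAMPLE_ACCOUNTS), now=2_000_000))
```

Rule 1 does not rely on the change timestamp, so it still fires when rows were modified directly in the database rather than through the site.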
hero member
Activity: 519
Merit: 500
December 24, 2013, 03:26:01 PM
#15
My wallet address was not changed, does this mean I was not affected?
sr. member
Activity: 420
Merit: 263
let's make a deal.
December 24, 2013, 03:23:57 PM
#14
Dunno why you guys are complaining about a 20 character limit. A nearby B&M regional financial institution (I don't dare say which) will only allow a password between 4 and 8 characters in length. Wish I were joking.
that's the point.  there should be no character limit.  

and like oldminer said, 2-factor authentication helps.  

it felt like the hashcows admin were fighting just to keep the site up and running, and left a backdoor open so someone could steal $20,000.  

Hashcows should be making money:  money enough to hire help with securing their money, and user money.  there is already a problem with trust and scams when it comes to sites like this.  it took them so long to build up a brand, trust and goodwill, and all that effort was wasted. 

otoh, mtgox seems to be surviving, although they lost their primacy in the exchange game a long time ago.

donator
Activity: 1218
Merit: 1015
December 24, 2013, 03:22:24 PM
#13
Dunno why you guys are complaining about a 20 character limit. A nearby B&M regional financial institution (I don't dare say which) will only allow a password between 4 and 8 characters in length. Wish I were joking.

This is why I never store large amounts of coin or $$ on websites without at least 2-factor authentication.
I don't think they really hold funds (in the traditional sense) outside unpaid funds from mining since the last payout cycle.
member
Activity: 98
Merit: 10
December 24, 2013, 03:22:17 PM
#12
My money was not stolen, but I will change my password anyway even though it is already extremely long.

If this happened to a whole bunch of people the hackers probably got a mysql dump and are brute forcing or using wordlist combos to crack as many passwords as they can.

so did they get passwords and log into accounts, or somehow get access to the db and change addresses directly there?
member
Activity: 112
Merit: 10
December 24, 2013, 03:21:46 PM
#11
This is why I never store large amounts of coin or $$ on websites without at least 2-factor authentication.
I don't store large amounts of coin anywhere online, I already get nervous when my coins are at an exchange just to exchange them ASAP and make a withdrawal, but maybe I am a bit paranoid.
legendary
Activity: 1022
Merit: 1001
December 24, 2013, 03:18:17 PM
#10
This is why I never store large amounts of coin or $$ on websites without at least 2-factor authentication.
sr. member
Activity: 420
Merit: 263
let's make a deal.
December 24, 2013, 03:07:56 PM
#9
well I just tried to put in a 30 character long password and it said max 20 , and my old pass was 20 lol

So well, not so well protected
lol

"error password too long"  

the individual words make up a sentence, but i don't understand what it could mean.  
member
Activity: 112
Merit: 10
December 24, 2013, 03:00:57 PM
#8
well I just tried to put in a 30 character long password and it said max 20 , and my old pass was 20 lol

So well, not so well protected
sr. member
Activity: 420
Merit: 263
let's make a deal.
December 24, 2013, 02:57:08 PM
#7
My money was not stolen, but I will change my password anyway even though it is already extremely long.
yeah i don't get it; i changed from 'password1' to 'password2' how did they get in?