Topic: HASHCO.WS WEBSITE HACKED ALL MONEY STOLEN (Read 2368 times)
glad that last time i used it i did a payout. Looks like he made of with 40btc looking at the adres..
I think all
they take all or just few accounts?
I tried to log in to change my password, but it just sits and gives me the login page again, no errors or anything. I don't see a password reset link either, so how the hell can I reset my password? I had fortunately removed all funds from there except maybe 0.02 BTC, but I'd still like to grab that out if possible.
yeah I cant seem to login to even change my password or see my account balance or anything?
?? just keeps taking me to the statistics screen where all I can see is the pool statistics.....I didn't have maybe 1$ worth of bitcoins on there but still I want my shiiiiit
I tried to log in to change my password, but it just sits and gives me the login page again, no errors or anything. I don't see a password reset link either, so how the hell can I reset my password? I had fortunately removed all funds from there except maybe 0.02 BTC, but I'd still like to grab that out if possible.
they stole around 40btc.
For those complaining about hashcows. Nearmiss does a great job for the community by running this website.
I work for a multibillion dollar payment card processor and I can tell you that no matter what you do a bad guy can always find a way into your system.
Do you think nearmiss has more funds available to provide better security than....
heartland?
Tjmaxx?
Target?
All of these companies are billion dollar companies and couldnt keep the bad guys out.
Here's the deal. Transfer your coins off whenever you can and don't worry about the 50cent fees.
I lost .244BTC today because I was to lazy to login and move coins, I'm sad, and I'm pissed at the hacker who did it.
I will continue to use hashcows knowing fully that they could be hacked again, every exchange can be hacked, you keep money there it's your risk.
These aren't FDIC backed exchanges and they aren't all multimillion dollar operations.
Nearmiss could hire 15 security experts and I guarentee someone will still find a way in if they want to.
enjoy your coining folks and lets hope nearmiss and others who lost money/time get to enjoy their Christmas!
For those complaining about hashcows. Nearmiss does a great job for the community by running this website.
I work for a multibillion dollar payment card processor and I can tell you that no matter what you do a bad guy can always find a way into your system.
Do you think nearmiss has more funds available to provide better security than....
heartland?
Tjmaxx?
Target?
All of these companies are billion dollar companies and couldnt keep the bad guys out.
Here's the deal. Transfer your coins off whenever you can and don't worry about the 50cent fees.
I lost .244BTC today because I was to lazy to login and move coins, I'm sad, and I'm pissed at the hacker who did it.
I will continue to use hashcows knowing fully that they could be hacked again, every exchange can be hacked, you keep money there it's your risk.
These aren't FDIC backed exchanges and they aren't all multimillion dollar operations.
Nearmiss could hire 15 security experts and I guarentee someone will still find a way in if they want to.
enjoy your coining folks and lets hope nearmiss and others who lost money/time get to enjoy their Christmas!
So they managed to steal 26k so far?
you're welcome anon
thank you 4chan
i talked with them on irc and it looks like it was an sql injection attack. its not 100% yet.
For those of you who dont know what that means, it means that no matter how strong your password or pin was they had actual access to the database to retrieve/update the data bypassing the website.
For those of you who dont know what that means, it means that no matter how strong your password or pin was they had actual access to the database to retrieve/update the data bypassing the website.
Cross posting from Reddit..
I was in the IRC channel #hashcows on freenode as this played out. Note that I don't speak for Hashcows, just a user/chatter reporting what I know.
Seems like what happened is that someone used an attack (possibly SQL injection) to change a bunch of user payout addresses to https://blockchain.info/address/13R87ropkDKzDEuVeQoX64kkcLvPWVdTKH
As users subsequently hit their pre-set auto withdraw threshold, or logged in and blindly did a manual withdrawal for themselves, the coins were siphoned off to the thief's account.
This leads me to assume that no account details (usernames, passwords, PIN, entire database) were compromised.. it was a smart but simple attack, something of a smash and grab raid. They didn't need to deal with usernames, passwords and PINs (none of which would be stored in plain text anyway), this was much easier for them.
The first thing to do is check your balance. If it's not been affected you are ok now, as the payout system was disabled by admin as soon as this came to light, and will be until investigation is complete.
If you try to manually withdraw the website will report that the withdrawal has been initiated - but it hasn't.
For a period of time you may have been unable to change your payout address, as this was also locked by admin, however it's now been enabled again.
I was in the IRC channel #hashcows on freenode as this played out. Note that I don't speak for Hashcows, just a user/chatter reporting what I know.
Seems like what happened is that someone used an attack (possibly SQL injection) to change a bunch of user payout addresses to https://blockchain.info/address/13R87ropkDKzDEuVeQoX64kkcLvPWVdTKH
As users subsequently hit their pre-set auto withdraw threshold, or logged in and blindly did a manual withdrawal for themselves, the coins were siphoned off to the thief's account.
This leads me to assume that no account details (usernames, passwords, PIN, entire database) were compromised.. it was a smart but simple attack, something of a smash and grab raid. They didn't need to deal with usernames, passwords and PINs (none of which would be stored in plain text anyway), this was much easier for them.
The first thing to do is check your balance. If it's not been affected you are ok now, as the payout system was disabled by admin as soon as this came to light, and will be until investigation is complete.
If you try to manually withdraw the website will report that the withdrawal has been initiated - but it hasn't.
For a period of time you may have been unable to change your payout address, as this was also locked by admin, however it's now been enabled again.
My wallet address was not changed, does this mean I was not affected?
Dunno why you guys are complaining about a 20 character limit. A nearby B&M regional financial institution (I don't dare say which) will only allow a password between 4 and 8 characters in length. Wish I were joking.
that's the point. there should be no character limit. and like oldminer said, 2-factor authentication helps.
it felt like the hashcows admin were fighting just to keep the site up and running, and left a backdoor open so someone could steal $20,000.
Hashcows should be making money: money enough to hire help with securing their money, and user money. there is already a problem with trust and scams when it comes to sites like this. it took them so long to build up a brand, trust and goodwill, and all that effort was wasted.
otoh, mtgox seems to be surviving, although they lost their primacy in the exhange game a long time ago.
Dunno why you guys are complaining about a 20 character limit. A nearby B&M regional financial institution (I don't dare say which) will only allow a password between 4 and 8 characters in length. Wish I were joking.
This is why I never store large amounts of coin or $$ on websites without at least 2-factor authentication.
I don't think they really hold funds (in the traditional sense) outside unpaid funds from mining since the last payout cycle. My money was not stolen, but I will change my password anyway even though it is already extremely long.
If this happened to a whole buch of people the hackers probably got a mysql dump and are brute forcing or using wordlist combos to crack as many passwords as they can.
If this happened to a whole buch of people the hackers probably got a mysql dump and are brute forcing or using wordlist combos to crack as many passwords as they can.
so do they got passwords and logged into accounts, or somehow got access to db and changed addresses directly there ?
This is why I never store large amounts of coin or $$ on websites without at least 2-factor authentication.
I dont store large amounts of coin anywhere online, I already get nervous when my coins are at an exchange just to exchange them ASAP and make a withdrawl, but maybe I am a bit paranoid. 
This is why I never store large amounts of coin or $$ on websites without at least 2-factor authentication.
well I just tried to put in a 30 character long password and it said max 20 , and my old pass was 20 lol
So well, not so well protected
lol So well, not so well protected
"error password too long"
the individual words make up a sentence, but i don't understand what it could mean.
well I just tried to put in a 30 character long password and it said max 20 , and my old pass was 20 lol
So well, not so well protected
So well, not so well protected
My money was not stolen, but I will change my password anyway even though it is already extremely long.
yeah i don't get it; i changed from 'password1' to 'password2' how did they get in? 
Jump to: