How I almost lost my account. | Bitcointalksearch.org

Saint-loup

legendary

Activity: 2604

Merit: 2353

Quote from: BlackBoss_ on June 03, 2024, 08:06:59 PM

Quote from: Saint-loup on June 01, 2024, 02:00:17 PM

Besides that, you could have set a secret question first, you wouldn't need to remember your throwaway address.

Quote

Secret Question:
To help retrieve your password, enter a question here with an answer that only you know. Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.
Answer:
Choose carefully, you wouldn't want someone guessing your answer!

https://bitcointalk.org/index.php?action=profile;sa=account

Secret question will trigger an account lock for security reason, it does not help you to recover your account or password.

This feature was disabled after a forum hack (sever compromise) in 2015.

Quote from: theymos on May 25, 2015, 09:39:49 AM

On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings

PSA: ACCOUNTS WILL BE LOCKED IF THE SECRET QUESTION IS USED TO RECOVER IT

You are kidding me dude? You are talking about an event that happened almost ten years ago and quoting posts from the same period. I hope everything is back to normal ten years later. If one user has created his account after the 2015 hack, how hackers could have taken his secret question while his account didn't exist? It's not possible. So I guess what's written is true : "It's like a second password."

JiiBs

full member

Activity: 203

Merit: 106

Quote from: NotATether on June 04, 2024, 02:19:00 AM

Why would you use a throwaway email address? Don't you know that whoever is running the throwaway email server can get all the messages that the forum sends you?

Apart from that, but anonymous email signup services like simplelogin and passmail (proton pass) completely cover all the benefits of these throwaway email addresses, minus the risk of losing access to email reset.

If I am to be any true to myself, I didn’t dig deep on the what risk I stand to incur by using a throwaway email address and that’s entirely my fault, I am owing that. It wasn’t the original plan and it only became an option after I had tried using my functional email to create an account and the evil IP thing came up. My next trier failed to accept previous email as it had been used and so, the throwaway email became an option. I felt I could change it as time goes and that turned into procrastination coupled with the fact that, I was still getting used to the forum.
It only dawned on me after the incident of a forgotten password and good enough, it wasn’t too late to think and rethink to come up with the combination and make necessary adjustments.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Why would you use a throwaway email address? Don't you know that whoever is running the throwaway email server can get all the messages that the forum sends you?

Apart from that, but anonymous email signup services like simplelogin and passmail (proton pass) completely cover all the benefits of these throwaway email addresses, minus the risk of losing access to email reset.

BlackBoss_

sr. member

Activity: 602

Merit: 387

Rollbit is for you. Take $RLB token!

Quote from: Saint-loup on June 01, 2024, 02:00:17 PM

Besides that, you could have set a secret question first, you wouldn't need to remember your throwaway address.

Quote

Secret Question:
To help retrieve your password, enter a question here with an answer that only you know. Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.
Answer:
Choose carefully, you wouldn't want someone guessing your answer!

https://bitcointalk.org/index.php?action=profile;sa=account

Secret question will trigger an account lock for security reason, it does not help you to recover your account or password.

This feature was disabled after a forum hack (sever compromise) in 2015.

Quote from: theymos on May 25, 2015, 09:39:49 AM

On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings

PSA: ACCOUNTS WILL BE LOCKED IF THE SECRET QUESTION IS USED TO RECOVER IT

JiiBs

full member

Activity: 203

Merit: 106

Quote from: Porfirii on May 29, 2024, 09:08:37 AM

Apart from the advice given above, it is also very advisable to post your PGP public address so, if you lose access to your account or you are impersonated, you can probe that you are the rightful owner of the account by simply signing a message.

We cannot expect it from the average newbie, I'm afraid, but as you rank up and learn more and more there is a moment when you learn to do that. Hopefully, not too late...

Am doing my best to be above an average newbie, lol!

I have e successfully signed a Bitcoin address as an added safety measure on my account. I'll update that in OP too so, the rest of you could verify with me.

Saint-loup

legendary

Activity: 2604

Merit: 2353

Why you haven't used an alias service for your email address instead of using a throwaway email box, I don't understand? Using disposable email addresses is dangerous because even when they allow you to set a password it's usually temporary and one day it can be reset and your address will become available to anyone. In addition domains can become unavailable and any attached address can disapear without any possibility to access it again. For the password it's better to use a password manager, nowadays almost all browsers offer a safe one. And if you add the two-factor authentication, you can store your password almost anywhere since it becomes only one part of your way to login.
Besides that, you could have set a secret question first, you wouldn't need to remember your throwaway address.

Quote

Secret Question:
To help retrieve your password, enter a question here with an answer that only you know. Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.
Answer:
Choose carefully, you wouldn't want someone guessing your answer!

https://bitcointalk.org/index.php?action=profile;sa=account

Cricktor

hero member

Activity: 714

Merit: 1010

Crypto Swap Exchange

An important step is to enable 2FA to further secure your Bitcointalk account login. I don't know how many users already enabled 2FA for their account here, but frankly why wouldn't you want to do it?

In addition as mentioned earlier, you can stake your PGP public address and/or stake a Bitcoin address and sign a message to prove you control the private key of that address. Both will make account recovery a lot easier and possible at all, should your account ever be compromised or lost.

Porfirii

legendary

Activity: 1932

Merit: 2354

The Alliance Of Bitcointalk Translators - ENG>SPA

And, with the stats of the OP, it would've been a loss, but imagine if that happened to a Legendary...

Apart from the advice given above, it is also very advisable to post your PGP public address so, if you lose access to your account or you are impersonated, you can probe that you are the rightful owner of the account by simply signing a message.

We cannot expect it from the average newbie, I'm afraid, but as you rank up and learn more and more there is a moment when you learn to do that. Hopefully, not too late...

Uhwuchukwu53

member

Activity: 364

Merit: 44

★Bitvest.io★ Play Plinko or Invest

The op deep explanation why the post is created show how some take certain things so common and later begin to see the benefits or course of getting those things they misplaced as a result of negligence. Security and keeping of details is very important no matter how that document may look like, what you neglect can be of help and one must have a means of securing important documents not just online but manual means.

Zanab247

full member

Activity: 1358

Merit: 207

Catalog Websites

I guess you have learned a lesson from this your ignorance, that almost make you to lose your account because you failed to take time to study the forum very well to understand some of the things that will make your details to be in a safe place.

Now you have recovered your account, I believe you will avoid anything that will make your account to be in danger, and you need to concentrate on the rules and quality post so that you will improve in that aspect.

Assume, you don't write all those things down, it would have been difficult for you to recover your details back because there are some newbies that loss their account to scammers because they displayed their details and they didn't write down their details.

Stalker22

legendary

Activity: 1526

Merit: 1359

So to make a long story short, you used a throwaway email address to register, chose a password at random that you did not write down anywhere and later forgot it, and on top of that, had no recovery method like a staked Bitcoin address? Well, I dont know what to say other than... lesson learned the hard way, I hope.

But this is the part that really intrigued me:

Quote from: JiiBs on May 24, 2024, 06:25:39 PM

At this point, I was completely exhausted and had to take some rest, it was already 14 O'clock. I later woke up,
~

Do you usually go to sleep at 2 pm? How old are you, if I may ask? Cheesy

Die_empty

hero member

Activity: 686

Merit: 987

Give all before death

Quote from: JiiBs on May 24, 2024, 06:25:39 PM

What have I done to avert this:
1. Create and have a proper mail address to the account.
2. Create a strong password combination.
3. Writing down my important detail to keep it safely.

What am yet to do but find very necessary and would do:
1. Generate, sign and stake a Bitcoin address to this account.

Everything you have listed is valid. The human brain can malfunction at any time, so we need to have a backup. Writing down your email and password in a paper and keeping them safe is also ideal.

Quote from: Plaguedeath on May 25, 2024, 12:08:00 AM

I would say all mistakes you did are stupid mistake, so it will not be a concern to other users.

I don't see it as a stupid mistake. Most members never thought they would be in this forum for this long. I have joined many forums where I lost interest quickly and never became active. Some persons just choose a random email and password to access the forum but don't have any interest in staying at first. Maybe they began to enjoy the forum and decided to stay but forgot to change these important details.

Faisal2202

hero member

Activity: 1386

Merit: 513

Payment Gateway Allows Recurring Payments

So you did not have access to your email, that's why you were not able to receive OTP to forget the password? Or in order to reset the password you have to talk with admins? Actually, I never faced this situation, I have written my password somewhere safe, but if the case is, that you have to contact admins or support to reset the password then its a time taking thing. Who would want that, I thought the procedure would be like this, we give recovery mail, and we receive OTP, input it, and can set a new password.

Correct me if its the case. I don't know that's why I asked. Besides, your story is a big lesson for all of us, besides taking proper action you have aforementioned, we should also stake out account here as well, in case we lose access to our accounts.

un_rank

hero member

Activity: 644

Merit: 661

- Jay -

Good thing you have gotten your account back and also good you have made a note to stake a signed address. That is the ultimate account recovery tool, it also validates changes in email address and password so no one would suspect that the ownership of an account has changed hands.

- Jay -

JiiBs

full member

Activity: 203

Merit: 106

Quote from: Plaguedeath on May 25, 2024, 12:08:00 AM

I also can add another one stupid mistake, I forget my login details and I didn't have any back up, then I sold my device.

Quote from: Churchillvv on May 24, 2024, 10:50:05 PM

So I advise you have a password backup book, diary etc where you can write most things down in a book and not just one maybe two at least incase one gets missing which is not supposed to happen but that other will remain.

A better way you can buy steel plate or anything that can resist against fire, corrosion etc just like you back up your seed phrase.

For real? That must have hurt so badly.
So how did you manage to get your account back or it isn't this account your referring as, the referred account is gone for good.

Quote from: Ultegra134 on May 25, 2024, 12:33:31 AM

And why didn't you change that sometime after your registration? Anyway, the good thing is that you have your account, and I see that you've now changed your email, so I'm guessing you're safe from it happening again.

Unless this was all a sob story excuse to change email because you sold your account! Haha, I'm joking.

I wouldn't say I have had the thought of changing my password. The thought has crossed my mind once or twice but, I didn't know where to look at the time but, it didn't take long to find though but for no particular reason, I allowed it. Only to be reminded by its necessity with this forgetfulness.

Sold!!! Good joke man, good joke.
Just to think of it, how is that a thing and how can someone seat back and watch his or her built reputation on an account be destroyed by a new owner, using it for all the wrong reasons because of some dollars. Just how much would that be valued anyway!

Potato Chips

hero member

Activity: 2786

Merit: 902

yesssir! 🫡

Quote from: Rruchi man on May 24, 2024, 06:59:19 PM

It is scary to think about, because if someone is able to get your one major password, they will have access to all your passwords.

It's not a fool proof setup ofc but IMO it's still better than getting locked up/resetting frequently.. Especially, if you're like me who has hundreds of accounts I dont use everyday lol

However, if you tend to slack on your personal cyber security then it'll come and bite you lol. Keepass for instance stores the database in your device hence you need to keep it clean at all times. A good tip would be to compartmentalize risky stuff to non-risky stuff e.g. get a device that doesn't connect to internet or at least don't do risky stuff on the same device you do important stuff.

I would also suggest enabling 2FA whenever possible so you have a second layer of protection. However, you must keep it in a separate device to maximize security. In a sense, this is also compartmentalizing -- if the device where your password manager gets compromised, your 2fa is likely to be fine as it is in a separate device/environment.

Quote from: Churchillvv on May 24, 2024, 10:50:05 PM

I don't encourage saving passwords with third parties like this because it's more risky than it being lost in your hands than to some kind of hackers.

Have you thought of what happened to Laspass? That's just to tell you that none is save expect your own personal backup.

Note that keepass is a FOSS that stores data locally and encrypted -- on your device. LastPass on the other hand stores them on cloud hence the data leaks weren't surprising to me. I wouldn't trust a stranger to held such important data either.

Ultegra134

hero member

Activity: 1680

Merit: 845

Good thing you were able to login back to your account; losing it and not having a way to recover it would suck, and if you hadn't staked your Bitcoin address, it would practically be impossible. I still don't understand why you used a temporary email address, though. I get it not to use your main address, which may also include your name on it, but a completely temporary address you'll never be able to access again is a little careless. And why didn't you change that sometime after your registration? Anyway, the good thing is that you have your account, and I see that you've now changed your email, so I'm guessing you're safe from it happening again.

Unless this was all a sob story excuse to change email because you sold your account! Haha, I'm joking.

Plaguedeath

hero member

Activity: 854

Merit: 663

I would say all mistakes you did are stupid mistake, so it will not be a concern to other users.

I also can add another one stupid mistake, I forget my login details and I didn't have any back up, then I sold my device.

Quote from: Churchillvv on May 24, 2024, 10:50:05 PM

So I advise you have a password backup book, diary etc where you can write most things down in a book and not just one maybe two at least incase one gets missing which is not supposed to happen but that other will remain.

A better way you can buy steel plate or anything that can resist against fire, corrosion etc just like you back up your seed phrase.

Churchillvv

member

Activity: 66

Merit: 5

Eloncoin.org - Mars, here we come!

Although the whole scenario would be sum up with a few words " Be careful of how you treat things, make a good backup for your passwords" etc but you deem it necessary to explain in details how come about the thread.

Personally I don't like the idea of saving passwords on the internet for any reasons. Just imagine that I saved the password to my email that I use for very important part of my life online and one of the sites it's saved in is compromised and everything I have in the mail got hijacked? So I advise you have a password backup book, diary etc where you can write most things down in a book and not just one maybe two at least incase one gets missing which is not supposed to happen but that other will remain.

Quote from: Potato Chips on May 24, 2024, 06:50:23 PM

Perhaps you might be interested on password managers like keepass.info?

I don't encourage saving passwords with third parties like this because it's more risky than it being lost in your hands than to some kind of hackers.

Have you thought of what happened to Laspass? That's just to tell you that none is save expect your own personal backup.

BlackBoss_

sr. member

Activity: 602

Merit: 387

Rollbit is for you. Take $RLB token!

Quote from: Potato Chips on May 24, 2024, 06:50:23 PM

What made you use throwaway email for this op? as I only use such for accounts I never cared much or willing to throwaway. If you're worried about exposing your email address, perhaps an email alias service could be of some use to you.

theymos advised that if user didn't use an actual email for account registration, a throw away or non existing email for registration, that user can change it to an email address with the forum domain. It's safer.

Quote from: theymos on December 21, 2023, 01:51:38 PM

Make sure that your email address is secure. If you don't want to set an email address, use something like [email protected]; don't use a random nonsense email like [email protected], since somebody might create that domain/email.

Quote

Perhaps you might be interested on password managers like keepass.info? this made things so much more convenient for me as I only need to remember one password to access hundres of my accounts lol. Plus your keepass database is stored locally and is encrypted. Passwords are also better off randomized though computer generated would be better than humans which fortunately, keepass also offers.

[Guide] How to create and use a strong password?

Keepass is available for Android too.
https://keepass.info/
https://keepassxc.org/download/#windows
https://play.google.com/store/apps/details?hl=en&id=com.android.keepass

https://pwsafe.org/
https://proton.me/pass

Avoid LastPass because they have security incident.

Topic: How I almost lost my account. (Read 325 times)