Topic: How I almost lost my account. (Read 325 times)

legendary
Activity: 2604
Merit: 2353
June 06, 2024, 04:37:50 PM
#24
Besides that, you could have set a secret question first, you wouldn't need to remember your throwaway address.
Quote
Secret Question:
To help retrieve your password, enter a question here with an answer that only you know. Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.
Answer:
Choose carefully, you wouldn't want someone guessing your answer!
https://bitcointalk.org/index.php?action=profile;sa=account
Secret question will trigger an account lock for security reason, it does not help you to recover your account or password.

This feature was disabled after a forum hack (server compromise) in 2015.
On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings

PSA: ACCOUNTS WILL BE LOCKED IF THE SECRET QUESTION IS USED TO RECOVER IT
You are kidding me dude? You are talking about an event that happened almost ten years ago and quoting posts from the same period. I hope everything is back to normal ten years later. If one user has created his account after the 2015 hack, how hackers could have taken his secret question while his account didn't exist? It's not possible. So I guess what's written is true : "It's like a second password."
full member
Activity: 203
Merit: 106
June 04, 2024, 02:17:51 PM
#23
Why would you use a throwaway email address? Don't you know that whoever is running the throwaway email server can get all the messages that the forum sends you?

Apart from that, but anonymous email signup services like simplelogin and passmail (proton pass) completely cover all the benefits of these throwaway email addresses, minus the risk of losing access to email reset.
If I am to be any true to myself, I didn’t dig deep on the what risk I stand to incur by using a throwaway email address and that’s entirely my fault, I am owing that. It wasn’t the original plan and it only became an option after I had tried using my functional email to create an account and the evil IP thing came up. My next trier failed to accept previous email as it had been used and so, the throwaway email became an option. I felt I could change it as time goes and that turned into procrastination coupled with the fact that, I was still getting used to the forum.
It only dawned on me after the incident of a forgotten password and good enough, it wasn’t too late to think and rethink to come up with the combination and make necessary adjustments.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
June 04, 2024, 02:19:00 AM
#22
Why would you use a throwaway email address? Don't you know that whoever is running the throwaway email server can get all the messages that the forum sends you?

Apart from that, but anonymous email signup services like simplelogin and passmail (proton pass) completely cover all the benefits of these throwaway email addresses, minus the risk of losing access to email reset.
sr. member
Activity: 602
Merit: 387
Rollbit is for you. Take $RLB token!
June 03, 2024, 08:06:59 PM
#21
Besides that, you could have set a secret question first, you wouldn't need to remember your throwaway address.
Quote
Secret Question:
To help retrieve your password, enter a question here with an answer that only you know. Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.
Answer:
Choose carefully, you wouldn't want someone guessing your answer!
https://bitcointalk.org/index.php?action=profile;sa=account
Secret question will trigger an account lock for security reason, it does not help you to recover your account or password.

This feature was disabled after a forum hack (server compromise) in 2015.
On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings

PSA: ACCOUNTS WILL BE LOCKED IF THE SECRET QUESTION IS USED TO RECOVER IT
full member
Activity: 203
Merit: 106
June 03, 2024, 07:19:52 PM
#20
Apart from the advice given above, it is also very advisable to post your PGP public address so, if you lose access to your account or you are impersonated, you can prove that you are the rightful owner of the account by simply signing a message.

We cannot expect it from the average newbie, I'm afraid, but as you rank up and learn more and more there is a moment when you learn to do that. Hopefully, not too late...
Am doing my best to be above an average newbie, lol!

I have successfully signed a Bitcoin address as an added safety measure on my account. I'll update that in OP too so, the rest of you could verify with me.
legendary
Activity: 2604
Merit: 2353
June 01, 2024, 02:00:17 PM
#19
Why you haven't used an alias service for your email address instead of using a throwaway email box, I don't understand? Using disposable email addresses is dangerous because even when they allow you to set a password it's usually temporary and one day it can be reset and your address will become available to anyone. In addition domains can become unavailable and any attached address can disappear without any possibility to access it again. For the password it's better to use a password manager, nowadays almost all browsers offer a safe one. And if you add the two-factor authentication, you can store your password almost anywhere since it becomes only one part of your way to login.
Besides that, you could have set a secret question first, you wouldn't need to remember your throwaway address.
Quote
Secret Question:
To help retrieve your password, enter a question here with an answer that only you know. Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.
Answer:
Choose carefully, you wouldn't want someone guessing your answer!
https://bitcointalk.org/index.php?action=profile;sa=account
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
June 01, 2024, 12:38:53 PM
#18
An important step is to enable 2FA to further secure your Bitcointalk account login. I don't know how many users already enabled 2FA for their account here, but frankly why wouldn't you want to do it?

In addition as mentioned earlier, you can stake your PGP public address and/or stake a Bitcoin address and sign a message to prove you control the private key of that address. Both will make account recovery a lot easier and possible at all, should your account ever be compromised or lost.
legendary
Activity: 1932
Merit: 2354
The Alliance Of Bitcointalk Translators - ENG>SPA
May 29, 2024, 09:08:37 AM
#17
And, with the stats of the OP, it would've been a loss, but imagine if that happened to a Legendary...

Apart from the advice given above, it is also very advisable to post your PGP public address so, if you lose access to your account or you are impersonated, you can prove that you are the rightful owner of the account by simply signing a message.

We cannot expect it from the average newbie, I'm afraid, but as you rank up and learn more and more there is a moment when you learn to do that. Hopefully, not too late...
member
Activity: 364
Merit: 44
★Bitvest.io★ Play Plinko or Invest
May 29, 2024, 08:55:38 AM
#16
The op deep explanation why the post is created show how some take certain things so common and later begin to see the benefits or course of getting those things they misplaced as a result of negligence. Security and keeping of details is very important no matter how that document may look like, what you neglect can be of help and one must have a means of securing important documents not just online but manual means.
full member
Activity: 1358
Merit: 207
Catalog Websites
May 29, 2024, 07:08:30 AM
#15
I guess you have learned a lesson from this your ignorance, that almost make you to lose your account because you failed to take time to study the forum very well to understand some of the things that will make your details to be in a safe place.

Now you have recovered your account, I believe you will avoid anything that will make your account to be in danger, and you need to concentrate on the rules and quality post so that you will improve in that aspect.


Assume, you don't write all those things down, it would have been difficult for you to recover your details back because there are some newbies that loss their account to scammers because they displayed their details and they didn't write down their details.
legendary
Activity: 1526
Merit: 1359
May 26, 2024, 01:45:04 PM
#14
So to make a long story short, you used a throwaway email address to register, chose a password at random that you did not write down anywhere and later forgot it, and on top of that, had no recovery method like a staked Bitcoin address? Well, I don't know what to say other than... lesson learned the hard way, I hope.

But this is the part that really intrigued me:

At this point, I was completely exhausted and had to take some rest, it was already 14 O'clock. I later woke up,
~

Do you usually go to sleep at 2 pm? How old are you, if I may ask?
hero member
Activity: 686
Merit: 987
Give all before death
May 26, 2024, 01:17:07 PM
#13
What have I done to avert this:
1. Create and have a proper mail address to the account.
2. Create a strong password combination.
3. Writing down my important detail to keep it safely.

What am yet to do but find very necessary and would do:
1. Generate, sign and stake a Bitcoin address to this account.
Everything you have listed is valid. The human brain can malfunction at any time, so we need to have a backup. Writing down your email and password in a paper and keeping them safe is also ideal.

I would say all mistakes you did are stupid mistake, so it will not be a concern to other users.
I don't see it as a stupid mistake. Most members never thought they would be in this forum for this long. I have joined many forums where I lost interest quickly and never became active. Some persons just choose a random email and password to access the forum but don't have any interest in staying at first. Maybe they began to enjoy the forum and decided to stay but forgot to change these important details.
hero member
Activity: 1386
Merit: 513
Payment Gateway Allows Recurring Payments
May 26, 2024, 12:12:59 PM
#12
So you did not have access to your email, that's why you were not able to receive OTP to forget the password? Or in order to reset the password you have to talk with admins? Actually, I never faced this situation, I have written my password somewhere safe, but if the case is, that you have to contact admins or support to reset the password then it's a time taking thing. Who would want that, I thought the procedure would be like this, we give recovery mail, and we receive OTP, input it, and can set a new password.

Correct me if it's the case. I don't know that's why I asked. Besides, your story is a big lesson for all of us, besides taking proper action you have aforementioned, we should also stake out account here as well, in case we lose access to our accounts.
hero member
Activity: 644
Merit: 661
- Jay -
May 25, 2024, 08:06:15 AM
#11
Good thing you have gotten your account back and also good you have made a note to stake a signed address. That is the ultimate account recovery tool, it also validates changes in email address and password so no one would suspect that the ownership of an account has changed hands.

- Jay -
full member
Activity: 203
Merit: 106
May 25, 2024, 07:43:26 AM
#10
I also can add another one stupid mistake, I forget my login details and I didn't have any back up, then I sold my device.

So I advise you have a password backup book, diary etc where you can write most things down in a book and not just one maybe two at least incase one gets missing which is not supposed to happen but that other will remain.
A better way you can buy steel plate or anything that can resist against fire, corrosion etc just like you back up your seed phrase.
For real? That must have hurt so badly.
So how did you manage to get your account back or it isn't this account you're referring as, the referred account is gone for good.

And why didn't you change that sometime after your registration? Anyway, the good thing is that you have your account, and I see that you've now changed your email, so I'm guessing you're safe from it happening again.

Unless this was all a sob story excuse to change email because you sold your account! Haha, I'm joking.
I wouldn't say I have had the thought of changing my password. The thought has crossed my mind once or twice but, I didn't know where to look at the time but, it didn't take long to find though but for no particular reason, I allowed it. Only to be reminded by its necessity with this forgetfulness.

Sold!!! Good joke man, good joke.
Just to think of it, how is that a thing and how can someone sit back and watch his or her built reputation on an account be destroyed by a new owner, using it for all the wrong reasons because of some dollars. Just how much would that be valued anyway!
hero member
Activity: 2786
Merit: 902
yesssir! 🫡
May 25, 2024, 07:37:25 AM
#9
It is scary to think about, because if someone is able to get your one major password, they will have access to all your passwords.
It's not a fool proof setup ofc but IMO it's still better than getting locked up/resetting frequently.. Especially, if you're like me who has hundreds of accounts I don't use everyday lol

However, if you tend to slack on your personal cyber security then it'll come and bite you lol. Keepass for instance stores the database in your device hence you need to keep it clean at all times. A good tip would be to compartmentalize risky stuff to non-risky stuff e.g. get a device that doesn't connect to internet or at least don't do risky stuff on the same device you do important stuff.

I would also suggest enabling 2FA whenever possible so you have a second layer of protection. However, you must keep it in a separate device to maximize security. In a sense, this is also compartmentalizing -- if the device where your password manager gets compromised, your 2fa is likely to be fine as it is in a separate device/environment.

I don't encourage saving passwords with third parties like this because it's more risky than it being lost in your hands than to some kind of hackers.

Have you thought of what happened to LastPass? That's just to tell you that none is safe except your own personal backup.
Note that keepass is a FOSS that stores data locally and encrypted -- on your device. LastPass on the other hand stores them on cloud hence the data leaks weren't surprising to me. I wouldn't trust a stranger to held such important data either.
hero member
Activity: 1680
Merit: 845
May 25, 2024, 12:33:31 AM
#8
Good thing you were able to login back to your account; losing it and not having a way to recover it would suck, and if you hadn't staked your Bitcoin address, it would practically be impossible. I still don't understand why you used a temporary email address, though. I get it not to use your main address, which may also include your name on it, but a completely temporary address you'll never be able to access again is a little careless. And why didn't you change that sometime after your registration? Anyway, the good thing is that you have your account, and I see that you've now changed your email, so I'm guessing you're safe from it happening again.

Unless this was all a sob story excuse to change email because you sold your account! Haha, I'm joking.
hero member
Activity: 854
Merit: 663
May 25, 2024, 12:08:00 AM
#7
I would say all mistakes you did are stupid mistake, so it will not be a concern to other users.

I also can add another one stupid mistake, I forget my login details and I didn't have any back up, then I sold my device.

So I advise you have a password backup book, diary etc where you can write most things down in a book and not just one maybe two at least incase one gets missing which is not supposed to happen but that other will remain.
A better way you can buy steel plate or anything that can resist against fire, corrosion etc just like you back up your seed phrase.
member
Activity: 66
Merit: 5
Eloncoin.org - Mars, here we come!
May 24, 2024, 10:50:05 PM
#6
Although the whole scenario would be sum up with a few words " Be careful of how you treat things, make a good backup for your passwords" etc but you deem it necessary to explain in details how come about the thread.

Personally I don't like the idea of saving passwords on the internet for any reasons. Just imagine that I saved the password to my email that I use for very important part of my life online and one of the sites it's saved in is compromised and everything I have in the mail got hijacked? So I advise you have a password backup book, diary etc where you can write most things down in a book and not just one maybe two at least incase one gets missing which is not supposed to happen but that other will remain.

Perhaps you might be interested on password managers like keepass.info?
I don't encourage saving passwords with third parties like this because it's more risky than it being lost in your hands than to some kind of hackers.

Have you thought of what happened to LastPass? That's just to tell you that none is safe except your own personal backup.
sr. member
Activity: 602
Merit: 387
Rollbit is for you. Take $RLB token!
May 24, 2024, 09:00:59 PM
#5
What made you use throwaway email for this op? as I only use such for accounts I never cared much or willing to throwaway. If you're worried about exposing your email address, perhaps an email alias service could be of some use to you.
theymos advised that if user didn't use an actual email for account registration, a throw away or non existing email for registration, that user can change it to an email address with the forum domain. It's safer.

Make sure that your email address is secure. If you don't want to set an email address, use something like [email protected]; don't use a random nonsense email like [email protected], since somebody might create that domain/email.

Quote
Perhaps you might be interested on password managers like keepass.info? this made things so much more convenient for me as I only need to remember one password to access hundreds of my accounts lol. Plus your keepass database is stored locally and is encrypted. Passwords are also better off randomized though computer generated would be better than humans which fortunately, keepass also offers.
[Guide] How to create and use a strong password?

Keepass is available for Android too.
https://keepass.info/
https://keepassxc.org/download/#windows
https://play.google.com/store/apps/details?hl=en&id=com.android.keepass

https://pwsafe.org/
https://proton.me/pass

Avoid LastPass because they have security incident.
full member
Activity: 203
Merit: 106
May 24, 2024, 07:11:07 PM
#4

It is scary to think about, because if someone is able to get your one major password, they will have access to all your passwords. I would prefer if these password managers have the biometric option like fingerprint and facial recognition in addition to passwords for access, that will make it more difficult for someone to gain access.
That’s one of the reason why I didn’t go with the offer from the mailing company to have my password saved with them. A hack on the company or a hack on my mail account could mean a compromise on all my details.
It’s an option still as, at some point, I wished I had it in place but, it didn’t matter anymore after I finally got the correct combination.

Meanwhile, having a Biometric or Face scanner to this doesn’t mean ultimate security even. You still get to save the codes on there ledger/data base and the Biometric verification or face scanner is just a means of access from your device. It doesn’t stop a hacker from hacking the mailing company directly.

Biometric and Face scanner don’t necessarily means best practices to security. In fact, these can be flawed and some one close to you with access to your device could easily show your screen to your face or press your prints to the scanner and your device is open to them.
legendary
Activity: 1456
Merit: 1108
Use chips.gg
May 24, 2024, 06:59:19 PM
#3
Perhaps you might be interested on password managers like keepass.info? this made things so much more convenient for me as I only need to remember one password to access hundreds of my accounts lol.
It is scary to think about, because if someone is able to get your one major password, they will have access to all your passwords.

I would prefer to use the biometric options like fingerprint and facial recognition for better security if these password managers have it for access, that will make it more difficult for someone other than me to gain access.
hero member
Activity: 2786
Merit: 902
yesssir! 🫡
May 24, 2024, 06:50:23 PM
#2
What made you use throwaway email for this op? as I only use such for accounts I never cared much or willing to throwaway. If you're worried about exposing your email address, perhaps an email alias service could be of some use to you.

Perhaps you might be interested on password managers like keepass.info? this made things so much more convenient for me as I only need to remember one password to access hundreds of my accounts lol. Plus your keepass database is stored locally and is encrypted. Passwords are also better off randomized though computer generated would be better than humans which fortunately, keepass also offers.
full member
Activity: 203
Merit: 106
May 24, 2024, 06:25:39 PM
#1
Negligence can ruin all your hardwork

Now this wasn’t a hack attempt but, as a result of my own negligence that would have proven very costly.

When I joined the forum, I experienced an unforeseen difficulty which turned out to be the norm for most new users here. This I expressed in a post I made about Evil fee (Safe means please and Evil IP).
At this point, I already had some triers with what I had then as intended details without success so, I had to proceed with just anything that came to mind.

Now, some of the things I did wrong was:
1. Completely randomizing my mail address as, I noticed from other triers that, verification mails wasn’t sent so, I used a throwaway mail address.
2. My password was completely picked at random as, it was supposed to be temporal.
3. I didn't have the mail address logged in on my device.

Why am I on this narrative;
Earlier today I woke up to what seemed like a nightmare. I tried logging into the forum as I’ve been inactive for a couple of days and as a result, my browser already logged me out.
After inputting my username, I typed in my password and it came out incorrect. I tried a different combination and it still was incorrect. At this point, I knew I was in for real trouble.
I proceeded to get a notepad, wrote down all I thought could be the right combination, input each of them and each time, it came out as incorrect. After a good number of triers, by default the site sent a mail for password reset as, password recovery was off the books but, I didn't have the mail address logged in. I proceeded to try other combinations until I was told to have exceeded my allowed number of logins and should check back later.

At this point, I was completely exhausted and had to take some rest, it was already 14 O'clock. I later woke up, thought of things I could have done differently and means to recover my account but, without any insurance in place to prove ownership,  I knew my chances if I couldn't arrive at the right combination was almost zero.

When I woke about an hour after, I tried again but, I couldn't go for anything different and as such, the password was still incorrect. Then, I went against my will to try what I didn't believe would be it and then, I was live on my account again. A huge sigh of relief enveloped me in entire. Thoughts of changing the password to something familiar and that which am used to was the next thing but, I chose to be calm and not be hasty about it.

How I got to forget:
I'm not always active here but, am trying to be and the random nature to the details of my account creation wasn't sticky just yet.

What I could have done to avoid this:
1. Proceed to change my details to what isn't picked at random and what I would be familiar with but, I didn't do that at the time.
2. Have my password saved on my devices mail address for auto logins but, this offers a different form of challenge to security and as such, I ignored it.

What have I done to avert this:
1. Create and have a proper mail address to the account.
2. Create a strong password combination.
3. Writing down my important detail to keep it safely.

What am yet to do but find very necessary and would do:
1. Generate, sign and stake a Bitcoin address to this account.
Edited:
Finally got to sign  an address and stake it on meta to mark my account and for reference.
Code:
Message: I am JiiBs on Bitcointalkforum, today is 4th June, 2024. I claim ownership of this account with this address
Address: bc1q8xv4j607vml83fgq8a7cz9ydzs2h0x305lk3ky
Signature:  IG7gZa2GVW4TKvjunpxDH/evkW2Ks8Nl5rQn5GG+OLFPGzoYMgRlwkgq3AC4Wgd9uObhGnnEC1AofRULrQzYYEA=

Though this might be out of my care freeness and was yet to discover just how important and attached this account might be for me, I do hope some users here don't and are not making the same mistakes as I did. It feels very terrible to be in that position or having to recall what you're not sure of. Don't procrastinate on what need be done and be sure to follow safe means to account security.



Just after concluding this thread, I see a user seeking help on forgotten password on meta. Forgot password. Assistance needed. from the user Ambatman. That's to say, it could happen to anyone and so, there is a need to take precaution.
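
A staked Message/Address/Signature block like the one in the opening post can be sanity-checked before anyone relies on it for account recovery. The following is an added example, not code from the thread or the forum: it parses the block, checks the address's bech32 checksum and decodes the 65-byte signature header, but it does not do the secp256k1 public-key recovery that full verification needs. The one-field-per-line layout and all function names are assumptions.

```python
import base64
import hashlib

# Constructed input: the Message/Address/Signature block as posted in the thread.
STAKE = """\
Message: I am JiiBs on Bitcointalkforum, today is 4th June, 2024. I claim ownership of this account with this address
Address: bc1q8xv4j607vml83fgq8a7cz9ydzs2h0x305lk3ky
Signature:  IG7gZa2GVW4TKvjunpxDH/evkW2Ks8Nl5rQn5GG+OLFPGzoYMgRlwkgq3AC4Wgd9uObhGnnEC1AofRULrQzYYEA=
"""

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"           # BIP173 alphabet
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order


def parse_stake(text):
    """Split 'Label: value' lines into a dict (assumed layout: one field per line)."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = label.strip().lower()
        if sep and key in ("message", "address", "signature"):
            fields[key] = value.strip()
    return fields


def message_digest(message):
    """Double SHA-256 over magic prefix + varint length + message (what wallets sign)."""
    body = message.encode("utf-8")
    n = len(body)
    if n < 0xFD:
        length = bytes([n])
    elif n <= 0xFFFF:
        length = b"\xfd" + n.to_bytes(2, "little")
    else:
        length = b"\xfe" + n.to_bytes(4, "little")
    data = b"\x18Bitcoin Signed Message:\n" + length + body
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def bech32_checksum_ok(addr):
    """BIP173 checksum test (witness v0 'bc1q...' addresses; not bech32m)."""
    if addr != addr.lower() and addr != addr.upper():
        return False                      # mixed case is invalid
    hrp, sep, data = addr.lower().rpartition("1")
    if not sep or not hrp or len(data) < 6 or any(c not in CHARSET for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [CHARSET.index(c) for c in data]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, gen in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= gen
    return chk == 1


def decode_signature(sig_b64):
    """Decode a base64 'compact' signature: 1 header byte, 32-byte r, 32-byte s."""
    raw = base64.b64decode(sig_b64, validate=True)
    if len(raw) != 65:
        raise ValueError("expected 65 bytes, got %d" % len(raw))
    header = raw[0]
    if not 27 <= header <= 42:            # 27-34 legacy style, 35-42 BIP137 segwit
        raise ValueError("header byte %d out of range" % header)
    r, s = int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")
    if not (0 < r < N and 0 < s < N):
        raise ValueError("r or s outside the valid scalar range")
    return {"header": header, "recid": (header - 27) & 3,
            "compressed": header >= 31, "r": r, "s": s}


def check_stake(text):
    """Structural report for a staked block; raises ValueError on malformed input."""
    f = parse_stake(text)
    missing = [k for k in ("message", "address", "signature") if not f.get(k)]
    if missing:
        raise ValueError("missing field(s): " + ", ".join(missing))
    report = decode_signature(f["signature"])
    report.update(address=f["address"],
                  address_checksum_ok=bech32_checksum_ok(f["address"]),
                  digest=message_digest(f["message"]).hex())
    return report
```

The message bytes must match what was signed exactly; a changed space or punctuation mark yields a different digest and a failed verification in any wallet.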