Topic: Hundreds of thousand of bitcointalk accounts hacked (Read 8737 times)

If this's a suggestion, then a good to apply in a forum by adding information about the password used when registering. Maybe trusted members (hilariousetc) like you can discuss (PM) with theymos about this.

Hacking accounts has already been an rising issue worldwide. Not only bitcointalk accounts hacked but also many crypto currency exchanges hacked and hackers steal big amount of BTC & ETH. Most of the time hackers use phising site link to make  entry to the account. Nowadays DDOS attack also been  popular. Its another way to disable website security. Many sites integrated many security options to get rid of hacking such as 2fa with sending codes to users email and some are using mobile phone verification method too. But honestly if an user care little about phising site before login to their account and make a regular routine to change password.

They fixed it. They can't do anything about those that didn't change their passwords, but there are auto-lock features for accounts that have remained long-dormant and suddenly reactivate. And trusting a third party is how the passwords were lost. The hacker gained access via the hosting service by social engineering. The passwords were also hashed and salted, but those with weak passwords were bruteforced and broken over time. There's more about the hack at the following link with what happened: https://bitcointalksearch.org/topic/m.11445725

Also, several 2-fa options will be available on the new forum software. There has been a sort of 2f option implemented here though in that now you can lock your account via an email once the details have been changed. It's not ideal but it's better than nothing.

What makes you so sure? +3 years from 2015 db leak, none solutions to this major problem yet except saying that they made announcements.. advising users to take precautions. Their role is not telling us what to do rather deliver the solution themselves. Sure they lack of communication because they suck, they should lead a team to perform the tasks they dislike or don''t have time for.


Alright then tell them to create some basic script to check how strong the chosen password is!. I encourage you to register a new account picking a dumb password like '123456password' you'll see the system doesn't acknowledge it as a vulnerability.. it is a joke! I invite you to try it yourself. The hackers can recognize the same hashes of those users that picked the same password, try searching on google those hashes yourself you will realize how silly this is. Try this: https://hashkiller.co.uk/


ok, then they should become proficient at handling the user database themselves making it secure with the described method above. Which they already demonstrated are not even concerned, for them everything seems to be "fine" or "nothing can be done". They don't care about our requests nor suggestions neither, just take a look on the Meta board to realize how many proposals get ignored and even criticized by ignorant plebs.

I'm sure they are thinking about it and have a solution to overcome this, but the problem is the lack of communication.

it's a problem, members must have a strong password at least this makes hackers have difficulty in carrying out the action.

I think Theymos will not use their services because there is sensitive data that must be shared.

My account AvenG has also been hacked recently, I already started a thread following all the requirements here. Still waiting reply from Admins.



If the hacking cause has already been identified what the hell the Theymos / Cyrus are waiting for to address it then fix it ??. it is not a matter if we the users have a "weak password" it is a matter of how the admins store our passwords because they shouldn't store the passwords themselves, they could hire Google, Amazon or any other service to handle user authentication. If they dislike trusting 3rd parties then they should follow some tutorial about hashing + salting , this way the hacker couldn't brute force the database. Using a strong hashing algorithm combined with another complicated salting algorithm should be incredible difficult to hack, not to mention if they enable 2FA to all of us. This way even those phishing sites wouldn't catch us. Here some video about the subject: YouTube hope someone shares it to them.

The main cause has already been established and that's due to the forum being hacked. People have just brute-forced the leaked password hashes that can be bought online very cheaply now. Anyone who didn't change their password after the leak is susceptible to being hacked. If you had a weak password then that's how they lost their account. Any other lost accounts are usually lost to downloading malware from here in the forum of things infected alt coin wallets, bitcoin doublers and visiting dodgy bitcoin sites and so on, then the rest are probably due to falling victim to phishing.

I believe that this is the main cause of the hacked accounts (phished)

https://bitcointalksearch.org/topic/m.39499059

Warning - unsafe links mentioned --> thebitcointalk.net  and bitcointalk.to  are scam phishing sites <-- Warning - unsafe links mentioned 

my main account wenwen has been hacked 07.20.2017,I can't find my old BTC wallet,now I have to wait for reply from administrator.

My account also hack just few hour before !

https://bitcointalksearch.org/user/sayyedraza-878718

Lets see if Admin can help to recover it

I see your account still posting today, scam selling thread. Couldn't call him out, thread is kept locked.
Your account is part of an admin lead hack, imo.

What other possible reason would they allow 100,000 hacked accounts - easily detectable as i previously explained - free to scam/shill/sig
(1000 of their farmed accounts were previously left in ruins https://bitcointalksearch.org/topic/rizzs-500-1670807 )

Why else would "admin" allow 100,000 accounts to activate and not even respond to members on this issue!
(or the mass farmed account issue)

my account was hacked just the other day with no password or email change notifications.

my original was cybermods

Iv contacted admins with zero response. I had no idea there was a breach in 2015. Im more of a casual lurker and posting maybe 1 or 2 times a month.

With this many accounts getting hacked and the utter clusterf@ck of account spamming on the forums you would think something would be done.

There are so many obvious things that should be done. Hacked accounts get banned until the original owner can prove it's theirs. All accounts that didn't change their passwords after 2015 get locked until confirmed (via a script obviously. Log in with the same IP = unlocked).

Why do the mods keep these massive spam threads open still? If there are 1000 answers over a month the OP obviously doesn't care if you think gambling is good or bad anymore or if you think satoshi will ever be found. I find that I see less spammers because I just don't look at those threads. They all flock to them because it's so easy to blend in and spam.

I'm sure there are better ideas too but that's what I've come up with off the top of my head.

This is really annoying:
https://bitcointalksearch.org/user/g83-92798
https://bitcointalksearch.org/user/dadaas-162087
https://bitcointalksearch.org/user/cointhinker-161195
https://bitcointalksearch.org/user/pangia-90490
https://bitcointalksearch.org/user/easynote-136967

---

It is very clear that the same person/group of people are behind these hacked accounts. It is also a possibility that they are using a bot to spam these one liners. However, Bitcointalk staff doesn't do anything. Maybe they will receive a 7 day ban.

Mine got hacked as well, any idea what to do? I do not receive any email to create a new password...

actual account: https://bitcointalksearch.org/user/alexius89-96934

I'm assuming you're talking about 2FA. The problem is that older accounts are getting hacked so 2FA still wouldn't be set up on them. It seems like a lot of emails must be hacked with the accounts too if you look at the seclog so essentially it'd be useless for this particular problem. It would be good for us though. I heard the new forum should have it.

OMG 
this is really serious problem and need to be attended. I guess they must add additional security here. example 4 combination of numbers to avoid hacking of account 

*Adjusts tinfoil hat* I am seemly rational aren't I?

I don't know. I just don't understand it. I'm looking into that post you mentioned now to understand the context of your post.


2015 so you should be fine.

So when was this data breach?  I think I changed my password like a year ago or so, do I need to change it again?

I would argue that the "wake up" is actually useless and a 'fake' gesture. It doesn't do anything besides confirming what we already knew; it doesn't help the admins either as it is trivial for them to detect this.

What did they tell you the last time, 'find a new hobby' or something?

You're asking the real questions.