Pages:
Author

Topic: Influx of Hacked Accounts - page 3. (Read 3684 times)

qwk
donator
Activity: 3542
Merit: 3413
Shitcoin Minimalist
May 25, 2015, 04:12:40 PM
#25
sr. member
Activity: 266
Merit: 250
May 25, 2015, 04:02:24 PM
#24
Alot of people use fake emails since no confirmation is needed when you signup, and what if i lost the password to the email that i signed up with?

They have a week to manually reset and update their email address. It is very irresponsible to setup an account and lose track of your throwaway email credentials. Any other accounts will be lost unless its a known member who can prove its them to theymos directly.

This would be a good opportunity to clear off many garbage shill accounts as well as they are more likely using fake email accounts.

Its not the end of the world if a few old anonymous accounts get frozen either and is a much better alternative than a bunch of compromised accounts start scamming people.
its not a matter of having throwaway emails, its a matter of not having made an email at all, just putting something where you should put your email address.
The hacked accounts make it pretty clear that either the passwords weren't salted,

What hacked accounts?
sr. member
Activity: 266
Merit: 250
May 25, 2015, 03:52:30 PM
#23
What needs to happen for security is any accounts that do not have their password reset manually within a week should have their passwords revoked and automatically reset where they can only be recovered with an email being sent with a recovery link to the address on file.
Alot of people use fake emails since no confirmation is needed when you signup, and what if i lost the password to the email that i signed up with?
sr. member
Activity: 266
Merit: 250
May 25, 2015, 03:38:46 PM
#22
I've already seen several suspicious accounts which I've noted down mentally.
The thing is, many old users left bitcointalk for a long time but they received an email saying they need to change their passwords, therefore an influx of old users will come back
staff
Activity: 3304
Merit: 4115
May 25, 2015, 02:47:18 PM
#21
At least right now, peoples senses are heighted and will be more alert to anything suspicious. Im more worryied for when nothing major has happended and people forget about security protocol and send their Bitcoin without seeking the verification that they would right now.

Which happens all the time, I've escrowed a few people. And they all seem to just want to get the trade done as quick as possible. bar a few.

At least at this present moment in time, users have more than likely upgraded their passwords. There probably isn't too much to worry about for the majority. The hacker only had a few minutes, so was probably unlikely to get the whole dump. However, it should be treated as though he has obtained every bit of information.
legendary
Activity: 1862
Merit: 1004
May 25, 2015, 02:44:07 PM
#20
There shouldn't be a problem with using escrows and the like, they can sign an address they've used previously. Or verify with PGP. To be honest, before any escrow trade goes through regardless of the suspicious the account could be hacked or not verifying they are who they say they are should always be done prior to the trade.

And, if you want to verify any other member, I'm sure sending them a message requesting a signature with a valid reason wouldn't be a problem for most users.
That's the idea, you should always stay alert. Knowing that a lot of accounts could be compromised right now you should stay extra vigilant. If you notice that someone is trying to take out a loan or sell something without escrow or collateral just don't fell for it.
legendary
Activity: 1778
Merit: 1043
#Free market
May 25, 2015, 02:43:21 PM
#19
I have a feeling we will be seeing a lot of hacked accounts in the near future (abandoned but high ranked accounts for example). Stay alert guys!

Yeah I've seen some old accounts just started posting again today after years of not being used Sad.

Which ones? Maybe a list should be compiled, though what Quickseller said in another thread will also be relevant that many older inactive members will be likely to return to change their passwords by the email they received from theymos.


Exactly, it could be a possibility but we should stay always on alert.... why an old member should make a trade after his return here in the forum? This is the suspicious thing. Like someone told here in this thread, ask always a signed message from a bitcoin address and PGP key.
sr. member
Activity: 322
Merit: 250
May 25, 2015, 02:40:30 PM
#18
How long would it take for the hacker(s) to get a password from the password hash and salt they stole?

How many accounts could they hack in a given period of time?

There must be a limit on the number of accounts they can access, so I assume they will go for the most useful looking ones and ignore low ranks.

It would take them a few hours to hack all the users with weak passwords. And a few days for users with medium difficulty password. See on the table.


There would be no limit to them, because they already downloaded the database. They can test it on their pc offline.
global moderator
Activity: 3990
Merit: 2713
Join the world-leading crypto sportsbook NOW!
May 25, 2015, 02:36:28 PM
#17
I have a feeling we will be seeing a lot of hacked accounts in the near future (abandoned but high ranked accounts for example). Stay alert guys!

Yeah I've seen some old accounts just started posting again today after years of not being used Sad.

Which ones? Maybe a list should be compiled, though what Quickseller said in another thread will also be relevant that many older inactive members will be likely to return to change their passwords by the email they received from theymos.
sr. member
Activity: 322
Merit: 250
May 25, 2015, 02:35:31 PM
#16
I have seen people claiming that their BCT and email accounts are hacked (their passwords were reset). Now it's getting difficult to even trust the old trusted members. Trading will be more difficult if any escrow's account was hacked.

It is not that hard, the users can still sign using their know bitcoin address prove their identity.

That's not the issue but now there might be many users who will claim their accounts as being hacked. Theymos will be having a tough time to recover these accounts and if these users have used their email accounts or bitcoin accounts with the same password, then chances of recovering their account is almost nil.

Theymos will not be recovering those accounts that cannot signed using their bitcoin address. Even so they can signed very few accounts will be restored as this is not theymos priority.
sr. member
Activity: 296
Merit: 250
May 25, 2015, 02:34:07 PM
#15
How long would it take for the hacker(s) to get a password from the password hash and salt they stole?

How many accounts could they hack in a given period of time?

There must be a limit on the number of accounts they can access, so I assume they will go for the most useful looking ones and ignore low ranks.
staff
Activity: 3304
Merit: 4115
May 25, 2015, 02:27:24 PM
#14
There shouldn't be a problem with using escrows and the like, they can sign an address they've used previously. Or verify with PGP. To be honest, before any escrow trade goes through regardless of the suspicious the account could be hacked or not verifying they are who they say they are should always be done prior to the trade.

And, if you want to verify any other member, I'm sure sending them a message requesting a signature with a valid reason wouldn't be a problem for most users.
legendary
Activity: 1456
Merit: 1000
May 25, 2015, 02:13:23 PM
#13
I would agree this could become an issue.  When dealing with someone for a while after this it might be worth looking if there is a big gap in posting dates.   

I don't know where this will lead.  So many different and a little scary options.  Will who ever use the accounts?   Sell information for money?   Send emails crafted to load malware to account specific emails? Go after IP address of miners looking for weakness?  I hope we see nothing out of it and just are more cautious.  But I have no idea what this will all lead to.
legendary
Activity: 2632
Merit: 1094
May 25, 2015, 02:04:46 PM
#12
I have seen people claiming that their BCT and email accounts are hacked (their passwords were reset). Now it's getting difficult to even trust the old trusted members. Trading will be more difficult if any escrow's account was hacked.

It is not that hard, the users can still sign using their know bitcoin address prove their identity.

That's not the issue but now there might be many users who will claim their accounts as being hacked. Theymos will be having a tough time to recover these accounts and if these users have used their email accounts or bitcoin accounts with the same password, then chances of recovering their account is almost nil.
legendary
Activity: 1414
Merit: 1077
May 25, 2015, 01:51:57 PM
#11
I have a feeling we will be seeing a lot of hacked accounts in the near future (abandoned but high ranked accounts for example). Stay alert guys!

Yeah I've seen some old accounts just started posting again today after years of not being used Sad.
sr. member
Activity: 322
Merit: 250
May 25, 2015, 01:49:29 PM
#10
I have seen people claiming that their BCT and email accounts are hacked (their passwords were reset). Now it's getting difficult to even trust the old trusted members. Trading will be more difficult if any escrow's account was hacked.

It is not that hard, the users can still sign using their known bitcoin address prove their identity.
legendary
Activity: 2632
Merit: 1094
May 25, 2015, 01:42:48 PM
#9
I have seen people claiming that their BCT and email accounts are hacked (their passwords were reset). Now it's getting difficult to even trust the old trusted members. Trading will be more difficult if any escrow's account was hacked.
hero member
Activity: 1064
Merit: 505
May 25, 2015, 01:34:23 PM
#8
I have a feeling we will be seeing a lot of hacked accounts in the near future (abandoned but high ranked accounts for example). Stay alert guys!

Agreed, also be especially careful trading with people. Even if no one gets hacked, I foresee some people scamming, and then trying to claim they were hacked to waive their liability.

The thing is, how can we actually mitigate that risk? Say someone is trading with me, how can they be sure that a) I'm not hacked and b) the escrow we're using isn't hacked. Especially as the escrows will be the primary targets.

The normal. Signed message via Bitcoin address or PGP.

Some people cant provide that. Lock all accounts untill their passwords are changed? Or maybe lock high rank accounts only until the password is changed, or only allow to unlock those accounts if proof of ownership is provided?
copper member
Activity: 2996
Merit: 2374
May 25, 2015, 01:33:34 PM
#7
I have a feeling we will be seeing a lot of hacked accounts in the near future (abandoned but high ranked accounts for example). Stay alert guys!

Agreed, also be especially careful trading with people. Even if no one gets hacked, I foresee some people scamming, and then trying to claim they were hacked to waive their liability.

The thing is, how can we actually mitigate that risk? Say someone is trading with me, how can they be sure that a) I'm not hacked and b) the escrow we're using isn't hacked. Especially as the escrows will be the primary targets.

The normal. Signed message via Bitcoin address or PGP.
This.

It is always a good idea to take this precaution, however now it is even more important to verify this.
staff
Activity: 3304
Merit: 4115
May 25, 2015, 01:32:28 PM
#6
The thing is, how can we actually mitigate that risk? Say someone is trading with me, how can they be sure that a) I'm not hacked and b) the escrow we're using isn't hacked. Especially as the escrows will be the primary targets.

The normal. Signed message via Bitcoin address or PGP.
Pages:
Jump to: