Topic: Inputs hacked? (Read 1051 times)

full member
Activity: 168
Merit: 100
November 10, 2013, 03:24:57 PM
#19
I'm really really tired reading the same news olds all over again.
Though I don't know why I'm writing this and making this thread bumped
Can you read the title? If you are tired of the same olds then why did you open this thread?
legendary
Activity: 1512
Merit: 1049
Death to enemies!
November 09, 2013, 09:00:17 PM
#18
And I see it again - not a direct hack (SQLi, 0day vuln) but bypass using e-mail to reset password. I think we should start building more secure schemes that do not involve ability to reset password once forgotten (or unknown by attacker) and that do not require e-mail when registering account.
Have fun recovering your email next time?
I never needed to recover any password in the last 6 years. Tormail also did not have a password recovery feature and it was great. People must learn to use computers properly and stop and think for a sec instead of socializing on facefuck/twatter like dogs in heat.

Also this shows why it is more secure to have a real server in your own premises instead of using colocation or a VPS that has remote access and where you have no direct control over the hardware. It is really important for security, and most people overlook it. Why don't banks use Hostgator but use their own secured hardware? Why should Bitcoin be different in this matter?
hero member
Activity: 647
Merit: 501
GainerCoin.com 🔥 Masternode coin 🔥
November 09, 2013, 08:18:23 PM
#17
Hate hackers really, he just make someone's life miserable....
newbie
Activity: 41
Merit: 0
November 09, 2013, 11:01:59 AM
#16
I'm really really tired reading the same news olds all over again.
Though I don't know why I'm writing this and making this thread bumped
b!z
legendary
Activity: 1582
Merit: 1010
November 09, 2013, 09:35:39 AM
#15
Yep, check link in my signature for instructions on getting a refund.
hero member
Activity: 602
Merit: 500
November 09, 2013, 07:05:08 AM
#14
And I see it again - not a direct hack (SQLi, 0day vuln) but bypass using e-mail to reset password. I think we should start building more secure schemes that do not involve ability to reset password once forgotten (or unknown by attacker) and that do not require e-mail when registering account.

This wasn't how it's done. I can still log in using the same password. It had something to do with the API key

Tradefortress claimed that his email chain was hacked. Therefore gaining access to the site and API.
legendary
Activity: 2674
Merit: 2965
Terminated.
November 09, 2013, 02:47:13 AM
#13
And I see it again - not a direct hack (SQLi, 0day vuln) but bypass using e-mail to reset password. I think we should start building more secure schemes that do not involve ability to reset password once forgotten (or unknown by attacker) and that do not require e-mail when registering account.
Have fun recovering your email next time?
sr. member
Activity: 420
Merit: 250
November 08, 2013, 10:09:43 PM
#12
Oh man, email bypass again...... it sucks....
hero member
Activity: 602
Merit: 500
November 08, 2013, 09:28:03 PM
#11
And I see it again - not a direct hack (SQLi, 0day vuln) but bypass using e-mail to reset password. I think we should start building more secure schemes that do not involve ability to reset password once forgotten (or unknown by attacker) and that do not require e-mail when registering account.

It needs to be done. It seems that this is a common problem and the recent news reflects that.
legendary
Activity: 1512
Merit: 1049
Death to enemies!
November 08, 2013, 08:51:10 PM
#10
And I see it again - not a direct hack (SQLi, 0day vuln) but bypass using e-mail to reset password. I think we should start building more secure schemes that do not involve ability to reset password once forgotten (or unknown by attacker) and that do not require e-mail when registering account.
sr. member
Activity: 275
Merit: 250
November 08, 2013, 05:46:03 AM
#9
I think TradeFortress is really kind enough to give whatever is left. I guess if it's another person he would have just said the hacker took everything and GONE....
full member
Activity: 238
Merit: 100
November 08, 2013, 01:12:20 AM
#8
yes, good job OP. you can write (at least)
legendary
Activity: 2674
Merit: 2965
Terminated.
November 08, 2013, 12:34:18 AM
#7
Now people are accusing TF of running away with the coins and a full DOX was done here:
https://bitcointalksearch.org/topic/--327178
Accurate or not, many people are now doubting TradeFortress.
Many, not so smart people, indeed.
hero member
Activity: 526
Merit: 500
November 07, 2013, 08:47:07 PM
#6
Yes, which you can ask for partial payment now before the hot wallet goes dry......
legendary
Activity: 1736
Merit: 1029
November 07, 2013, 06:51:02 PM
#5
Now people are accusing TF of running away with the coins and a full DOX was done here:
https://bitcointalksearch.org/topic/--327178
Accurate or not, many people are now doubting TradeFortress.
legendary
Activity: 2674
Merit: 2965
Terminated.
November 07, 2013, 05:43:39 PM
#4
This is like the millionth topic on the same thing.

OH EM GEE YOU SCAMMED ME 1337 BITCOINS

MUST LEAVE U NEG FEEDBACK!
One does simply not scam for leet number of bitcoins.
member
Activity: 112
Merit: 10
November 07, 2013, 05:42:49 PM
#3
This is like the millionth topic on the same thing.

OH EM GEE YOU SCAMMED ME 1337 BITCOINS

MUST LEAVE U NEG FEEDBACK!
legendary
Activity: 2674
Merit: 2965
Terminated.
November 07, 2013, 05:42:07 PM
#2
This is like the millionth topic on the same thing.
full member
Activity: 168
Merit: 100
November 07, 2013, 03:15:24 PM
#1
I went on their site and got this. Check it for yourself:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.

Database access was also obtained, however passwords are securely stored and are hashed on the client. Bitcoin backend code were transferred to 10;[email protected]:[email protected] (most likely another compromised server).

What about my coins there? If you stored more than 1 BTC, send an email to [email protected] with a Bitcoin address (preferably, an offline, open source light/SPV wallet like Multibit or Electrum). Use the same email you're using on Inputs. Please don't store Bitcoins on an internet connected device, regardless of it is your own or a service's.

I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----


Access inputs.io if you want to verify your balance, look up your transactions, etc. Don't add coins.