Pages:
Author

Topic: Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred - page 31. (Read 158152 times)

legendary
Activity: 1008
Merit: 1000
The GPG signed message on inputs.io and the GPG key that TF has previously used are DIFFERENT

Do not trust anything signed that is not signed with key ID 2048D/2E67C3DF. This is the key TF always used and we have no reason to believe he would use a different key now

Archived version of glados.cc from http://web.archive.org/web/20130606204001/http://glados.cc/ says that his GPG key is 2E67C3DF. See for yourself.
sr. member
Activity: 322
Merit: 250
The GPG signed message on inputs.io and the GPG key that TF has previously used are DIFFERENT

Do not trust anything signed that is not signed with key ID 2048D/2E67C3DF. This is the key TF always used and we have no reason to believe he would use a different key now
legendary
Activity: 1582
Merit: 1002
I just replied to your email, asking for your Bitcoin address.
I have sent you an address.

BTW, I think storing 4100 BTC (!) on hot wallet is somewhat an insanity and hope other service operators will not repeat this mistake!
sr. member
Activity: 322
Merit: 250
Hello, chiming in here. The GPG signed message on the website doesn't check out. I saved the key that he had on glados.cc, and the key ID is 2E67C3DF, but when I checked this message, the key is 63DD3F13. What's the reason behind this TF?
vip
Activity: 1316
Merit: 1043
👻
This doesn't look good, https://inputs.io shows this message.

Quote
404 BTC not found

Two hacks have left Inputs unable to pay

Woah, this admittedly IS looking bad now Sad TradeFortress, please give us an update?
I have some feelings that you won't see any updates from Inputs.io!  Sad

I just replied to your email, asking for your Bitcoin address.
legendary
Activity: 1652
Merit: 1128
That's just over a million at current exchange rates. Gotta say I'm finding it a little hard to believe he was actually hacked and this isn't just another long con, though I'd like to believe that isn't the case.
legendary
Activity: 1652
Merit: 1128
Full message on his website.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.

Database access was also obtained, however passwords are securely stored and are hashed on the client. Bitcoin backend code were transferred to 10;[email protected]:[email protected] (most likely another compromised server).

What about my coins there? If you stored more than 1 BTC, send an email to [email protected] with a Bitcoin address (preferably, an offline, open source light/SPV wallet like Multibit or Electrum). Use the same email you're using on Inputs. Please don't store Bitcoins on an internet connected device, regardless of it is your own or a service's.

I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJSeuZ9AAoJEB7FawRj3T8Th5QH/iapt2DUuyy1j7t51y1N1LOk
+Gu5fdIAV8molXnv+InMQvxtfxWfc7zKiROSP6Zv1cXdvMrCyzKP+SnTEFshIa+0
j2FYOgLeMNmsPSw8yeR1O8vJieYlK+7imEZL4nRKA+O+mjqCT1nTCtBUAVcYQ8Uu
O6BoNLkgT8z/1ZTfw+OK4t2kw9KcC317JOv3yVugfA3xCn4HbKPRP2yFIKR49C7L
w7C2h3L1jHqLerQNjbowcyKH83BFJ2IB0cFZFFCLBI+8NQcUIcIFymxrxUV73Rqa
xlMPX2rPFcIj6yz0ABl1t2rwY2DGOvc33MYCzX82CumLx/qAXCd2uF/jG6fzQ5M=
=Ip/9
-----END PGP SIGNATURE-----
legendary
Activity: 1582
Merit: 1002
This doesn't look good, https://inputs.io shows this message.

Quote
404 BTC not found

Two hacks have left Inputs unable to pay

Woah, this admittedly IS looking bad now Sad TradeFortress, please give us an update?
I have some feelings that you won't see any updates from Inputs.io!  Sad
newbie
Activity: 57
Merit: 0
This doesn't look good, https://inputs.io shows this message.

Quote
404 BTC not found

Two hacks have left Inputs unable to pay

Woah, this admittedly IS looking bad now Sad TradeFortress, please give us an update?

Update please, why this message, what is the timeframe for processing withdrawals again?
legendary
Activity: 2198
Merit: 1989
฿uy ฿itcoin
Why is my "hotpocket empty"?

Same happened here.

Have all (or most of) funds from "hot wallets" been removed to cold storage?

First: it's not your hot pocket, it's inputs'.

I guess TF moved all coins to a secure cold wallet until he fixed the security breaches.

So calm down and use electrum to keep huge amounts next time Smiley

Any news from TF?

He said he'll bring us an update soon, so we'll hear from him soon enough.
legendary
Activity: 1008
Merit: 1000
This doesn't look good, https://inputs.io shows this message.

Quote
404 BTC not found

Two hacks have left Inputs unable to pay

Woah, this admittedly IS looking bad now Sad TradeFortress, please give us an update?
sr. member
Activity: 294
Merit: 250
Googled "side channel", it is said its Xen's hole.
input.io use aws, and aws is base on Xen.

This is very misleading. Side channel attack is a whole group of attacks, but this term is commonly used when talking about cryptography (please see https://en.wikipedia.org/wiki/Side_channel_attack, and in the rare event that you are really into it http://www.sidechannelattacks.com/a.aspx).

I can't think of any reason why someone would say this was a side channel attack (actually, sic: "like a 'side channel' attack"), except to disguise the shame of the actual bug(s) found that won't be properly disclosed. It's time to get honest and drop the text about "most secure wallet ever created".
sr. member
Activity: 728
Merit: 253
A Blockchain Mobile Operator With Token Rewards
I haven't lost any money - but I just need to move some around.  If you can let me know the soonest when I can do this...thanks! Just 2 BTC...
newbie
Activity: 45
Merit: 0
Googled "side channel", it is said its Xen's hole.
input.io use aws, and aws is base on Xen.

so , maybe TF is busing moving input.io from aws to some physical machine.
That's why it took so long.




hope so
legendary
Activity: 1050
Merit: 1004
I suspect that this could be a faucet code issue and not a inputs.io problem

This hacker may be targeting sites that surely would have had an input.io account with API enabled, looking for vulnerability, trying to obtain read privileges of the config.php in which almost all current faucet keep it in plain API key and pin codes

I've also found a strange activity on my site and services overflow attempts, but without any success

Yep, makes sense.
member
Activity: 70
Merit: 10
Googled "side channel", it is said its Xen's hole.
input.io use aws, and aws is base on Xen.

so , maybe TF is busing moving input.io from aws to some physical machine.
That's why it took so long.

sr. member
Activity: 336
Merit: 250
Yes, calm is the only way here. If you can't be calm, don't trust external sites with you btc.

Take care of them yourself.
legendary
Activity: 2198
Merit: 1989
฿uy ฿itcoin
CoinLenders should probably have it's withdraw disabled - I withdrew and found nothing shows up in my Inputs.IO wallet... then I come and look and the API is disabled. (which is probably why the deposit part didn't take effect)

CoinLenders should probably have caught some sort of error and not deducted my balance... hopefully this item is easy to fix and get balances right!

My luck is not too good these days - lose some BTC to an "auto-refund" by Coinbase and now to API key for CoinLenders...

I agree with your suggestion. I withdraw 5 BTC yesterday from Coinlenders and they never show up in inputs. I've sending email to TF and not receive any reply for this. This might be a serious problem for all of us.

I guess he won't be answering email for a while since he is really busy. He already said that he will refund everyone so you probably shouldn't worry about those 5 BTC.
member
Activity: 70
Merit: 10
Why is my "hotpocket empty"?

Same happened here.

Have all (or most of) funds from "hot wallets" been removed to cold storage?

First: it's not your hot pocket, it's inputs'.

I guess TF moved all coins to a secure cold wallet until he fixed the security breaches.

So calm down and use electrum to keep huge amounts next time Smiley

Any news from TF?

No, and when i withdraw from input.io, got "hotpocket empty"
full member
Activity: 229
Merit: 101
Why is my "hotpocket empty"?

Same happened here.

Have all (or most of) funds from "hot wallets" been removed to cold storage?

First: it's not your hot pocket, it's inputs'.

I guess TF moved all coins to a secure cold wallet until he fixed the security breaches.

So calm down and use electrum to keep huge amounts next time Smiley

Any news from TF?
Pages:
Jump to: