
Topic: Is this a security issue? Massive worker un & pw list found through google ... (Read 4026 times)

full member
Activity: 185
Merit: 100
Wait, why do mining workers even HAVE passwords?

I also never understood this...
To prevent others from abusing your account. Pools will ban misbehaving users.
hero member
Activity: 602
Merit: 501
Wait, why do mining workers even HAVE passwords?

I also never understood this...
hero member
Activity: 588
Merit: 500
Wait, why do mining workers even HAVE passwords?
hero member
Activity: 686
Merit: 564
Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden.
Not trivially; I don't think pushpoold supports storing worker passwords as anything other than plaintext.
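
Added example, not part of any post in this thread and not pushpoold or pool code: it contrasts what an exposed table reveals under the base64-plus-hidden-salt idea quoted above with a per-row salted, slow hash. The function names, `HIDDEN_SALT`, the iteration count, the sample password and the choice of PBKDF2-SHA256 are assumptions made for the sketch.

```python
import base64
import hashlib
import hmac
import os

HIDDEN_SALT = b"site-wide-secret"   # constructed stand-in for the "hidden salt"
ITERATIONS = 600_000                # assumed PBKDF2 work factor for this sketch

def store_base64(password: str) -> str:
    """Scheme suggested in the thread: base64 over password + hidden salt."""
    return base64.b64encode(password.encode() + HIDDEN_SALT).decode()

def dumped_base64_reveals(stored: str) -> bytes:
    """What a reader of the exposed table sees: decoding needs no key."""
    return base64.b64decode(stored)

def store_kdf(password: str) -> str:
    """Per-row random salt plus a slow KDF; only salt and digest are kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_kdf(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    pw = "worker-pass-1"  # constructed sample password
    print(dumped_base64_reveals(store_base64(pw)))
    row = store_kdf(pw)
    print(row, verify_kdf(pw, row), verify_kdf("wrong", row))
```

A hashed worker password can be checked or reset but no longer displayed back to the user, which is the trade-off against the "see them and edit them" requirement the pool operator gives in this thread.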
sr. member
Activity: 677
Merit: 250
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the account passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden.
They probably thought worker passwords weren't "important" enough.


They aren't "important", they are a mere formality.
And yet several people already had their email account compromised.

The lesson here is that every password the user types is important, because when you have a million users there is at least one dumb-ass who uses his PIN number as his password everywhere.

I'm pretty sure that responsibility lies with the user themselves. After all, if you use the same key for your car, house, boat, storage unit, etc. whose fault is it really? Maybe it's time to start a business doing compromised password insurance...

Yes, of course it's the user's responsibility. That's why I called those one-in-a-million users "dumb-asses".

But if the coder is too lazy to spare one line of code to encrypt a useless password then I wouldn't trust that same coder to process my transactions.

By the end of the day, this is yet another security breach and another blow to the credibility of Bitcoins. Whether you used nofeemining or not, whether you chose strong passwords or not doesn't matter, because you were still hurt by this security breach.
sr. member
Activity: 448
Merit: 250

And yet several people already had their email account compromised.

The lesson here is that every password the user types is important

...only if they are an idiot. If you operate by the 'no child left behind' policy, you end up with a whole classroom full of simpletons.



Side note: the pool I use (ArsBitcoin) states in bolded red text that worker names and passwords are stored as plaintext.
member
Activity: 83
Merit: 10
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the account passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden.
They probably thought worker passwords weren't "important" enough.


They aren't "important", they are a mere formality.
And yet several people already had their email account compromised.

The lesson here is that every password the user types is important, because when you have a million users there is at least one dumb-ass who uses his PIN number as his password everywhere.

I'm pretty sure that responsibility lies with the user themselves. After all, if you use the same key for your car, house, boat, storage unit, etc. whose fault is it really? Maybe it's time to start a business doing compromised password insurance...
sr. member
Activity: 677
Merit: 250
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the account passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden.
They probably thought worker passwords weren't "important" enough.


They aren't "important", they are a mere formality.
And yet several people already had their email account compromised.

The lesson here is that every password the user types is important, because when you have a million users there is at least one dumb-ass who uses his PIN number as his password everywhere.
hero member
Activity: 812
Merit: 1000
They aren't "important", they are a mere formality.

Problem is, careless people re-use passwords elsewhere like on their email accounts.
sr. member
Activity: 448
Merit: 250
These are passwords from bitcoinpool.com

nofeemining, brother. Read the thread.

I stand corrected, I noticed a lot of usernames that match bitcoinpool users.

I am sure there is plenty of overlap, particularly the hoppers.

I just don't get why anyone sets their miner names/passwords to anything but default...like I said, they are completely arbitrary.
sr. member
Activity: 463
Merit: 252
These are passwords from bitcoinpool.com

nofeemining, brother. Read the thread.

I stand corrected, I noticed a lot of usernames that match bitcoinpool users.
sr. member
Activity: 448
Merit: 250
These are passwords from bitcoinpool.com

nofeemining, brother. Read the thread.
sr. member
Activity: 463
Merit: 252
These are passwords from bitcoinpool.com
sr. member
Activity: 448
Merit: 250
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the account passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden.
They probably thought worker passwords weren't "important" enough.


They aren't "important", they are a mere formality.
sr. member
Activity: 677
Merit: 250
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the account passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden.
They probably thought worker passwords weren't "important" enough.
full member
Activity: 224
Merit: 100
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the account passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden.
newbie
Activity: 54
Merit: 0
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the account passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.
newbie
Activity: 55
Merit: 0
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

We managed to minimize the damage on our end though only about 1 or 2 coins were lost.

Glad to hear this will be corrected :)
full member
Activity: 224
Merit: 100
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the account passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP
newbie
Activity: 54
Merit: 0
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

We managed to minimize the damage on our end though only about 1 or 2 coins were lost.