Topic: Just lost 0.05709292 BTC on Slushpool... (Read 561 times)

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
July 12, 2022, 12:37:40 AM
#15
Damn man I'm sorry to hear that, is F2Pool the same way. Do I need to add the F2 authenticator so that someone doesn't steal my crap? And all they needed was a damn password and log in? Wow, okay thanks for this I am going to for sure set up this now.

It's best to pose these questions to F2Pool support - although it's highly unlikely that their web infrastructure is using similar software to Slushpool, that's really a question only they can answer unless there are people willing to take risks with that using their own accounts.
newbie
Activity: 1
Merit: 0
Damn man I'm sorry to hear that, is F2Pool the same way. Do I need to add the F2 authenticator so that someone doesn't steal my crap? And all they needed was a damn password and log in? Wow, okay thanks for this I am going to for sure set up this now.
newbie
Activity: 5
Merit: 13
Still, do you know the identity of the hacker, and have you even managed to successfully contact him/her before?

It is unlikely that you'll be able to establish any contact with hackers given that they don't leave any of their own email addresses for you to send mail to.
I have the email he/she tried to change the slushpool account to as well. While I suppose I could try striking a deal with him/her. I rather not encourage these attackers by letting them win any amount.

I have an idea: Slushpool does not ask for email authentication when adding hardware U2F/2FA?

If you have a FIDO hardware device you can maybe add it to your Slushpool account and be able to remove the added address there.

I searched a bit and it seems that you are able to make your FIDO security with your mobile phone if you don't want to buy a hardware FIDO device.
I found two articles below that say that you can use a mobile phone as a FIDO security key

- https://www.gotrustid.com/post/your-phone-is-now-the-alternative-to-the-usb-fido-key
- https://www.inthecloud247.com/using-your-smartphone-as-a-fido-security-with-idmelon/

Once you succeed in changing the address make sure to withdraw your Bitcoin from that account. Hope this will work.
Just tried, nope it doesn't let me add another FIDO device as it requires 2FA check with the FIDO devices the compromiser added... I guess that's why there's two of them. He/she double checked I couldn't add one as long as he/she snuck in the first.
legendary
Activity: 3206
Merit: 2904
Block halving is coming.
I have an idea: Slushpool does not ask for email authentication when adding hardware U2F/2FA?

If you have a FIDO hardware device you can maybe add it to your Slushpool account and be able to remove the added address there.

I searched a bit and it seems that you are able to make your FIDO security with your mobile phone if you don't want to buy a hardware FIDO device.
I found two articles below that say that you can use a mobile phone as a FIDO security key

- https://www.gotrustid.com/post/your-phone-is-now-the-alternative-to-the-usb-fido-key
- https://www.inthecloud247.com/using-your-smartphone-as-a-fido-security-with-idmelon/

Once you succeed in changing the address make sure to withdraw your Bitcoin from that account. Hope this will work.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I have a suggestion: offer to sell the email for ⅓ of the 0.057 btc.

As it sits neither you nor the hacker will see the money. It will stay locked. Maybe he takes you up on the offer and you both get a piece of it.

You could show him this thread and let him know you don't hate him and admire his skill set. Since his actions brought this account to your attention you would be willing to let him have a reward.

Seems better than letting the .057 sit and stay frozen.
Haha, my email has far too many other accounts tied to it. On top of having emotional attachments to it.

Still, do you know the identity of the hacker, and have you even managed to successfully contact him/her before?

It is unlikely that you'll be able to establish any contact with hackers given that they don't leave any of their own email addresses for you to send mail to.
newbie
Activity: 5
Merit: 13
Ok, then i suggest you guys open a ticket with a "feature request" so that it gets in the system and they know you want this.
Will do!

I have a suggestion: offer to sell the email for ⅓ of the 0.057 btc.

As it sits neither you nor the hacker will see the money. It will stay locked. Maybe he takes you up on the offer and you both get a piece of it.

You could show him this thread and let him know you don't hate him and admire his skill set. Since his actions brought this account to your attention you would be willing to let him have a reward.

Seems better than letting the .057 sit and stay frozen.
Haha, my email has far too many other accounts tied to it. On top of having emotional attachments to it.
legendary
Activity: 4102
Merit: 7763
'The right to privacy matters'
March 18, 2022, 11:39:55 AM
#9
Ping out to Artemis3 and see if he can help you or at least point you towards someone who might be able to. If not just keep pinging out to the general help people eventually someone might do something. Surprised that they don't have a confirmation email when adding 2FA, that is usually a standard thing to do.

Good luck.

-Dave
I will! Thank you!

Honestly another standard practice would be denying the login due to the new geolocation they tried logging in from. A "New sign in detected from IP XXX, please confirm" email would have prevented this entire thing from occurring.

So what you "think" becomes reality somehow?

You must prove ownership of the account. If you managed to block the payments before they stole anything, it is safe. If they had taken the money out, it would be goodbye as Bitcoin transactions are final.

Now prove it, and follow whatever instructions they ask you to do. Because any random stranger can make a claim like yours, trying to steal someone else's money just pretending they "lost their password" or got "hacked" (social engineering).
From the back and forth I had with slushpool support, the only option they propose is to get access to an extremely old wallet. Again, most likely a deposit wallet on BTCe (you know, the one that got shut down), or an old bitcoin wallet that's since been deleted over the course of 4 windows reinstalls and 2 computer upgrades. It was 8 years ago...

So, how did they get your "password" in the first place? Seems you failed to perform basic computer security practices.
Of course they ask you to sign a message with your wallet, isn't that an obvious proof of wallet ownership? What were you doing using a "custodial" (online) wallet in the first place?

Not your keys, not your money. How many years has this been repeated?
Yes yes, I understand it was my fault for not taking care of the old account. As for how the password got out, it got leaked during a data breach... a few years ago? Not sure the exact one. It was leaked in plain text too, not just hashes. I've since changed my password and enabled 2FA on all accounts I can think of, but unfortunately missed this one, cause... like I said, I forgot about this slushpool account. My bad.

Well that doesn't help things either. What makes Slush Pool recognize YOU as the legitimate owner? I wonder if your claim is even real or you are just spreading FUD.
I have access to the original email that registered the account, with the “New account confirmation” from mining.bitcoin.cz dating back to 2013. And, this may be coincidental timing, but I just received an email yesterday asking to purchase my mail box.


Duh? How about not letting your password fall in the wrong hands? You think there are no incidents where they won't exploit "email 2fa" as well? Sometimes the existence of weak "password recovery security questions" set to your email provider are precisely the vector for penetration.

Or is it that you actually need this vector to exploit it? Nice try... Yeah, some people actually need 2fa enabled to be able to penetrate...

If you want to give advice to others, start with the basics: Use your own wallet, let's repeat it until you get it:
Not your keys, not your money.

Oh and, basic password security practices, because you are putting the cart before the horse, protecting the password is more important than relying on 2fa.
The best practice is to keep all accounts using different passwords. Which is precisely why the compromiser couldn’t access my email. On slushpool, to change password, change email, change wallet, all require email confirmation. But adding 2FA FIDO (physical device, not email 2FA) apparently does not require it.

So the unknown device that accesses your account is using a Samsung device? A mobile phone?
And added a Hardware authentication?

What exactly do you see on U2F on the settings it should have the name of the hardware device. I never heard of any U2F fido that supports mobile except only one hardware device through NFC.
No, he/she linked a Samsung device. It’s apparently used to monitor the user account with a mobile app. I unlinked it without a problem.

This is what I see in the security tab:


The bad thing here is if you own that account why you didn't add 2FA authentication? That's the bad practice to protect your account and actually, that is the basic thing to do to protect your account.
And I think you won't be able to add hardware authentication without Email access unless the hacker also has access to your Email and password?
No, he does not have access to my email. Otherwise those BTC would be gone already. Also it appears the person wants to purchase my mail box (or it could be coincidental timing).

From memory the account has so little BTC, it was below the payout threshold (this was over 8 years ago), so I just forgot about it. It’s my fault for forgetting about it, but still, point of this post is to give a heads up there’s no geolocation check on login, nor email confirmation when adding 2FA FIDO (physical device).

Let's start with YES the OP fucked up.
But Slush / Braiins is also doing it wrong.

You can set up an account at Slush and never add 2FA. (OP's mistake)

If someone gets your username & password they can then add a YubiKey or other form of 2FA WITHOUT any other form of checking (i.e. an email asking if you want to do this).

In theory, if you get a hold of someone's user / password but nothing else, you would not be able to withdraw, since THAT requires an email. But you could change their payout address and add a 2FA device that they do not have access to, more or less locking them out of their BTC.

Just about every other place I have used either FORCES 2FA in the beginning, or you get a verification email / text / whatever before adding the 2nd.

-Dave

Yes and that's what this post is really about. If you're using slushpool and don't have 2FA FIDO, please be sure to add one!


I have a suggestion: offer to sell the email for ⅓ of the 0.057 btc.

As it sits neither you nor the hacker will see the money. It will stay locked. Maybe he takes you up on the offer and you both get a piece of it.

You could show him this thread and let him know you don't hate him and admire his skill set. Since his actions brought this account to your attention you would be willing to let him have a reward.

Seems better than letting the .057 sit and stay frozen.
legendary
Activity: 1988
Merit: 1561
CLEAN non GPL infringing code made in Rust lang
March 18, 2022, 11:17:58 AM
#8
Ok, then i suggest you guys open a ticket with a "feature request" so that it gets in the system and they know you want this.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
March 18, 2022, 11:06:44 AM
#7
Side note but it is something I posted about 1 year ago. Never delete old wallets if possible:
https://bitcointalksearch.org/topic/psa-never-delete-your-old-wallets-or-keys-5325660
Probably deserves a bump to bring it back to where people can see and talk about it again.

-Dave
newbie
Activity: 5
Merit: 13
March 18, 2022, 10:15:03 AM
#6
Ping out to Artemis3 and see if he can help you or at least point you towards someone who might be able to. If not just keep pinging out to the general help people eventually someone might do something. Surprised that they don't have a confirmation email when adding 2FA, that is usually a standard thing to do.

Good luck.

-Dave
I will! Thank you!

Honestly another standard practice would be denying the login due to the new geolocation they tried logging in from. A "New sign in detected from IP XXX, please confirm" email would have prevented this entire thing from occurring.

So what you "think" becomes reality somehow?

You must prove ownership of the account. If you managed to block the payments before they stole anything, it is safe. If they had taken the money out, it would be goodbye as Bitcoin transactions are final.

Now prove it, and follow whatever instructions they ask you to do. Because any random stranger can make a claim like yours, trying to steal someone else's money just pretending they "lost their password" or got "hacked" (social engineering).
From the back and forth I had with slushpool support, the only option they propose is to get access to an extremely old wallet. Again, most likely a deposit wallet on BTCe (you know, the one that got shut down), or an old bitcoin wallet that's since been deleted over the course of 4 windows reinstalls and 2 computer upgrades. It was 8 years ago...

So, how did they get your "password" in the first place? Seems you failed to perform basic computer security practices.
Of course they ask you to sign a message with your wallet, isn't that an obvious proof of wallet ownership? What were you doing using a "custodial" (online) wallet in the first place?

Not your keys, not your money. How many years has this been repeated?
Yes yes, I understand it was my fault for not taking care of the old account. As for how the password got out, it got leaked during a data breach... a few years ago? Not sure the exact one. It was leaked in plain text too, not just hashes. I've since changed my password and enabled 2FA on all accounts I can think of, but unfortunately missed this one, cause... like I said, I forgot about this slushpool account. My bad.

Well that doesn't help things either. What makes Slush Pool recognize YOU as the legitimate owner? I wonder if your claim is even real or you are just spreading FUD.
I have access to the original email that registered the account, with the “New account confirmation” from mining.bitcoin.cz dating back to 2013. And, this may be coincidental timing, but I just received an email yesterday asking to purchase my mail box.
https://i.imgur.com/STi5E9B.png

Duh? How about not letting your password fall in the wrong hands? You think there are no incidents where they won't exploit "email 2fa" as well? Sometimes the existence of weak "password recovery security questions" set to your email provider are precisely the vector for penetration.

Or is it that you actually need this vector to exploit it? Nice try... Yeah, some people actually need 2fa enabled to be able to penetrate...

If you want to give advice to others, start with the basics: Use your own wallet, let's repeat it until you get it:
Not your keys, not your money.

Oh and, basic password security practices, because you are putting the cart before the horse, protecting the password is more important than relying on 2fa.
The best practice is to keep all accounts using different passwords. Which is precisely why the compromiser couldn’t access my email. On slushpool, to change password, change email, change wallet, all require email confirmation. But adding 2FA FIDO (physical device, not email 2FA) apparently does not require it.

So the unknown device that accesses your account is using a Samsung device? A mobile phone?
And added a Hardware authentication?

What exactly do you see on U2F on the settings it should have the name of the hardware device. I never heard of any U2F fido that supports mobile except only one hardware device through NFC.
No, he/she linked a Samsung device. It’s apparently used to monitor the user account with a mobile app. I unlinked it without a problem.

This is what I see in the security tab:
https://i.imgur.com/IyumBAy.png

The bad thing here is if you own that account why you didn't add 2FA authentication? That's the bad practice to protect your account and actually, that is the basic thing to do to protect your account.
And I think you won't be able to add hardware authentication without Email access unless the hacker also has access to your Email and password?
No, he does not have access to my email. Otherwise those BTC would be gone already. Also it appears the person wants to purchase my mail box (or it could be coincidental timing).

From memory the account has so little BTC, it was below the payout threshold (this was over 8 years ago), so I just forgot about it. It’s my fault for forgetting about it, but still, point of this post is to give a heads up there’s no geolocation check on login, nor email confirmation when adding 2FA FIDO (physical device).

Let's start with YES the OP fucked up.
But Slush / Braiins is also doing it wrong.

You can set up an account at Slush and never add 2FA. (OP's mistake)

If someone gets your username & password they can then add a YubiKey or other form of 2FA WITHOUT any other form of checking (i.e. an email asking if you want to do this).

In theory, if you get a hold of someone's user / password but nothing else, you would not be able to withdraw, since THAT requires an email. But you could change their payout address and add a 2FA device that they do not have access to, more or less locking them out of their BTC.

Just about every other place I have used either FORCES 2FA in the beginning, or you get a verification email / text / whatever before adding the 2nd.

-Dave

Yes and that's what this post is really about. If you're using slushpool and don't have 2FA FIDO, please be sure to add one!
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
March 18, 2022, 09:29:06 AM
#5
Let's start with YES the OP fucked up.
But Slush / Braiins is also doing it wrong.

You can set up an account at Slush and never add 2FA. (OP's mistake)

If someone gets your username & password they can then add a YubiKey or other form of 2FA WITHOUT any other form of checking (i.e. an email asking if you want to do this).

In theory, if you get a hold of someone's user / password but nothing else, you would not be able to withdraw, since THAT requires an email. But you could change their payout address and add a 2FA device that they do not have access to, more or less locking them out of their BTC.

Just about every other place I have used either FORCES 2FA in the beginning, or you get a verification email / text / whatever before adding the 2nd.

-Dave
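
The check this post says is missing, as an added example that is not part of the original post and not Slush Pool's code: a hypothetical policy in which every account-control change, including enrolling a 2FA device, is parked until it is confirmed from the registered mailbox. All names, the token lifetime and the sample account are assumptions.

```python
import hashlib
import secrets

# Hypothetical policy (an assumption, not any pool's real code): actions that
# change who controls the account or where funds go need more than a password.
SENSITIVE = {"change_password", "change_email", "change_wallet",
             "add_authenticator", "remove_authenticator"}
TOKEN_TTL = 15 * 60  # seconds a mailed confirmation token stays valid


class Account:
    def __init__(self, email):
        self.email = email
        self.authenticators = []  # ids of active FIDO credentials
        self.settings = {}        # language, wallet address, ...
        self.pending = {}         # sha256(token) -> (action, value, expires_at)
        self.outbox = []          # stand-in for the mail system: (to, token)


def _digest(token):
    # Only the hash is stored, so a leaked pending table yields no usable token.
    return hashlib.sha256(token.encode()).hexdigest()


def _apply(acct, action, value):
    if action == "add_authenticator":
        acct.authenticators.append(value)
    elif action == "remove_authenticator":
        if value in acct.authenticators:
            acct.authenticators.remove(value)
    else:
        acct.settings[action] = value


def request_change(acct, action, value, now, fido_assertion_ok=False):
    """Handle a change requested from a session that only proved the password."""
    if action not in SENSITIVE:
        _apply(acct, action, value)
        return "applied"
    # Once a key is enrolled, a fresh assertion from it is required as well.
    if acct.authenticators and not fido_assertion_ok:
        return "denied"
    # Park the change until the owner of the registered mailbox confirms it.
    token = secrets.token_urlsafe(32)
    acct.pending[_digest(token)] = (action, value, now + TOKEN_TTL)
    acct.outbox.append((acct.email, token))
    return "pending_email"


def confirm(acct, token, now):
    """Apply a parked change if the mailed token is known and not expired."""
    entry = acct.pending.pop(_digest(token), None)
    if entry is None or now > entry[2]:
        return False
    _apply(acct, entry[0], entry[1])
    return True


if __name__ == "__main__":
    # Constructed scenario: an intruder holding only the leaked password.
    acct = Account("owner@example.test")
    print(request_change(acct, "add_authenticator", "intruder-key", now=0))
    print(acct.authenticators)  # still empty: nothing is enrolled yet
    print(confirm(acct, "guessed-token", now=10), acct.authenticators)
```

With this rule the first enrollment of a device is held to the same bar the thread reports for password, email and wallet changes, so a password-only session cannot lock the owner out.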
legendary
Activity: 3206
Merit: 2904
Block halving is coming.
March 17, 2022, 06:47:52 PM
#4
So the unknown device that accesses your account is using a Samsung device? A mobile phone?
And added a Hardware authentication?

What exactly do you see on U2F on the settings it should have the name of the hardware device. I never heard of any U2F fido that supports mobile except only one hardware device through NFC.

The bad thing here is if you own that account why you didn't add 2FA authentication? That's the bad practice to protect your account and actually, that is the basic thing to do to protect your account.
And I think you won't be able to add hardware authentication without Email access unless the hacker also has access to your Email and password?

I think no one here can help you better bring your issue directly with slushpool support [email protected] or contact us.
legendary
Activity: 1988
Merit: 1561
CLEAN non GPL infringing code made in Rust lang
March 17, 2022, 12:07:52 PM
#3
Ping out to Artemis3 https://bitcointalksearch.org/user/artemis3-980501 and see if he can help you or at least point you towards someone who might be able to. If not just keep pinging out to the general help people eventually someone might do something. Surprised that they don't have a confirmation email when adding 2FA, that is usually a standard thing to do

These things are handled at the pool by opening a support ticket from the help section, which the OP has already done apparently and looks unsatisfied or unable to comply with the proof of ownership the pool for very good reasons (explained above) is asking for. Also I am not pool support, just Braiins OS so please don't ping me on those...
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
March 17, 2022, 11:56:17 AM
#2
Ping out to Artemis3 https://bitcointalksearch.org/user/artemis3-980501 and see if he can help you or at least point you towards someone who might be able to. If not just keep pinging out to the general help people eventually someone might do something. Surprised that they don't have a confirmation email when adding 2FA, that is usually a standard thing to do.

Good luck.

-Dave
newbie
Activity: 5
Merit: 13
March 16, 2022, 11:40:23 AM
#1
Hey all! Had a very old account that to be fair I forgot about. Someone managed to get ahold of my password and accessed it.

He/She tried changing my email and wallet address which prompted request emails to me. I quickly changed my password and tried to undo any change he/she did, this included:
-Changing language to...Russian?
-Linking a Samsung device
-Adding two 2FA FIDO devices
-Changing a wallet address to presumably his/hers.

I managed to undo the first two, but could not remove the 2FA FIDO without having access to the 2FA FIDO. I couldn't revert the wallet address either due to the 2FA lock.

Interestingly even though the wallet address is now his/hers, the payout is locked as the person does not have access to my email (to confirm the payout rule change request).

I've talked to the slushpool support team and unfortunately he could not remove the 2FA locks as he couldn't verify my identity. He wants me to sign a message with a wallet signature on a wallet that I no longer have access to. From memory this wallet was a deposit wallet on BTC-e which shut down a long time ago.

So now these coins are forever frozen it seems. So PSA to anyone using slushpool, 2FA FIDO can be added as long as someone accesses your account with a password. No email confirmation required. You best add one first before someone else does.