Author

Topic: Nicehash security issue lost me 0.22 btc, they refuse to compensate (Read 2247 times)

legendary
Activity: 1848
Merit: 1001
i never had a problem with nicehash (never used them)

mine was with btc-e, knc, avalon, bitmain, spondoolies & another asic 'seller' whos name slips my mind right now. cointerra

continue to assault their public pages (facebook/twitter/anything) you may get a good result, the key is never giving up.

they think they can outlast you, but daily bad publicity is not worth it for them to ignore.

use big red letters...
legendary
Activity: 1470
Merit: 1024
I havent, they didnt even apologize. Did u get ur money back?
legendary
Activity: 1848
Merit: 1001
did you ever get anywhere with this?

i had similar experiences with various entities.

hound them on every possible front in huge 72 point red font.

do it everyday without fail until they buckle.


legendary
Activity: 1470
Merit: 1024
you did everything correctly by reporting it when the loss that was your fault was only 0.02 btc. they basically admitted they screwed up and cost you the rest of the 0.22. it boggles the mind that nicehash would take this kind of hit to their credibility over a couple hundred bucks.

i have an account there but now ill only use it only as a last resort.

Thanks for your support. As you can see they accept they are wrong but wouldn't take responsibility. Please help my cause and get this public. Undecided
legendary
Activity: 1470
Merit: 1024

If 2FA would be enabled from the begging, this would not happen and no funds would be lost.

Regarding the particular issue with changing passwords and still active open concurrent sessions. There was indeed a particular specific issue in this case and we've already added additional layer of protection to make sure this kind of scenarios would not happen again. Nevertheless, once again we have to say that even with this exceptions nobody could do any harm to your account if you would enable 2FA right after you registered your account or before you started dealing with funds on your account.



Best regards,
NiceHash team.

So you accept that your website's code was faulty, in other words poor and it kept the hacker in even though I took immediate precautions.

I'm not blaming you for my hacked account. I am blaming you for the fact that even though I did the neccasary steps, hacker was still logged in. Thats why I take responsbility for the first 0.02 that I lost.

How can you also explain that even though Ive resetted my 2FA, hacker was able to put orders?

I started to think that you are working with these Russian hackers.

I'll let everyone know how a insecure service you have.
legendary
Activity: 885
Merit: 1006
NiceHash.com
Hello,

First of all we would like to say that security and user satisfaction is of course very important to us. We are working very hard to provide an excellent service for hundreds thousands of users and we are doing this job for several years.
 
In this particular case the accusations and complaints from user olcaytu2005 are over reacted and also false. You all know that 2FA protection is standard and essential when dealing with funds. Also protecting your account with proper passwords and making sure your password is changed over a particular period of time adds additional level of security to your account. olcaytu2005 hasn't followed these standard practices and this is why his account got hacked and funds were lost.

If 2FA would be enabled from the begging, this would not happen and no funds would be lost.

Regarding the particular issue with changing passwords and still active open concurrent sessions. There was indeed a particular specific issue in this case and we've already added additional layer of protection to make sure this kind of scenarios would not happen again. Nevertheless, once again we have to say that even with this exceptions nobody could do any harm to your account if you would enable 2FA right after you registered your account or before you started dealing with funds on your account.

It is also very important to note that our system was not compromised or hacked. It was just the user's account by someone stealing/guessing his login credentials from his personal computer or other sources.

As far as refunds are concerned - any business or institution that has to do anything with financial transactions clearly states no refunds on any kind of financial loss. No matter who's fault is it in the end - this is also clear from our Terms of use, available on our website. Since we care a lot for our users satisfaction we have still done some refunds and compensations in the past for various kind of issues that were an actual result of service issues - for example, order was charged but not placed properly due to system overload, etc.. But we will never do any refunds due to user's faults. If we would do this then anybody could say that he needs some kind of refunds for thousands of possible issues you can make up.

Therefore - once again - olcaytu2005, we are very sorry for the funds you've lost and understand your situation, but unfortunately a refund in this case is not possible since you didn't follow standard security practices such as enabling 2FA before doing any kind of operations with funds. Thank you for understanding.


Best regards,
NiceHash team.
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
you did everything correctly by reporting it when the loss that was your fault was only 0.02 btc. they basically admitted they screwed up and cost you the rest of the 0.22. it boggles the mind that nicehash would take this kind of hit to their credibility over a couple hundred bucks.

i have an account there but now ill only use it only as a last resort.
hero member
Activity: 854
Merit: 500

This is clearly a nicehash security fault. You got my support.
twn
legendary
Activity: 1204
Merit: 1011
Definetly they need to pay back your lost. As i can understand u hacked but its because of nicehash not ur mistake
legendary
Activity: 1470
Merit: 1024
Thanks for your support guys. They are ignoring me and my mails. I'll do my best to make this public as much as possible. People have hundreds of btcs there, some people I know. I already told them to withdraw. They don't even have a ticket system and you have to actually wait for the email to arrive...

I have also archieved their ToS and the reddit post. Thanks for suggestions.

Also, please help with the negative trust so people can see. I'm probably not on the default trust.

https://bitcointalksearch.org/user/nicehashsupport-489754
sr. member
Activity: 266
Merit: 250
Invulner
They can't even say that they tried to make their security good... Interface is shit and so is their website security so it seems from your case. The best thing to do right now is to give this thing as much publicity as possible and see if Nicehash and step up and defend its reputation and provide you with a refund. Either way, good luck to you man. Hope you get your money back.
hero member
Activity: 756
Merit: 503
Crypto.games
Yeah well, they better not cite some obscure/buried/(edited?) section of their TOS and say all users have agreed that they won't be held accountable for any software/hardware flaw or error. That's how shady sites usually operates.

Maybe you'd better archive a copy of their TOS, who knows, they might surprise us with alterations/edits in the end.

Another thing is, how the hell can they take operating like this. The heck?!

legendary
Activity: 910
Merit: 1009
like many shitty crypto "companies" they play fast and loose with security. im sure they will pay to silence you later if there is enough backlash but who knows if they ever fix their site. these problems are probably only the top of the iceberg

i archived that reddit page for you if that support staffer decides to delete the post: http://archive.is/58Af1
legendary
Activity: 1470
Merit: 1024
Omg that's pretty unbelievable that they didn't even log the hackers out. That is really really retro. My MSN Messenger even did that haha. I completely agree that it's their fault once you changed your password (and probably before too but who knows).

Thanks for your support. People are throwing hundreds of BTC there and they should know they are not safe.
legendary
Activity: 966
Merit: 1042
Omg that's pretty unbelievable that they didn't even log the hackers out. That is really really retro. My MSN Messenger even did that haha. I completely agree that it's their fault once you changed your password (and probably before too but who knows).
legendary
Activity: 1470
Merit: 1024
Here is what happened for those who wants to read:

So here is the deal, I was renting hash for Zcash and Zclassic for the past couple of days. I had 0.24 btc left in my account. Today I decided to check my account and saw that there was an open order that wasn't by me.
The hacker put a 2fa code, WHICH CAN'T BE DONE WITH EMAIL CONFIRMATION ANY WHERE IN THE WORLD EXCEPT THE POORLY CODED NICEHASH INTERFACE, and I was unable to withdraw my btc immidietly. I changed my password from a fresh computer due to the risk of having a keylogger on my computer.
GUESS WHAT?! Poorly coded nicehash website didn't force previously logged in people to logout after a password reset. What a joke?! Is this 2001 dial up internet years all over again?
So, while I thought I was safe because I changed my password and the regular website behaviour is to force everyone else out that is logged in with previous password. I went to bed. Woke up to see if nicehash responded my email.
They asked me to send certain amount of btc to my deposit address to verify its actually me. And I did. Than wanted check if my deposit was in wallet page.
I noticed my 0.22 was fully gone. Poorly coded nicehash website didn't force previously logged in hacker, neither did the support blocked his IP even though they have been INFORMED that it was a hacker.
I request a refund of my hardly earned 0.22 BTC. I accept that the first hack was my responsibility but the rest security leaks was caused by nicehash's poor coding.

Can you explain why there are no simple basic protections:

1. When password is changed, site must force all logged in users out. SIMPLEST RULE.
2. When someone wants to set a 2FA, an email verification should be needed. SIMPLEST RULE #2.
3. I deactivated hacker's 2FA with your code and created my own 2FA, but hacker WAS ABLE TO RENT HASH SOMEHOW. HOW CAN THIS BE IF THERE ARE NO SECURITY BREACHES?
4. I opened a withdrawel request, he could have cancelled and battled me again by putting orders, but he didn't, or more importantly HE COUDLN'T.
5. I informed nicehash of the hack when only 0.02 was gone, they didn't LOCK THE ACCOUNT. Every other exchange or renting service out there locks the account immidietly.
6. Why nicehash doesn't have basic protection safe guard to protect their costumer's funds?

So basically you are lying infront of everyone reading. HACKER WAS ABLE TO PUT AN ORDER EVEN WHEN I RESETTED 2FA AND PUT IN ON MY PHONE. You are either working with the hackers and hoping no one will notice or be loud enough or you just don't care about your costumer's funds.

I SPOTTED HACK WITH A MINIMAL LOSE, ONLY 0.02. AND THATS ON ME, MY RESPONSBILITY. BUT THAN I CHANGED MY PASSWORD AND EMAILED TO YOU IMMIDIETLY. After that, IT IS YOUR RESPONSIBILITY.

You are no different than those "hacker Russians" if you keep on insisting that your faulty, poorly coded weak system just helps HACKERS STEAL THE FUNDS. There is even no IP notification.

I demand a compensation of my stolen funds THAT ARE CAUSED BY YOUR FAULTS and you to accept responsbility and correct your site's mistake. I will not stop following this and will be informing everyone, everywhere. You can't get away with this.

Basically, I felt safe after I changed my password and lost the remaining btc.

Niki on nicehash confirmed there was an issue with their security:


https://www.reddit.com/r/NiceHash/comments/5cb1a4/nicehash_made_me_lose_022_btc_i_ask_for_a_refund/d9w3f2f/



Jump to: