Pages:
Author

Topic: **OFFICIAL? - My BTC-e Account Got Hacked and All Funds Stolen thread - page 2. (Read 20545 times)

sr. member
Activity: 280
Merit: 250
Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.

Notified isn't much good. Does it require email confirmation to change the email address?

That would suck. What if you don't have access to the old email address? (changed ISP, job, whatever).
hero member
Activity: 574
Merit: 500
Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.

Notified isn't much good. Does it require email confirmation to change the email address?
sr. member
Activity: 280
Merit: 250
Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.
hero member
Activity: 672
Merit: 500
Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

This was not the case when my account got breached, or it was just simply bypassed. My email and password were changed, and funds withdrawn.

Just an update, I can't get any responses from BTC-e support that have more than a few words of broken english, so I will consider my 4.55 BTC lost as a hard lesson learned:
if it looks like a website from the aol 5.0 era, it's probably just as secure.



Hmm. I've tested this on my account and if I have the 'Withdraw only with request on E-Mail' enabled, to then change the email address or turn off the 'Withdraw only with request on E-Mail' I have to confirm the change by email (This is the first thing I checked months back when I joined btc-e.com, because I realised otherwise it makes the whole email confirmation feature unsafe and pointless if a hacker accesses your acount). Not calling you are a liar but are you absolutely sure you had the 'Withdraw only with request on E-Mail' enabled? If I gave a hacker my password he wouldn't be able to withdraw my funds because he needs my email account to disable the withdraw protection.

Withdraw on email, in this case, is a moot point. The attacker was able to compromise my account, change my password and then change the email address on the account as demonstrated by not being able to reset my password until talking to support 24 hours later.

Withdraw on email does nothing if you can just change the email address.
legendary
Activity: 1344
Merit: 1001
Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

This was not the case when my account got breached, or it was just simply bypassed. My email and password were changed, and funds withdrawn.

Just an update, I can't get any responses from BTC-e support that have more than a few words of broken english, so I will consider my 4.55 BTC lost as a hard lesson learned:
if it looks like a website from the aol 5.0 era, it's probably just as secure.



Hmm. I've tested this on my account and if I have the 'Withdraw only with request on E-Mail' enabled, to then change the email address or turn off the 'Withdraw only with request on E-Mail' I have to confirm the change by email (This is the first thing I checked months back when I joined btc-e.com, because I realised otherwise it makes the whole email confirmation feature unsafe and pointless if a hacker accesses your acount). Not calling you are a liar but are you absolutely sure you had the 'Withdraw only with request on E-Mail' enabled? If I gave a hacker my password he wouldn't be able to withdraw my funds because he needs my email account to disable the withdraw protection.
hero member
Activity: 672
Merit: 500
Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

This was not the case when my account got breached, or it was just simply bypassed. My email and password were changed, and funds withdrawn.

Just an update, I can't get any responses from BTC-e support that have more than a few words of broken english, so I will consider my 4.55 BTC lost as a hard lesson learned:
if it looks like a website from the aol 5.0 era, it's probably just as secure.

legendary
Activity: 1344
Merit: 1001
Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.
hero member
Activity: 882
Merit: 501
Ching-Chang;Ding-Dong
This hap
i just lost 3.3 btc FUCK BTC-e there db is leaked

More info please. You posted this very vague sentence in a couple of BTC-e threads, please substantiate a bit.
legendary
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
i just lost 3.3 btc FUCK BTC-e there db is leaked

just now?
legendary
Activity: 1015
Merit: 1000
i just lost 3.3 btc FUCK BTC-e there db is leaked
hero member
Activity: 882
Merit: 501
Ching-Chang;Ding-Dong
Just enabled email confirm on withdraws thanks for te heads up guys.
newbie
Activity: 24
Merit: 0
First MtGox delays, then bitcoin-24.com, then terracoin ASICwars (and terrawallet), slush DDoS, now BTC-e. Embarrassed

I do not know if I have been hacked, but I cannot get to my finances, balance, account setting. Written to BTCe support several minutes ago and waiting for reply.


I have been waiting a few days for a new reply from them.
sr. member
Activity: 475
Merit: 255
First MtGox delays, then bitcoin-24.com, then terracoin ASICwars (and terrawallet), slush DDoS, now BTC-e. Embarrassed

I do not know if I have been hacked, but I cannot get to my finances, balance, account setting. Written to BTCe support several minutes ago and waiting for reply.
newbie
Activity: 24
Merit: 0
I was hacked as well on 4/17. Has anyone had any luck with BTC-e support on the issue?
legendary
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
This night 100TRC were stolen from my account.
Password was unique and strong, it was not used on other services, it did not have some parts from my user name or e-mail,
I didn't give it to anyone, there are no viruses on my PC, I did not click any bad links, javascript is switched off via noscript.

Did you check the alt-forum thread about the TRC fork? Maybe your TRC wasn't really ever "real" in the first place. You might have bought fake TRC.
newbie
Activity: 44
Merit: 0
This night 100TRC were stolen from my account.
Password was unique and strong, it was not used on other services, it did not have some parts from my user name or e-mail,
I didn't give it to anyone, there are no viruses on my PC, I did not click any bad links, javascript is switched off via noscript.
sr. member
Activity: 329
Merit: 250
Bitcoin may be the TCP/IP of money.
for the record, just lost about 30 TRC from my account,

so change all coins to BTC and transfer to mtgox (safer? maybe?)

never store a penny in that exchange wallet, ever again.
member
Activity: 68
Merit: 10
Look at the source for twitter.com... Not sure where you got that from, but its just code from twitter.

That code was found on my computer. It may be created by twitter but I believe someone is using it as a xss attack. The line b=/^key/,c=["click","keydown","keypress","keyup"]  suggests it's a key logger (maybe I am wrong). I'm thinking the attack goes like this. attacker posts a malicious link, it attampts to launch a java 0day to install a backdoor trojan. If that doesn't succeed it drops a phishing page outside the javascript sandbox probably by using the java 0day. Then the victim may then be tricked into clicking the locally dropped file which would run out side the sandbox. Then the attacker would ddos btce or use some other exploit to cause the user to become logged out. When the user quickly logs back in the attacker has the javascript running in another tab listening to windowing events outside the sand box and successfully retrieving their password.

Either a, there are multiple attackers using different methods, or there is a modern toolkit that is at work here.
full member
Activity: 205
Merit: 100
Look at the source for twitter.com... Not sure where you got that from, but its just code from twitter.
member
Activity: 68
Merit: 10
I found this piece of javascript in an html file that mysteriously appeared on my computer after clicking a trollbox link. I still have my coins but do believe someone hacked or attempted to hack me. It seems that multiple exploits are being used. Can someone confirm my suspicion that this is malicious javascript?

Code:

 
       

Pages:
Jump to: