**OFFICIAL? - My BTC-e Account Got Hacked and All Funds Stolen thread - page 2.

TimJBenham

sr. member

Activity: 280

Merit: 250

Quote from: TsuyokuNaritai on April 20, 2013, 10:18:35 PM

Quote from: TimJBenham on April 20, 2013, 09:34:43 PM

Quote from: phr0stbyt3 on April 20, 2013, 06:30:58 PM

Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.

Notified isn't much good. Does it require email confirmation to change the email address?

That would suck. What if you don't have access to the old email address? (changed ISP, job, whatever).

TsuyokuNaritai

hero member

Activity: 574

Merit: 500

Quote from: TimJBenham on April 20, 2013, 09:34:43 PM

Quote from: phr0stbyt3 on April 20, 2013, 06:30:58 PM

Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.

Notified isn't much good. Does it require email confirmation to change the email address?

TimJBenham

sr. member

Activity: 280

Merit: 250

Quote from: phr0stbyt3 on April 20, 2013, 06:30:58 PM

Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.

phr0stbyt3

hero member

Activity: 672

Merit: 500

Quote from: mr_random on April 20, 2013, 04:17:07 PM

Quote from: phr0stbyt3 on April 20, 2013, 03:05:51 PM

Quote from: mr_random on April 20, 2013, 01:50:17 PM

Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

This was not the case when my account got breached, or it was just simply bypassed. My email and password were changed, and funds withdrawn.

Just an update, I can't get any responses from BTC-e support that have more than a few words of broken english, so I will consider my 4.55 BTC lost as a hard lesson learned:
if it looks like a website from the aol 5.0 era, it's probably just as secure.

Hmm. I've tested this on my account and if I have the 'Withdraw only with request on E-Mail' enabled, to then change the email address or turn off the 'Withdraw only with request on E-Mail' I have to confirm the change by email (This is the first thing I checked months back when I joined btc-e.com, because I realised otherwise it makes the whole email confirmation feature unsafe and pointless if a hacker accesses your acount). Not calling you are a liar but are you absolutely sure you had the 'Withdraw only with request on E-Mail' enabled? If I gave a hacker my password he wouldn't be able to withdraw my funds because he needs my email account to disable the withdraw protection.

Withdraw on email, in this case, is a moot point. The attacker was able to compromise my account, change my password and then change the email address on the account as demonstrated by not being able to reset my password until talking to support 24 hours later.

Withdraw on email does nothing if you can just change the email address.

mr_random

legendary

Activity: 1344

Merit: 1001

Quote from: phr0stbyt3 on April 20, 2013, 03:05:51 PM

Quote from: mr_random on April 20, 2013, 01:50:17 PM

Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

This was not the case when my account got breached, or it was just simply bypassed. My email and password were changed, and funds withdrawn.

Just an update, I can't get any responses from BTC-e support that have more than a few words of broken english, so I will consider my 4.55 BTC lost as a hard lesson learned:
if it looks like a website from the aol 5.0 era, it's probably just as secure.

Hmm. I've tested this on my account and if I have the 'Withdraw only with request on E-Mail' enabled, to then change the email address or turn off the 'Withdraw only with request on E-Mail' I have to confirm the change by email (This is the first thing I checked months back when I joined btc-e.com, because I realised otherwise it makes the whole email confirmation feature unsafe and pointless if a hacker accesses your acount). Not calling you are a liar but are you absolutely sure you had the 'Withdraw only with request on E-Mail' enabled? If I gave a hacker my password he wouldn't be able to withdraw my funds because he needs my email account to disable the withdraw protection.

phr0stbyt3

hero member

Activity: 672

Merit: 500

Quote from: mr_random on April 20, 2013, 01:50:17 PM

Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

This was not the case when my account got breached, or it was just simply bypassed. My email and password were changed, and funds withdrawn.

Just an update, I can't get any responses from BTC-e support that have more than a few words of broken english, so I will consider my 4.55 BTC lost as a hard lesson learned:
if it looks like a website from the aol 5.0 era, it's probably just as secure.

mr_random

legendary

Activity: 1344

Merit: 1001

Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

joesmoe2012

hero member

Activity: 882

Merit: 501

Ching-Chang;Ding-Dong

This hap

Quote from: tigerfree on April 20, 2013, 08:01:20 AM

i just lost 3.3 btc FUCK BTC-e there db is leaked

More info please. You posted this very vague sentence in a couple of BTC-e threads, please substantiate a bit.

crazy_rabbit

legendary

Activity: 1204

Merit: 1002

RUM AND CARROTS: A PIRATE LIFE FOR ME

Quote from: tigerfree on April 20, 2013, 08:01:20 AM

i just lost 3.3 btc FUCK BTC-e there db is leaked

just now?

tigerfree

legendary

Activity: 1015

Merit: 1000

i just lost 3.3 btc FUCK BTC-e there db is leaked

joesmoe2012

hero member

Activity: 882

Merit: 501

Ching-Chang;Ding-Dong

Just enabled email confirm on withdraws thanks for te heads up guys.

Pingonious

newbie

Activity: 24

Merit: 0

Quote from: ZephramC on April 19, 2013, 04:05:31 PM

First MtGox delays, then bitcoin-24.com, then terracoin ASICwars (and terrawallet), slush DDoS, now BTC-e. Embarrassed

I do not know if I have been hacked, but I cannot get to my finances, balance, account setting. Written to BTCe support several minutes ago and waiting for reply.

I have been waiting a few days for a new reply from them.

ZephramC

sr. member

Activity: 475

Merit: 255

First MtGox delays, then bitcoin-24.com, then terracoin ASICwars (and terrawallet), slush DDoS, now BTC-e. Embarrassed

I do not know if I have been hacked, but I cannot get to my finances, balance, account setting. Written to BTCe support several minutes ago and waiting for reply.

Pingonious

newbie

Activity: 24

Merit: 0

I was hacked as well on 4/17. Has anyone had any luck with BTC-e support on the issue?

crazy_rabbit

legendary

Activity: 1204

Merit: 1002

RUM AND CARROTS: A PIRATE LIFE FOR ME

Quote from: Unclegogi on April 18, 2013, 04:50:04 AM

This night 100TRC were stolen from my account.
Password was unique and strong, it was not used on other services, it did not have some parts from my user name or e-mail,
I didn't give it to anyone, there are no viruses on my PC, I did not click any bad links, javascript is switched off via noscript.

Did you check the alt-forum thread about the TRC fork? Maybe your TRC wasn't really ever "real" in the first place. You might have bought fake TRC.

Unclegogi

newbie

Activity: 44

Merit: 0

This night 100TRC were stolen from my account.
Password was unique and strong, it was not used on other services, it did not have some parts from my user name or e-mail,
I didn't give it to anyone, there are no viruses on my PC, I did not click any bad links, javascript is switched off via noscript.

ryantc

sr. member

Activity: 329

Merit: 250

Bitcoin may be the TCP/IP of money.

for the record, just lost about 30 TRC from my account,

so change all coins to BTC and transfer to mtgox (safer? maybe?)

never store a penny in that exchange wallet, ever again.

jargoman

member

Activity: 68

Merit: 10

Quote from: bradmurmz on April 16, 2013, 02:50:10 PM

Look at the source for twitter.com... Not sure where you got that from, but its just code from twitter.

That code was found on my computer. It may be created by twitter but I believe someone is using it as a xss attack. The line b=/^key/,c=["click","keydown","keypress","keyup"] suggests it's a key logger (maybe I am wrong). I'm thinking the attack goes like this. attacker posts a malicious link, it attampts to launch a java 0day to install a backdoor trojan. If that doesn't succeed it drops a phishing page outside the javascript sandbox probably by using the java 0day. Then the victim may then be tricked into clicking the locally dropped file which would run out side the sandbox. Then the attacker would ddos btce or use some other exploit to cause the user to become logged out. When the user quickly logs back in the attacker has the javascript running in another tab listening to windowing events outside the sand box and successfully retrieving their password.

Either a, there are multiple attackers using different methods, or there is a modern toolkit that is at work here.

bradmurmz

full member

Activity: 205

Merit: 100

Look at the source for twitter.com... Not sure where you got that from, but its just code from twitter.

jargoman

member

Activity: 68

Merit: 10

I found this piece of javascript in an html file that mysteriously appeared on my computer after clicking a trollbox link. I still have my coins but do believe someone hacked or attempted to hack me. It seems that multiple exploits are being used. Can someone confirm my suspicion that this is malicious javascript?

Code:

Topic: **OFFICIAL? - My BTC-e Account Got Hacked and All Funds Stolen thread - page 2. (Read 20533 times)