**OFFICIAL? - My BTC-e Account Got Hacked and All Funds Stolen thread - page 4.

moni3z

hero member

Activity: 899

Merit: 1002

Quote from: bradmurmz on April 13, 2013, 12:29:57 AM

Quote from: moni3z on April 11, 2013, 04:24:44 PM

you guys, antichat.ru hackers and fraudsters are constantly posting links in the trollbox to get you to click them. when you do your passwords all kept in browser are leaked

I think what your trying to describe is an XSS ( Cross Server Scripting ) attack that steals your cookies. I'm not sure how "your passwords all kept in browser are leaked"... that's just not possible on any modern browser I am aware of.

This XSS attack is possible if there was a bug in btc-e's site that allowed for code to be injected into the page through a GET request, but probably not the case as many of us who's accounts were hacked never clicked any links in the "trollbox". As far as botnets and virus and java exploits, many of us also run linux which is the most secure desktop available and also chrome which does not allow java to be ran without a confirmation first!

java zero day. Chrome://Plugins then disable any Java plug-ins. this is different than javascript. Linux is not immune.
has anybody tested if you can create API key, then withdraw with it? probably no email confirmation.

bradmurmz

full member

Activity: 205

Merit: 100

Has anyone here who's account was hacked had any resolution to the situation?? Has support even said more than a few sentences to you and answered any of your questions??

bradmurmz

full member

Activity: 205

Merit: 100

Quote from: moni3z on April 11, 2013, 04:24:44 PM

you guys, antichat.ru hackers and fraudsters are constantly posting links in the trollbox to get you to click them. when you do your passwords all kept in browser are leaked

I think what your trying to describe is an XSS ( Cross Server Scripting ) attack that steals your cookies. I'm not sure how "your passwords all kept in browser are leaked"... that's just not possible on any modern browser I am aware of.

This XSS attack is possible if there was a bug in btc-e's site that allowed for code to be injected into the page through a GET request, but probably not the case as many of us who's accounts were hacked never clicked any links in the "trollbox". As far as botnets and virus and java exploits, many of us also run linux which is the most secure desktop available and also chrome which does not allow java to be ran without a confirmation first!

bradmurmz

full member

Activity: 205

Merit: 100

Quote from: btc-e.com on April 11, 2013, 04:58:07 PM

https://btc-e.com/news/131

unctional confirmation of the withdrawal through the mail.

To use a functional need to confirm email - https://btc-e.com/profile#edit/home
Activate protection - https://btc-e.com/profile#edit/security
After that, each withdrawal you will come to notice in the mail.
Today will be translated into English.

For complete safety, use different passwords on the stock exchange and mail, as well as recommend the use of e-mail gmail.com with two-factor authentication.

You're seriously still blaming us for this?

How does it matter if "after each withdrawl we get a notice in the mail" if they hack your database with an SQL injection attack and change our email directly in the database, and then seconds later login to our account and clear out the funds before support can even answer an email...

@btc-e.com, I will help you find and fix the exploit if you want. Just pay me back for what is the fault of btc-e.com and I will be more than happy to help you for free.

bradmurmz

full member

Activity: 205

Merit: 100

Quote

Or btc-e stole the coins. Im sorry this happened to you. But what can you do? what is the owners name? where is the server? is there a business address? Are they licensed? Can you call the police and Russia and tell them what?

With the way they are treating us... This is starting to sound more and more like a possibility!

There are many things I can do.. I can reach out to various media sources and tell them our story. I've written a press release explaining that it either has to be an SQL injection attack, or inside job stating my reasons above. If they just leave us all hanging with no responses, I think the later would appear to make the most sense.

Next I use my SEO dayjob skills to make sure that those articles come up #1 for btc-e search term so that everyone knows to be aware. I also make sure this forum and other posts come up first page for that search term as well.

Personally I would just rather have someone over there tell we what the hell is going on and why they are barely responding to someone who just lost nearly 40k (at the time) and apparently treating us all as though we don't matter. I would rather just get my coins back and let everyone here know that I had been done right by them and that they are trustworthy.

The amount of money it would cost to refund us would be made up quickly in added business they would receive from gaining the communities trust back.

Smoovious

hero member

Activity: 504

Merit: 500

Scattering my bits around the net since 1980

Quote from: TimJBenham on April 12, 2013, 07:48:45 PM

I never trust an exchange that charges a percentage fee to deposit.

Which exchanges do that?

-- Smoov

laughingbear

hero member

Activity: 622

Merit: 500

www.cryptobetfair.com

Quote from: bradmurmz on April 12, 2013, 09:19:02 PM

This was not an XSS attack!! Angry

This was obviously a simple SQL injection attack. If it was XSS how would they change the email without a verification email being sent. According to btc-e changing the email has always required a verification email to the previous address first!

All the attacker has done is found an SQL injection exploit which they use like so "UPDATE users SET email='[email protected]' WHERE username='theuser'"

Then they simply reset the password on the account and log in wiping out funds.

This was not the fault of any of us.... I've had 200BTC stolen and I'm still waiting on support to get back to me. I've gotten only two emails so far with a few words in each one. I really wish they would understand how I feel right now and would at least give me some reassurance that they plan on taking care of me. I really like btc-e exchange but at the moment am very upset with the level of professionalism of support!!

Or btc-e stole the coins. Im sorry this happened to you. But what can you do? what is the owners name? where is the server? is there a business address? Are they licensed? Can you call the police and Russia and tell them what?

bradmurmz

full member

Activity: 205

Merit: 100

This was not an XSS attack!! Angry

This was obviously a simple SQL injection attack. If it was XSS how would they change the email without a verification email being sent. According to btc-e changing the email has always required a verification email to the previous address first!

All the attacker has done is found an SQL injection exploit which they use like so "UPDATE users SET email='[email protected]' WHERE username='theuser'"

Then they simply reset the password on the account and log in wiping out funds.

This was not the fault of any of us.... I've had 200BTC stolen and I'm still waiting on support to get back to me. I've gotten only two emails so far with a few words in each one. I really wish they would understand how I feel right now and would at least give me some reassurance that they plan on taking care of me. I really like btc-e exchange but at the moment am very upset with the level of professionalism of support!!

TimJBenham

sr. member

Activity: 280

Merit: 250

I never trust an exchange that charges a percentage fee to deposit.

doobadoo

sr. member

Activity: 364

Merit: 250

Quote from: moni3z on April 11, 2013, 04:24:44 PM

...
- install noscript and enable it only for certain sites you trust /
-
- profit

^ THIS ^ And to be more precise, you install no script (Firefox plugin) and make sure its set "Forbid Scripts Globally." Then when you hit a site, choose to allow the javascripts which have addresses you can recognize as safe. Go into Tools --> Addons and disable the Java plugin. Might want to disable adobe flash too, but if you don't check to see you have most recent version. Also check that you have most recent Firefox version.

For you browsing other sites, run that in Chrome. Only have your exchange tabs open in Firefox.

If you use a blockchain.info wallet access the link in private browsing mode. Don't bookmark the link either, drag the link to your desktop from the url bar. Rename the file something inconspicuous. Back that file up! Then load it by dragging it back to the URL bar. Never copy and paste your secret online wallet link. I think that defeats the malware that might look thru your browsing history and bookmarks and clipboard.

Transisto

donator

Activity: 1731

Merit: 1008

I don't know how am I supposed to remember the email account used ?

BTC-e never sent me any email, I had enabled email on widthrawal so maybe I should at least had gotten a notif to reconfirm it.

jimmy3dita

hero member

Activity: 588

Merit: 500

Add me to the list, fortunately my account was almost empty and -afaik- I haven't opened nothing that can lead to an injection or something similar.

Brute force maybe? My BTC pass -I've to admin- was simple.

By the way:
- email changed
- email not present in the database when recovering pass
- trying to register again "login already exist"

Reminds me of something happened with iTunes three years ago, again with no damage (prepaid cc).

Oh I forgot to mention that I've sent an email today, but no answer yet. It's ok if they also delete the account so I can register again with the same username (yet not with the same pass Cheesy

)

phr0stbyt3

hero member

Activity: 672

Merit: 500

I'm still waiting for an official statement from BTC-e about the account breaches.
Anyone who has used them in the last 2 weeks will notice the SWEEPING changes they have made in a very small amount of time.

Username -> email login
Email support -> ticket support -> email support again

Also, sending an email confirmation to change the email address on your account is now in place. Good news for the future, but doesn't address how my email address was changed when my coins were taken.

I have formally email support asking for reimbursement of stolen coins. Waiting to hear back.

z12

member

Activity: 63

Merit: 10

I think they are doing withdrawals manually even though the system marks the withdrawal as 'sent'. Wait and they'll arrive.

I still didn't get my access to my account back, Not even a word from support, let alone a refund Angry

I guess this thread is getting ready to be moved on scam accusations section.

pekv2

hero member

Activity: 770

Merit: 502

Quote from: kingcrimson on April 11, 2013, 09:34:26 PM

I withdrew bitcoins from btc-e to my wallet yesterday afternoon, and it never arrived. It doesn't even show up on the blockchain. I don't know wtf happened or whose end the problem arrived.

I guess if the withdraw fee's isn't deterring people from withdrawing, btc-e is now using another way so you can't withdraw.

WOW.

Shit just keeps going balls deeper.

kingcrimson

legendary

Activity: 1025

Merit: 1000

I withdrew bitcoins from btc-e to my wallet yesterday afternoon, and it never arrived. It doesn't even show up on the blockchain. I don't know wtf happened or whose end the problem arrived.

ZephramC

sr. member

Activity: 475

Merit: 255

Well. Three days ago my LTC withdrawal was delayed by several hours. Later I got an answer from BTC-e that it was due to DDoS attack. Withdrawal made just several minutes ago completed successfully.

Bit_Happy

legendary

Activity: 2114

Merit: 1040

A Great Time to Start Something!

I just got the unexpected logout, and would like to know if there is hope of a fast fix?

samson

legendary

Activity: 2097

Merit: 1070

This exchange as rogue they should get a scammer tag for this.

They also massively manipulate every currency traded.

phr0stbyt3

hero member

Activity: 672

Merit: 500

Quote from: moni3z on April 11, 2013, 04:24:44 PM

if you clicked trollbox links you owned yourself there's nothing they can do. there's a guy in trollbox right now pasting in exploit links inside imgur pics

Disallow clickable links in chat for starters.

Quote from: btc-e.com on April 11, 2013, 04:58:07 PM

https://btc-e.com/news/131

unctional confirmation of the withdrawal through the mail.

To use a functional need to confirm email - https://btc-e.com/profile#edit/home
Activate protection - https://btc-e.com/profile#edit/security
After that, each withdrawal you will come to notice in the mail.
Today will be translated into English.

For complete safety, use different passwords on the stock exchange and mail, as well as recommend the use of e-mail gmail.com with two-factor authentication.

I've been using 2fa with gmail ever since my girlfriend accidentally changed my password.

I already responded to this in another thread actually:

I had already done those steps.
My passwords are different and very, very strong. How was my email address able to be changed in my account?
I noticed that when you try to change your email on the account you now get a confirmation email, has this -ALWAYS- been the case?
I did not get anything saying my email address had been changed after my account was breached, so I'm a little puzzled.

Topic: **OFFICIAL? - My BTC-e Account Got Hacked and All Funds Stolen thread - page 4. (Read 20533 times)