I wonder if someone from staff can clarify this.
The situation
Recently one of our Legendarys was hacked. He created a thread describing what happened (I adduce the translation from Russian below):
Got 2 messages:
- the link to reset my allegedly 'forgotten' password:
Dear Vadi2323,
This mail was sent because the 'forgot password' function has been applied to your account. To set a new password click the following link:
IP: 173.224.120.147
Username: Vadi2323
Regards,
The Bitcoin Forum Team.
- after that - the letter about password change turned up:
Dear Vadi2323,
Your Bitcoin Forum (bitcointalk.org) password was just changed by IP address 173.224.120.147 via email recovery. If you did not do this, then you should use the forgotten password feature to change your password.
Regards,
The Bitcoin Forum Team.
I tried to log in - and password indeed didn't match. Then I changed it myself via forgot password option.
Also I checked the e-mail visit log, but it revealed my IPs only, no 173.224.120.147.
E-mail didn't seem to send messages to any other addresses too.
WTF? In other words, someone somehow changed his password bypassing the e-mail (since it doesn't look like the e-mail was compromised).
The chronology:
https://ip.bitcointalk.org/?u=https%3A%2F%2Fs8.hostingkartinok.com%2Fuploads%2Fimages%2F2018%2F03%2F622f841b86de505e1fc0c20e7a84eee6.png&t=586&c=3gzXpgExQJ7frA
Moscow time:
20:21 - hacker requested the password reset via e-mail
20:50 - hacker changed the password (as if he was using the e-mail link)
20:55 - I requested the password reset via e-mail
20:56 - I changed the password (definitely using the e-mail link)
Our suppositions
Reset links sent by e-mail are typical. Usually we receive a message including a link like this:
https://bitcointalk.org/index.php?action=reminder;sa=setpassword;u=userIDhere;code=someCodeHere
Presumably anyone can set userIDhere to the ID of the target account and get to the target account's 'change password here' page.
The snag is in the last part of the link - the code. I assume that it's supposed to be unique and should be formed by engine for every request. And you can't change the password if the code is wrong.
So for now the only reasonable explanation we have is that someone just brute forced that code. Using some kind of automated tool, for example.
Accordingly, the question is: can this be true? Or perhaps some other possibility to change the password at the reset-e-mail stage without e-mail access exists?
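The post's reasoning hinges on the reset code being unique per request and unguessable. As an added illustration from the defender's side (this is not the forum software's code and says nothing about how bitcointalk actually implements it), the block below shows what a reset-code scheme needs so that guessing the code is not a realistic path: a code drawn from a cryptographic random source with enough entropy, stored only as a hash, bound to one user, valid for a short window, single-use, and invalidated after a handful of wrong attempts. The `ResetTokenStore` class, the clock parameter and the constants are assumptions made for the example; `guess_success_probability` just quantifies why code length and attempt limits together bound the risk.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example (not the forum's real settings).
TOKEN_BYTES = 32          # 256 bits of entropy per reset code
TOKEN_TTL_SECONDS = 15 * 60
MAX_FAILED_ATTEMPTS = 5   # wrong codes allowed before the pending reset is voided


def _digest(code: str) -> bytes:
    """Store only a hash of the code, so a leaked table does not leak usable codes."""
    return hashlib.sha256(code.encode("utf-8")).digest()


class ResetTokenStore:
    """Hypothetical server-side record of pending password resets, one per user."""

    def __init__(self, now=time.time, max_failures: int = MAX_FAILED_ATTEMPTS):
        self._now = now                 # injectable clock, so expiry can be tested
        self._max_failures = max_failures
        # user_id -> {"digest": bytes, "expires_at": float, "failures": int}
        self._pending = {}

    def issue(self, user_id: str) -> str:
        """Create a fresh code for this user; any earlier pending code is replaced."""
        code = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG-backed, URL-safe
        self._pending[user_id] = {
            "digest": _digest(code),
            "expires_at": self._now() + TOKEN_TTL_SECONDS,
            "failures": 0,
        }
        return code  # this is what goes into the e-mailed link

    def redeem(self, user_id: str, presented_code: str) -> bool:
        """Return True only for the live, unexpired code bound to this user_id."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False                            # nothing pending (or already used)
        if self._now() > entry["expires_at"]:
            del self._pending[user_id]              # expired: void it
            return False
        # Constant-time compare so timing differences do not leak the code.
        if hmac.compare_digest(_digest(presented_code), entry["digest"]):
            del self._pending[user_id]              # single use: consume on success
            return True
        entry["failures"] += 1
        if entry["failures"] >= self._max_failures:
            del self._pending[user_id]              # too many wrong guesses: void it
        return False

    def has_pending(self, user_id: str) -> bool:
        return user_id in self._pending


def token_entropy_bits(n_bytes: int = TOKEN_BYTES) -> int:
    return n_bytes * 8


def guess_success_probability(entropy_bits: int, attempts: int) -> float:
    """Upper bound on the chance that `attempts` distinct guesses hit one specific code."""
    space = 2 ** entropy_bits
    return min(1.0, attempts / space)


if __name__ == "__main__":
    store = ResetTokenStore()
    code = store.issue("Vadi2323")
    print("wrong code accepted?", store.redeem("Vadi2323", "not-the-code"))
    print("right code accepted?", store.redeem("Vadi2323", code))
    print("replay accepted?", store.redeem("Vadi2323", code))
    # With a 256-bit code, even a billion guesses inside the 15-minute window
    # leave a negligible chance; a 6-digit numeric code (about 20 bits) would not.
    print(guess_success_probability(token_entropy_bits(), 10 ** 9))
    print(guess_success_probability(20, 10 ** 6))
```

The two properties that matter most for the scenario described above are the entropy of the code and the attempt limit: with a short numeric code and no limit, the success probability within the validity window is no longer negligible, while a long random code plus a small failure budget keeps it effectively zero regardless of how fast requests arrive. Hashing the stored code additionally means a read of the pending-resets table is not enough to complete someone else's reset.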