OK. Attack was massive, but not particularly harmful.
I enabled payouts and possibility to update withdrawal addresses.
Attention!!!
Under any circumstances don't use on Coinotron website password that you are using on other sites. Sites perpetually get hacked, their user databases compromised, passwords are then used to log in on our website.
General rule:
Use different password on each cryptocoin site you have account.
Telling users that it's 'not smart to use the same password' is a pretty damn weak excuse for not having adequate security. What did you do? Store the passwords in plaintext or something else stupid?
Also: Just noticed that you don't even allow users the option of changing password. Seriously?
Um...seriously? A brute force attack means that multiple passwords are attempted and that if you are using stupid easy passwords they get in, or if you used the same one elsewhere and they were compromised then you are screwed. Both of these scenarios have nothing to do with Coinotron and everything to do with you. Coinotron secures your information, you better as well.
I suggest using a software like Keepass generating high entropy passwords that you can copy and paste.
I do not even know most of my passwords and they are between 32 and 256 digits, mostly in the 64 digits range, if they are not limited by site.
I suggest doing something similar and securing the key databases very well with a phrase password that is very, very long and includes a random number and special character somewhere.
Anything else is just begging to get your ass kicked... but if you do it with a program, you only need to remember key databases, where you can use mnemonic devices to write down the password. This way, no one could even rubber crypto you, since you'd have to answer "Sorry, i have no fucking clue what my password is."
