PRIMEDICE COMPROMISED [RESOLVED] - page 4.

Stunna

legendary

Activity: 3192

Merit: 1279

Primedice.com, Stake.com

Quote from: RHavar on January 04, 2017, 12:06:41 PM

Quote from: convertekk on January 04, 2017, 11:46:23 AM

Ryan, seriously ? you are asking me to share my password here ?

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

Sure, why not? My password was yMrND9DpHD9T (but I just changed it). Your account has already been hacked, so it presumedly doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim Grin

hah good point.

If you post your password convertekk, I'll refund you for the loss. Also, we'll look into setting tighter requirements for passwords and maybe offer a 2fa on cashout option.

Quote from: convertekk on January 04, 2017, 11:59:06 AM

A password is a password is a password that simply cannot be shared on a public forum even if it is unique to this site. Let's just say I don't want to share it with you here in public. I shared it with Stunna anyways.

So.. this isn't a unique password? okay.

convertekk

member

Activity: 84

Merit: 10

Javascript developer, Available for work

Quote from: minifrij on January 04, 2017, 12:00:18 PM

Quote from: convertekk on January 04, 2017, 11:36:25 AM

You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords.

What would you suggest they did? Lock your account?

Quote from: convertekk on January 04, 2017, 11:36:25 AM

Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole.

Because it's not the website's responsibility to make sure the user has good password security. I trust that PD does all it can to secure user's passwords, although it cannot do everything.
It also isn't a loophole, it's logic. If your password is 'password123' people will guess it easily. That's not a problem with PrimeDice, it's a problem with you.

Quote from: convertekk on January 04, 2017, 11:36:25 AM

Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.

And what about if a user has a dynamic IP? Should they just get locked out of their own account?

Quote from: convertekk on January 04, 2017, 11:59:06 AM

I'm still skeptic about sharing my password but I had to do it anyways hoping it would help your investigation.

If you're telling the truth and it is a completely unique password it won't matter.

You are asking the right questions. Just to the wrong person. You tell me, what should your bank do when you enter an atm pin wrongly for more than 3 times ?

Well if someone is as dumb as setting his password as password123, he deserves to be hacked but unfortunately that's not my password.

May be Stunna can answer how a user can login without a password if he is using dynamic IP. I have no idea how anybody can do it.

A password is a password is a password that simply cannot be shared on a public forum even if it is unique to this site. Let's just say I don't want to share it with you here in public. I shared it with Stunna anyways.

RHavar

legendary

Activity: 1463

Merit: 1886

Quote from: convertekk on January 04, 2017, 11:46:23 AM

Ryan, seriously ? you are asking me to share my password here ?

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

Sure, why not? My password was yMrND9DpHD9T (but I just changed it). Your account has already been hacked, so it presumedly doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim Grin

Stunna

legendary

Activity: 3192

Merit: 1279

Primedice.com, Stake.com

Quote from: convertekk on January 04, 2017, 11:59:06 AM

Quote from: Stunna on January 04, 2017, 11:48:50 AM

Quote from: convertekk on January 04, 2017, 11:36:25 AM

Quote from: minifrij on January 04, 2017, 11:28:21 AM

Quote from: convertekk on January 04, 2017, 10:59:51 AM

how can a weak password be cracked Stunna ? you have a captcha on your website right ?

Captchas can be bypassed by bots through the use of external services. If a person knew that you had a weak password and enough balance to make it worth their time the captcha wouldn't be an issue.

Quote from: convertekk on January 04, 2017, 10:59:51 AM

User should have guessed my password in like 3 or 4 attemps to be able to crack my password under 10 minutes. or am I missing something ?

Not at all. Depending on how fast PD loads he could have tried it hundreds/thousands of times in that 10 minute period. If there is rate limiting it could be less, however that could possibly be bypassed unless it was applied per account.
Either way, it would be significantly more than 3 or 4 attempts in that time frame.

You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords. Guys, Seriously! isn't that a basic security that should be in place ? Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole. Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.

None of this in place and they defend their security. wow! It's scarier than I thought it is.

You've re-used that username on a handful of different websites including dodgier sites like blackhatworld. If that password is indeed unique it would be helpful if you privately shared it with me, it shouldn't matter since you aren't re-using it elsewhere right?

Quote

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

We encourage users to set strong passwords and have very basic length requirements. I'll explore making our requirements much stronger this week.

I'm not even sure which username you are referring to. I have multiple accounts with PD. The one that got robbed is definitely not registered with blackhatworld. Please read your emails to get my username and I've PMed you my password. I'm still skeptic about sharing my password but I had to do it anyways hoping it would help your investigation.

If it's a 100% unique password no longer in play what's the issue with sharing it?

convertekk

member

Activity: 84

Merit: 10

Javascript developer, Available for work

and can I know where exactly did you encourage your users to set a strong password ? Nowhere in the signup flow as I recall.

minifrij

legendary

Activity: 2352

Merit: 1268

In Memory of Zepher

Quote from: convertekk on January 04, 2017, 11:36:25 AM

You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords.

What would you suggest they did? Lock your account?

Quote from: convertekk on January 04, 2017, 11:36:25 AM

Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole.

Because it's not the website's responsibility to make sure the user has good password security. I trust that PD does all it can to secure user's passwords, although it cannot do everything.
It also isn't a loophole, it's logic. If your password is 'password123' people will guess it easily. That's not a problem with PrimeDice, it's a problem with you.

Quote from: convertekk on January 04, 2017, 11:36:25 AM

Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.

And what about if a user has a dynamic IP? Should they just get locked out of their own account?

Quote from: convertekk on January 04, 2017, 11:59:06 AM

I'm still skeptic about sharing my password but I had to do it anyways hoping it would help your investigation.

If you're telling the truth and it is a completely unique password it won't matter.

convertekk

member

Activity: 84

Merit: 10

Javascript developer, Available for work

Quote from: Stunna on January 04, 2017, 11:48:50 AM

Quote from: convertekk on January 04, 2017, 11:36:25 AM

Quote from: minifrij on January 04, 2017, 11:28:21 AM

Quote from: convertekk on January 04, 2017, 10:59:51 AM

how can a weak password be cracked Stunna ? you have a captcha on your website right ?

Captchas can be bypassed by bots through the use of external services. If a person knew that you had a weak password and enough balance to make it worth their time the captcha wouldn't be an issue.

Quote from: convertekk on January 04, 2017, 10:59:51 AM

User should have guessed my password in like 3 or 4 attemps to be able to crack my password under 10 minutes. or am I missing something ?

Not at all. Depending on how fast PD loads he could have tried it hundreds/thousands of times in that 10 minute period. If there is rate limiting it could be less, however that could possibly be bypassed unless it was applied per account.
Either way, it would be significantly more than 3 or 4 attempts in that time frame.

You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords. Guys, Seriously! isn't that a basic security that should be in place ? Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole. Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.

None of this in place and they defend their security. wow! It's scarier than I thought it is.

You've re-used that username on a handful of different websites including dodgier sites like blackhatworld. If that password is indeed unique it would be helpful if you privately shared it with me, it shouldn't matter since you aren't re-using it elsewhere right?

Quote

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

We encourage users to set strong passwords and have very basic length requirements. I'll explore making our requirements much stronger this week.

I'm not even sure which username you are referring to. I have multiple accounts with PD. The one that got robbed is definitely not registered with blackhatworld. Please read your emails to get my username and I've PMed you my password. I'm still skeptic about sharing my password but I had to do it anyways hoping it would help your investigation.

Stunna

legendary

Activity: 3192

Merit: 1279

Primedice.com, Stake.com

Quote from: convertekk on January 04, 2017, 11:36:25 AM

Quote from: minifrij on January 04, 2017, 11:28:21 AM

Quote from: convertekk on January 04, 2017, 10:59:51 AM

how can a weak password be cracked Stunna ? you have a captcha on your website right ?

Captchas can be bypassed by bots through the use of external services. If a person knew that you had a weak password and enough balance to make it worth their time the captcha wouldn't be an issue.

Quote from: convertekk on January 04, 2017, 10:59:51 AM

User should have guessed my password in like 3 or 4 attemps to be able to crack my password under 10 minutes. or am I missing something ?

Not at all. Depending on how fast PD loads he could have tried it hundreds/thousands of times in that 10 minute period. If there is rate limiting it could be less, however that could possibly be bypassed unless it was applied per account.
Either way, it would be significantly more than 3 or 4 attempts in that time frame.

You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords. Guys, Seriously! isn't that a basic security that should be in place ? Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole. Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.

None of this in place and they defend their security. wow! It's scarier than I thought it is.

You've re-used that username on a handful of different websites including dodgier sites like blackhat forums. If that password is indeed unique it would be helpful if you privately shared it with me, it shouldn't matter since you aren't re-using it elsewhere right?

Since it is unique though, you should feel comfortable posting it here.

Quote

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

We encourage users to set strong passwords and have very basic length requirements. I'll explore making our requirements much stronger this week.

convertekk

member

Activity: 84

Merit: 10

Javascript developer, Available for work

Quote from: RHavar on January 04, 2017, 11:31:07 AM

BTW what was your username and password (after you changed it)? As you used a unique password to the site, so it shouldn't matter saying it here. It'll likely help primedice as they can check it against the hashed version in the database, and allow people here help you out by checking it against some combo-list sites to make sure it hasn't been leaked somewhere else

Ryan, seriously ? you are asking me to share my password here ?

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

convertekk

member

Activity: 84

Merit: 10

Javascript developer, Available for work

Quote from: minifrij on January 04, 2017, 11:28:21 AM

Quote from: convertekk on January 04, 2017, 10:59:51 AM

how can a weak password be cracked Stunna ? you have a captcha on your website right ?

Captchas can be bypassed by bots through the use of external services. If a person knew that you had a weak password and enough balance to make it worth their time the captcha wouldn't be an issue.

Quote from: convertekk on January 04, 2017, 10:59:51 AM

User should have guessed my password in like 3 or 4 attemps to be able to crack my password under 10 minutes. or am I missing something ?

Not at all. Depending on how fast PD loads he could have tried it hundreds/thousands of times in that 10 minute period. If there is rate limiting it could be less, however that could possibly be bypassed unless it was applied per account.
Either way, it would be significantly more than 3 or 4 attempts in that time frame.

You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords. Guys, Seriously! isn't that a basic security that should be in place ? Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole. Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.

None of this in place and they defend their security. wow! It's scarier than I thought it is.

RHavar

legendary

Activity: 1463

Merit: 1886

BTW what was your username and password (after you changed it)? As you used a unique password to the site, so it shouldn't matter saying it here. It'll likely help primedice as they can check it against the hashed version in the database, and allow people here help you out by checking it against some combo-list sites to make sure it hasn't been leaked somewhere else

minifrij

legendary

Activity: 2352

Merit: 1268

In Memory of Zepher

Quote from: convertekk on January 04, 2017, 10:59:51 AM

how can a weak password be cracked Stunna ? you have a captcha on your website right ?

Captchas can be bypassed by bots through the use of external services. If a person knew that you had a weak password and enough balance to make it worth their time the captcha wouldn't be an issue.

Quote from: convertekk on January 04, 2017, 10:59:51 AM

User should have guessed my password in like 3 or 4 attemps to be able to crack my password under 10 minutes. or am I missing something ?

Not at all. Depending on how fast PD loads he could have tried it hundreds/thousands of times in that 10 minute period. If there is rate limiting it could be less, however that could possibly be bypassed unless it was applied per account.
Either way, it would be significantly more than 3 or 4 attempts in that time frame.

convertekk

member

Activity: 84

Merit: 10

Javascript developer, Available for work

Quote from: Stunna on January 04, 2017, 10:41:14 AM

Quote from: Wendigo on January 04, 2017, 10:37:00 AM

Quote from: Joel_Jantsen on January 04, 2017, 10:31:06 AM

Quote from: Wendigo on January 04, 2017, 10:28:27 AM

Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?

According to the OP,the process seems to have happened from the back-end.That is funds have been transferred through the database I believe.

If this indeed happened on the back end all the high-rollers would have been fleeced and Primedice's hot wallet would have been emptied while Stunna was sleeping, wouldn't they?

Indeed, there's no reason for us to believe this was a fault within our security. If I had to guess, weak password that got cracked or some sort of script/bot. Plenty of users hold much larger balances on primedice without issue (including myself).

As always I'm happy to investigate this further for you if you provide me as much information as possible beyond just your username via email.

how can a weak password be cracked Stunna ? you have a captcha on your website right ? User should have guessed my password in like 3 or 4 attemps to be able to crack my password under 10 minutes. or am I missing something ?

convertekk

member

Activity: 84

Merit: 10

Javascript developer, Available for work

Quote from: Wendigo on January 04, 2017, 10:28:27 AM

Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?

This is a very interesting point that you have raised. Firstly, they shouldn't have let two users login from different locations, especially when a player is actively playing on one IP. Isn't that a big security loop in itself ?

Secondly, no withdrawal window popped up on my account when the hacker was trying to steal my money.

Stunna, I'm sure you can reproduce this above case and please be elegant in accepting the blame for your loopholes than blaming me. I don't have any reason to cry about 55$ when I myself have wagered 100BTC on your site.

What more information do you need other than my username and email ? wouldn't you have all the information about my bets and transactions on your database ? you want my physical address and dob or what ?

Stunna

legendary

Activity: 3192

Merit: 1279

Primedice.com, Stake.com

Quote from: Wendigo on January 04, 2017, 10:37:00 AM

Quote from: Joel_Jantsen on January 04, 2017, 10:31:06 AM

Quote from: Wendigo on January 04, 2017, 10:28:27 AM

Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?

According to the OP,the process seems to have happened from the back-end.That is funds have been transferred through the database I believe.

If this indeed happened on the back end all the high-rollers would have been fleeced and Primedice's hot wallet would have been emptied while Stunna was sleeping, wouldn't they?

Indeed, there's no reason for us to believe this was a fault within our security. If I had to guess, weak password that got cracked or some sort of script/bot. Plenty of users hold much larger balances on primedice without issue (including myself).

As always I'm happy to investigate this further for you if you provide me as much information as possible beyond just your username via email.

Joel_Jantsen

legendary

Activity: 1988

Merit: 1317

Get your game girl

Quote from: Wendigo on January 04, 2017, 10:37:00 AM

Quote from: Joel_Jantsen on January 04, 2017, 10:31:06 AM

Quote from: Wendigo on January 04, 2017, 10:28:27 AM

Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?

According to the OP,the process seems to have happened from the back-end.That is funds have been transferred through the database I believe.

If this indeed happened on the back end all the high-rollers would have been fleeced and Primedice's hot wallet would have been emptied while Stunna was sleeping, wouldn't they?

Makes sense but if you read the thread from page 1,OP is not the only one who faced the problems.At the same point of time,other users claimed that their wallets have been hacked too.OP say's it's an inside job but no jumping to conclusions without Stunnah's side of the story.

Wendigo

legendary

Activity: 2604

Merit: 1036

Quote from: Joel_Jantsen on January 04, 2017, 10:31:06 AM

Quote from: Wendigo on January 04, 2017, 10:28:27 AM

Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?

According to the OP,the process seems to have happened from the back-end.That is funds have been transferred through the database I believe.

If this indeed happened on the back end all the high-rollers would have been fleeced and Primedice's hot wallet would have been emptied while Stunna was sleeping, wouldn't they?

Joel_Jantsen

legendary

Activity: 1988

Merit: 1317

Get your game girl

Quote from: Wendigo on January 04, 2017, 10:28:27 AM

Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?

According to the OP,the process seems to have happened from the back-end.That is funds have been transferred through the database I believe.

Wendigo

legendary

Activity: 2604

Merit: 1036

Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?

kolloh

legendary

Activity: 1736

Merit: 1023

Quote from: klf on January 04, 2017, 07:54:08 AM

Quote from: maku on January 04, 2017, 04:41:07 AM

Quote from: convertekk on January 04, 2017, 04:35:31 AM

Still no update from Stunna. Should I move this to the Scam Accusations thread in that case ?

Wait for it. I don't think that Stunna will gonna sweep this case under the rug. After couple days without proper response just create another thread is Scam Accusation section.
I would keep this thread in gambling section just for people who (like me) are not checking frequently other sections.

I saw Stunna asked him mail on 1st Jan and today already 4th Jan. I consider it is already sufficient time given to reply at least first information on what has happened and still how long they need it to investigate. If no reply yet means it is not a good customer support from a reputed site. If they can't manage traffic then should employee someone to handle these issues. It is just my opinion.

Perhaps, they should look into adding additional information to the transaction log such as including the IP address that initiated a withdrawl. Although, even if you know the attacker's IP address, you won't necessarily know how they were able to access your account. Although, it would help to know if the withdrawl came from your own IP or an attacker's IP address as it could help rule out attacks such as CSRF, etc.

Topic: PRIMEDICE COMPROMISED [RESOLVED] - page 4. (Read 4211 times)