Topic: Slush Pool (api.bitcoin.cz) hacked again? (Read 3243 times)

vip
Activity: 980
Merit: 1001
July 18, 2011, 08:19:11 AM
#6
We use 2 part authentication on the site, so for important changes such as wallet address you need to enter a PIN as well.
hero member
Activity: 927
Merit: 1000
In my pool I use OpenID and let someone else worry about that part of the security. You can log in with a Google account.

Of course I have to store worker passwords. They are salted and heavily hashed in the database. Not sure if worker passwords are really worth protecting, but it just feels safer to be paranoid.

Kind of pointless when they are sent over the network plain text, but w/e.
legendary
Activity: 2730
Merit: 1034
In my pool I use OpenID and let someone else worry about that part of the security. You can log in with a Google account.

Of course I have to store worker passwords. They are salted and heavily hashed in the database. Not sure if worker passwords are really worth protecting, but it just feels safer to be paranoid.
newbie
Activity: 16
Merit: 0
Hmm, I'm not like that, you see

- My MtGox password is and was completely different from the one on bitcoin.cz
- Both passwords are 250+ chars long and are chosen by a password management program I'm not going to specify.

Not only that, but suppose someone was able to log in, there is no way they can change the wallet address without me noticing it via my e-mail address.
(trying to change the e-mail address would also be noticeable, and the e-mail address hasn't changed)

- My e-mail address also has a 250+ char password which is different from all the others.
- My PCs aren't compromised (that I know of, there's always that creepy feeling I get sometimes and then I do another audit :) ), and I'm a very very paranoid IT guy. All logins on any level contain strong passwords.


hero member
Activity: 927
Merit: 1000
Everything is fine from my end.

Are you sure that password wasn't one used on mtgox?

Definitely sounds like you chose a poor password.
newbie
Activity: 16
Merit: 0
Hi, on 2011-07-15 21:33:14 my wallet address was changed to ------------------------------------------ and my limit went from 1 to 0.1 and "Notify on payout" wasn't checked any more.
I did not receive a change wallet notification via e-mail which it normally should do if you want to change your wallet address, so I'm assuming this is an internal change (DB value change).
I'm not comfortable with this at all. Are there any other victims? Please speak your mind, I would like to know if I am alone here or not.

The next logical question is, what would be the best alternative for api.bitcoin.cz?
I know there are a LOT of choices and that's the problem... Any founded suggestions would always be welcome :D
Until 2011-07-15 21:33:14 I was pretty happy about the service, they could handle DDoS'es pretty well, almost no connection problems during all my months of mining...
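
The check described in the post above (a payout-address change with no matching notification e-mail, made together with other payout settings), written as a reconciliation script. This is an added example, not part of the thread and not the pool's code. The table layouts, field names and the accounts `alice` and `bob` are constructed, and it assumes the audit rows are written by a database trigger so that direct database edits are recorded too.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not the pool's schema.
CHANGES = [  # rows from a hypothetical trigger-fed account-settings audit table
    {"account": "alice", "field": "wallet", "at": "2011-07-10 09:00:00"},
    {"account": "bob", "field": "wallet", "at": "2011-07-15 21:33:14"},
    {"account": "bob", "field": "payout_limit", "at": "2011-07-15 21:33:14"},
    {"account": "bob", "field": "notify_on_payout", "at": "2011-07-15 21:33:14"},
]
NOTIFICATIONS = [  # rows from a hypothetical outbound-mail log
    {"account": "alice", "kind": "wallet_change", "at": "2011-07-10 09:00:05"},
]
SENSITIVE = {"wallet", "payout_limit", "notify_on_payout"}
FMT = "%Y-%m-%d %H:%M:%S"


def unnotified_wallet_changes(changes, notifications, window=timedelta(minutes=10)):
    """Return wallet changes with no notification mail sent within `window` after them."""
    sent = {}
    for n in notifications:
        if n["kind"] == "wallet_change":
            sent.setdefault(n["account"], []).append(datetime.strptime(n["at"], FMT))
    findings = []
    for c in changes:
        if c["field"] != "wallet":
            continue
        when = datetime.strptime(c["at"], FMT)
        if not any(when <= t <= when + window for t in sent.get(c["account"], [])):
            findings.append(c)
    return findings


def bundled_changes(changes, finding):
    """Other sensitive fields changed on the same account in the same second."""
    return sorted(
        c["field"] for c in changes
        if c["account"] == finding["account"] and c["at"] == finding["at"]
        and c["field"] in SENSITIVE and c["field"] != "wallet"
    )


if __name__ == "__main__":
    for f in unnotified_wallet_changes(CHANGES, NOTIFICATIONS):
        print(f["account"], f["at"], "also changed:", bundled_changes(CHANGES, f))
```

A wallet change that bypassed the mail path and arrived bundled with a lowered payout limit and a cleared payout notification is the pattern worth alerting on.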
