
Topic: Wallet Hack on 4/25 - page 2. (Read 11212 times)

legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
April 29, 2013, 02:11:08 AM
#88
Keyfiles stored on your computer would have to be uploaded to their servers for hashing, OR your client side browser will have to perform the hashing offline, and submit your result online.

In either case, MITM or eavesdroppers can intercept the keyfiles. There would have to be some sort of public key or SSL encryption going on for this to work, so no one else can grab your keyfile or the hash of that keyfile.

If your computer is compromised, they can get your keyfile.
legendary
Activity: 2618
Merit: 1022
April 28, 2013, 10:13:58 PM
#87
Here is an example of my logins for banks and Mt. Gox:

Username: kl2uggsyf3yue9g4e2
Password: t#nocq2*l4c*b1yibxf%tazzh0^$)^ft0

Both are limited by what the system will accept. Some of my bank usernames only accept letters and numbers (alphanumeric). Some corporate bank accounts also include a bank generated company code (which I don't have control of).

The above is not an actual account, it is just an example.

For forums, like this one, I use a simple username, like, Dabs. The password is just as long and complicated.

Where my username is not likely to ever be seen by anyone else, I pick a long random username. Banks and bitcoin exchanges and bitcoin wallets are examples.

I would like to see sites use KEY files like TrueCrypt does (but check client side, never upload)....a JPG as a KEY file is basically unhackable, even keyloggers would be hard as they would have to record where you pointed your mouse
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
April 28, 2013, 10:09:19 PM
#86
Here is an example of my logins for banks and Mt. Gox:

Username: kl2uggsyf3yue9g4e2
Password: t#nocq2*l4c*b1yibxf%tazzh0^$)^ft0

Both are limited by what the system will accept. Some of my bank usernames only accept letters and numbers (alphanumeric). Some corporate bank accounts also include a bank generated company code (which I don't have control of).

The above is not an actual account, it is just an example.

For forums, like this one, I use a simple username, like, Dabs. The password is just as long and complicated.

Where my username is not likely to ever be seen by anyone else, I pick a long random username. Banks and bitcoin exchanges and bitcoin wallets are examples.
donator
Activity: 668
Merit: 500
April 28, 2013, 10:00:04 PM
#85
Also I have setup several wallets with deliberately weak passwords that are unemptied.
Do any of those wallets have easily guessable aliases?  I imagine if they had, they would be empty now.  Of course, now you're forcing email confirmation for aliases (sometimes, always?) so it wouldn't work so easily.
newbie
Activity: 28
Merit: 0
April 28, 2013, 09:30:01 PM
#84
Update - after speaking some more with my affected customer I am no longer convinced his password was indeed strong enough.

Maybe passwords were brute-forced after all? silvereagle - just how strong was your password?

Will be happy to hear about any progress in figuring this out.

Alias was very short so may have been hackable.  Password was 15 characters long but made up of multiple words that may have been found in dictionary.  Possible but permutations to put that many words together would still be extremely high.
legendary
Activity: 2618
Merit: 1022
April 28, 2013, 08:16:22 PM
#83
Guess there are a lot of GPU clusters coming available now that are basically set up for brute forcing passwords .... "strong" password does not mean what it used to?

that's why you need a 20 plus long password
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
April 28, 2013, 06:52:31 PM
#82
Guess there are a lot of GPU clusters coming available now that are basically set up for brute forcing passwords .... "strong" password does not mean what it used to?
donator
Activity: 668
Merit: 500
April 28, 2013, 05:53:46 PM
#81
I now believe I know how they got my friend's coins.


She'd given her account a short, 4-letter alias.  Her 10-letter password began with that alias, in a way that a human might be able to guess the first 8 letters (the final two were numbers).  Doh.

I believe that several attack vectors are being used, and that one is that someone is cycling through short aliases, perhaps regardless of spelling, and longer aliases that are dictionary words. Knowing the alias used to be enough, without 2 factor, for blockchain.info to give up your encrypted wallet. They are then brute forcing passwords, trying both common passwords, dictionary words, and others beginning or ending with the alias.
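
Added example, not part of the thread and not blockchain.info code: a sign-up-time check for the two password patterns described in posts #81 and #84 (a password built around the public alias, and a long password that is only a few dictionary words plus digits). The function names and the tiny wordlist are assumptions made for illustration.

```python
import re

# Small constructed wordlist; a real check would load a large dictionary.
WORDS = {"purple", "monkey", "river", "stone", "moon", "coin", "light"}

def split_into_words(text, words=WORDS):
    """Return the fewest dictionary words that tile `text` exactly, or None."""
    best = {0: []}                      # best[i] = fewest words covering text[:i]
    for i in range(1, len(text) + 1):
        for j in range(i):
            if j in best and text[j:i] in words:
                cand = best[j] + [text[j:i]]
                if i not in best or len(cand) < len(best[i]):
                    best[i] = cand
    return best.get(len(text))

def weak_reasons(alias, password, words=WORDS):
    """List the reasons a wallet password is guessable from public information."""
    reasons = []
    pw = password.lower()
    # The alias is public, so any password containing it loses that many characters.
    if alias and alias.lower() in pw:
        reasons.append("contains the wallet alias")
    # Strip leading/trailing digits and symbols, then try to tile the rest with words.
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw)
    parts = split_into_words(core, words) if core else None
    if parts:
        reasons.append(f"{len(parts)} dictionary word(s) plus padding: " + "+".join(parts))
    return reasons

if __name__ == "__main__":
    # Constructed inputs: alias-derived, multi-word, and a random-style password.
    for alias, pw in [("moon", "MoonCoin42"), ("x9q", "purplerivercoin7"),
                      ("kl2uggsyf3yue9g4e2", "t#nocq2*l4c*b1yibxf%tazzh0^$)^ft0")]:
        print(alias, pw, weak_reasons(alias, pw) or "no finding")
```

Length alone does not clear the second case: the 15-letter core is three tokens from the attacker's point of view, not 15 independent characters.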
donator
Activity: 2058
Merit: 1054
April 28, 2013, 09:51:17 AM
#80
Update - after speaking some more with my affected customer I am no longer convinced his password was indeed strong enough.

Maybe passwords were brute-forced after all? silvereagle - just how strong was your password?

Will be happy to hear about any progress in figuring this out.
legendary
Activity: 2618
Merit: 1022
April 27, 2013, 07:31:40 PM
#79

so you seem to think they are getting passwords and usernames and a lot of people use the same on diff sites...!



that wouldn't be the case with me though Jubalix - I used a unique alias and unique password on blockchain.info - couldn't have pulled it from anywhere else.


okay....then the injected javascript or server-side client redirect hack
newbie
Activity: 28
Merit: 0
April 27, 2013, 07:23:58 PM
#78

so you seem to think they are getting passwords and usernames and a lot of people use the same on diff sites...!



that wouldn't be the case with me though Jubalix - I used a unique alias and unique password on blockchain.info - couldn't have pulled it from anywhere else.
newbie
Activity: 53
Merit: 0
April 27, 2013, 05:10:28 PM
#77
I too have received 5 "login requests" in the past few days 1 from sweden and 4 from the USA. Too bad someone already hacked into my wallet and took my .5 btc on 4-21. They can have the .00000004 for all I care.

.5 hacked and sent to 1DvySR2sgb1iZHBePQ9H3Vv1PoVYrDsF5A


login requests from USA IP
USA Time: 2013-04-27 20:56:57
IP Address: 69.40.145.118

login request from Sweden on the  26th
Time: 2013-04-26 20:48:33
IP Address: 194.132.32.42 (Sweden)
newbie
Activity: 26
Merit: 0
April 27, 2013, 04:11:43 PM
#76
I got this email too:

----
Authorize log-in attempt

An attempt to login to your blockchain.info wallet was made from an unknown browser. Please confirm the following details are correct:

Time: 2013-04-26 22:03:19
IP Address: 46.167.245.50 (Czech Republic)
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

If the above details are correct please use the following login link:

https://blockchain.info/wallet/

If this login attempt was made by you this email can be safely ignored however you may wish to change your wallet alias.
----

I don't have any coins there, so good luck with that. However, I used a common word as the wallet identifier, as some other people here apparently did. I am guessing someone is blindly trying weak identifier/password combinations.
legendary
Activity: 2618
Merit: 1022
April 27, 2013, 01:53:41 PM
#75
there's going to be some unhappy people in the next 48 hrs.

I note with the email I received, it checked out as me at my computer from my IP....??

maybe my computer is infected?

the times appeared to be consistent with my own login...not malware...




but I do not run java
legendary
Activity: 2618
Merit: 1022
April 27, 2013, 01:35:49 PM
#74
Unfortunately I think more users are likely to be affected by this transaction.

Any users who own an address used in the above transaction (https://blockchain.info/tx/89f8223bc1d9140889496dea843df1854f17aee35b8ac5006ec1efee2ba5bd80) please could you answer the following questions:

  • Do you have a bitcoin app on your android phone?
  • Do you have a blockchain.info wallet holding the address in question?
  • If you have a blockchain wallet do you use a public alias the same as your bitcointalk, bitcoin-otc or irc username?
  • Do you have accounts on one of the following sites: BTC-e, bitcoin-central or mining.bitcoin.cz?
  • Do you reuse the same wallet password on different websites (specifically the above sites)?
  • Do you read the BTC-e chat box?
  • Does your browser have Java enabled? http://isjavaenabled.com


so you seem to think they are getting passwords and usernames and a lot of people use the same on diff sites...!

sr. member
Activity: 657
Merit: 250
April 27, 2013, 12:20:08 PM
#73
Someone tried to login to my blockchain.info wallet, too. I don't have any coins there and can't even access it myself (lost the password), but the timing is curious.

Code:
Authorize log-in attempt

An attempt to login to your blockchain.info wallet was made from an unknown browser. Please confirm the following details are correct:

Time: 2013-04-27 10:35:24
IP Address: 91.37.37.166 (Germany)
User Agent: Apache-HttpClient/4.2.3 (java 1.5)

If the above details are correct please use the following login link:

https://blockchain.info/wallet/1496c01a-95a3-78e7-9b31-eadfab3eb580

If this login attempt was made by you this email can be safely ignored however you may wish to change your wallet alias.

The alias for that identifier is my username here, so it might be a coincidence. Just thought I'd let you know, in the off chance that this is related and might help. This is the first time I received such an email, even though I made that wallet last year IIRC.
hero member
Activity: 763
Merit: 500
April 27, 2013, 11:18:52 AM
#72
Admittedly, my alias is a plain word so possible they could've just tried brute force finding an alias …
that could be quite true. blockchain.info should monitor access/ip patterns to spot such attempts.

more importantly, i strongly suggest to enable two factor authentication. (and if you use email, think about the email security … gmail has 2FA too)
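
Added example, not part of the thread and not blockchain.info code: one way to do the access-pattern monitoring suggested in post #72, flagging a client that requests many different wallet aliases within a time window even when its source IP keeps changing. The log layout, function name, thresholds, IPs (documentation ranges), aliases and the `CURRENT_FF` string are constructed; the other two user agents are the ones quoted in the notification e-mails in this thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# User agents quoted in the thread's notification e-mails.
OLD_FIREFOX = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) "
               "Gecko/20051111 Firefox/1.5")
HTTPCLIENT = "Apache-HttpClient/4.2.3 (java 1.5)"
# Constructed stand-in for an ordinary user's browser.
CURRENT_FF = "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0"

# Constructed sample log: (time, source IP, user agent, alias requested).
ATTEMPTS = [
    ("2013-04-23 09:00:00", "192.0.2.7", OLD_FIREFOX, "gold"),
    ("2013-04-26 20:40:00", "192.0.2.10", OLD_FIREFOX, "silver"),
    ("2013-04-26 22:10:00", "198.51.100.4", OLD_FIREFOX, "wallet"),
    ("2013-04-27 07:20:00", "203.0.113.9", OLD_FIREFOX, "bitcoin"),
    ("2013-04-27 08:30:00", "192.0.2.10", OLD_FIREFOX, "money"),
    ("2013-04-27 10:30:00", "198.51.100.77", HTTPCLIENT, "satoshi"),
    ("2013-04-27 12:00:00", "203.0.113.50", CURRENT_FF, "alice"),
    ("2013-04-27 12:05:00", "203.0.113.50", CURRENT_FF, "alice"),
]

def flag_alias_sweeps(attempts, window=timedelta(hours=24), min_aliases=4):
    """Map user agent -> widest sweep seen: distinct aliases and IPs in one window."""
    by_ua = defaultdict(list)
    for ts, ip, ua, alias in attempts:
        by_ua[ua].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, alias))
    flagged = {}
    for ua, events in by_ua.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            aliases = {alias for _, _, alias in span}
            if (len(aliases) >= min_aliases
                    and len(aliases) > flagged.get(ua, {}).get("aliases", 0)):
                flagged[ua] = {"aliases": len(aliases),
                               "ips": len({ip for _, ip, _ in span})}
    return flagged

if __name__ == "__main__":
    for ua, hit in flag_alias_sweeps(ATTEMPTS).items():
        print(f"{hit['aliases']} aliases from {hit['ips']} IPs: {ua}")
```

A user agent is trivially changed by the client, so this key only catches tooling that leaves it fixed; the same sliding-window count can be keyed on source IP or subnet as well.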
legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
April 27, 2013, 10:32:07 AM
#71
I probably missed it, but had any of the involved accounts 2FA enabled?
newbie
Activity: 28
Merit: 0
April 27, 2013, 10:27:44 AM
#70
So, interesting development this morning.  I shut down the wallet I had with blockchain.info yesterday after it was potentially compromised and decided to just start with a fresh new wallet hosted there.  Very strong password, different identifier.  Java not installed on my machine and scanned for malware.

Received this this morning -- from blockchain.info notification:

Authorize log-in attempt
An attempt to login to your blockchain.info wallet was made from an unknown browser. Please confirm the following details are correct:
Time: 2013-04-27 07:17:42
IP Address: 77.109.138.42 (Switzerland)
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
If the above details are correct please use the following login link:
https://blockchain.info/wallet/[blocked out for obvious reasons]
If this login attempt was made by you this email can be safely ignored however you may wish to change your wallet alias.

and this...

An attempt to login to your blockchain.info wallet was made from an unknown browser. Please confirm the following details are correct:
Time: 2013-04-27 08:38:09
IP Address: 5.9.121.38 (Germany)
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
If the above details are correct please use the following login link:
https://blockchain.info/wallet/[blocked out for obvious reasons]
If this login attempt was made by you this email can be safely ignored however you may wish to change your wallet alias.

Apparently there is still some sort of malware out there attempting to hack the blockchain.info service.  Machine was clean when I set this new wallet up, only way I think they could've possibly found the address is through scanning potential aliases.  Admittedly, my alias is a plain word so possible they could've just tried brute force finding an alias that would lead them to identifier and tried to log in from there.  Otherwise, can't imagine how they would've gotten it.  Just a lead for PIUK to follow if he's interested in trying to button up security on the site.


legendary
Activity: 4592
Merit: 1276
April 27, 2013, 01:43:10 AM
#69
Yes, this is an area that needs improvement, currently the usage of the wallet is still too complex and dangerous. Maybe bitcoin will never be used by the majority, it seems many people really cannot/don't have time to take care of the security of their own money, they have to rely on some secure money storage service like a bank

I think that the problem is not so much ignorance as it is that computers (including various devices) and networks are not designed for keeping information private.  Indeed, the trend is strongly in exactly the opposite direction (think Carrier IQ.)
 
If a person's pics from the wedding they attended the weekend before were as valuable as BTC there would be few which remain private for very long.  It is unlikely that things are going to turn around simply because it is needed to make Bitcoin safe for users.  Probably just the opposite in fact.  OTOH, I do expect that if Bitcoin is not quashed in its early phases, there will be large and competent service providers who will kindly take care of users' BTC for them, and will likely do it...um..."for free" as is the case with e-mail, social media, etc, etc.  Problem solved.
