Topic: WARNING! 40 000 USD was stolen fom BTC-e.com account! - page 4. (Read 10771 times)

-Not having 2FA enabled = asking for money to be stolen - 2FA is safier probably (But there are cases when it is also hacked) if they don't demand  it How can I know what other security measures were done. I can't know about them I do my business they do there.  Safety of my money it is there business. All bitcoins is a question of trust! I chose to trust btc-e because I had to make such a choice otherwise I wouldn't earn my 40 K
-Keeping 40k worth of money on a website that could disappear at any moment = asking for money to be stolen - Where to keep 40 - Where to keep 40 k in bitcoins considering that exchange rate of the bitcoin can make 20 % a day?
-Acting as if macs can't get viruses = asking for money to be stolen - It can but I've checked it has not!
-Using a service which doesn't send you an email to authorize every single transaction and then trusting said service with 40k USD = asking for money to be stolen
-"So everything was ready for the stealing." = you made it ready for stealing by not following basic security procedures (activating 2FA etc) - 2FA can be hacked as well as https if they mean that the password was stolen through that door, especially if an employee envolved.

My questions (please answer all of these so we can see what factors may have attributed to this situation):
-Were you using wifi? - Rarely most of the time I use private modem
-Were you using a wireless keyboard? - never
-What browser do you use? - tor over vpn
-Does anyone else use your computer? - no
-Do you share your wifi access with anyone else? - no
-How long is your password (roughly), is it a dictionary word? or is it a complicated set of numbers/letters. - of cause my passowrd is made by 1password
-Do you share the same password on ANY other service ANYWHERE - never

Yes I realized you and OP were separate but I asked because most people jump onto websites saying "oh no everything has been stolen" and then don't provide any information about the situation.

All we know about the original poster so far is that he didn't even have 2FA enabled, my other questions would help readers understand what other factors could have contributed to the unauthorized access of his account.

If people want to blame particular services/exchanges then that is their right, but in doing so they should at least present their side of the story in a transparent manner and let readers know all possible contributing factors to their situation before trying to point the finger at an "inside job". I believe they can answer all the questions I've asked without compromising their personal privacy too, so there is no excuse to not provide this basic information to us, it just serves as a detriment to people who may want to investigate security issues now or at any time in the future.

As a community we should also be noting down the shortcomings of particular exchanges--part of this relies on knowing the customers side of the story too.

If they did take every conceivable precaution (such as activating 2FA, running regular antivirus/malware scans etc etc) then I wouldn't even need to ask these questions. As it is, anyone who is reading this thread and doesn't have 2FA enabled for their accounts should be dedicating the next few minutes of their life to start using it.

btc-e must be able to see where the majority of those funds went. things like this piss me off, they continually refuse to work with customers in situations like this........

To be precise: I missinterpreted your question about wifi, im connected with the cable to my router, but can do wifi aswell. sorry
And no, I'm not OP so they can even steal my password of my wallet, there is 0 in it.

Thanks for the info. The same applies though, if you share the same username between services then it is relatively easy for someone to then find your email address and then expand from that to find other information about you.

Anyone that engages with you in a conversation and provides a link could gather your IP address from your visit to said link (depending on what website it is obviously) or install malware directly onto your PC.

It is a good practice to use a VPS when using these sites to mask your true IP address at all times.

btc-e doesn't allow email-address as a login.

Edit: and they lock your account after 3 failed login attempt. No way can an attacker guess your password using just 3 attempts. Unless it's "123456" or "password"

So its more a case of unauthorized trades rather than OP's claim that "40 000 USD was stolen".

I guess it serves as a great lesson on why bothering to learn about 2FA (which takes about 2-3 minutes) could save your account from unauthorized access. Just because a mobile can also be hacked it doesn't make it any less useful of a security feature.

Another question I have is what email address/username was used in this situation, is it one that is shared among other websites of the same nature or was it a unique email address that was never actually used for email purposes?

If your email address even shows up on a Google search that means it is vulnerable. You should have a unique, unknown, unused (besides verification and sign up) email address/username that is not listed on any search engine to maximize security. If you don't have a unique username then you should have a super common one that shows up everywhere.

Using wifi isn't the greatest idea when money is at stake.

btc-e does require email verification for withdrawals.  Which is why this is probably OPs funds being stolen:

Windows 7
Firefox
Yes
No
No, only me.
No
15 chars, it was a mix of latin word number and special chars.
No, that password was unique, at least for the email.

I'm still wondering why he requested password change of a game "Trion Worlds", of an empty cex.io account, and another account of stellarix(empty too) and all those passwords were differents.
Side Note, why he didn't asked to change passwords to my porn sites? maybe because they were all free accounts. 

Again if you're going to say your email address or any account was hacked please provide the following information:
-What operating system?
-What browser do you use?
-Were you using wifi?
-Were you using a wireless keyboard?
-Does anyone else use your computer (at ALL)?
-Do you share your wifi access with anyone else?
-How long is your password (roughly), is it a dictionary word? or is it a complicated set of numbers/letters.
-Do you share the same password on ANY other service ANYWHERE?

Exactly--this should be common practice. 40k USD isn't exactly pocket change for most people.

There really should be a rating system for the various exchanges, what security measures they offer as well as a track record of their history (sort of like coinssource we need an exchangesource if such a thing exists)

Email confirmation of transactions/withdrawals will at the very least prove the exchange is extremely unlikely to involved in theft from accounts and would point at the user's computer being compromised (or similar).

and I'm still wondering how the hell they hacked into my email too.
The password I personally used was a complex one, but they still managed to enter and change it, and they even gone to my cex.io without issues and that password was one time used and they searched for any btc in it(luckily it was empty, I was only lurking there)
but still, they managed to reset some of many not bitcoin related websites/games password
But hell, I would never trust a website to hold 40K dollars, maybe only on my computer, inside a virtual machine.(If I break that virtual machine im damned to hell but, I would use that method.

Man this situation makes me sick to the stomach, hope your end up with some kind of result OP, no idea what you should do, BTC-e support is your only hope though.

Yes of course ,with the simple 2FA you have a "strong"  level of security but as you told also the  email for confirm the withdraw will add a much level of security.

However as I always said, you will should never keep your money in an exchange (for 1-2 days) -instead- you have to deposit > make the exchange and then withdraw all your "coins" to your personal wallet.

2FA alone is not enough--every service that holds cryptocurrency should require verification via email combined with 2FA authentication (this is what Poloniex does). Withdrawals should require the same.

Any service that runs without these basic features is just asking for money to be stolen.

They ought to investigate, I'm with you on this. I have an account with btc-e and I sincerely hope they didn't just tell him to f*ck off. At least not right away.

Before you go assuming your mac is perfect and your password alone is enough to protect you--it isn't. I've seen macs firsthand with viruses. Nowadays visiting a single website is enough to completely compromise your system.

My opinion:
-Not having 2FA enabled = asking for money to be stolen
-Keeping 40k worth of money on a website that could disappear at any moment = asking for money to be stolen
-Acting as if macs can't get viruses = asking for money to be stolen
-Using a service which doesn't send you an email to authorize every single transaction and then trusting said service with 40k USD = asking for money to be stolen
-"So everything was ready for the stealing." = you made it ready for stealing by not following basic security procedures (activating 2FA etc)

My questions (please answer all of these so we can see what factors may have attributed to this situation):
-Were you using wifi?
-Were you using a wireless keyboard?
-What browser do you use?
-Does anyone else use your computer?
-Do you share your wifi access with anyone else?
-How long is your password (roughly), is it a dictionary word? or is it a complicated set of numbers/letters.
-Do you share the same password on ANY other service ANYWHERE?

Regardless of you being slightly naive (my personal opinion anyway) with a lot of these, this service should still be assisting you (once they have identified you are the legitimate account holder).

few years back there was a security breach with liberty reserve deposits, allowing the attacker to  deposit fake usd in unlimited quantities,
attacker used funds to buy bitcoin and litecoin and then withdrew them, what btc-e did was to roll-back every transaction on btc-e to the state before the attack took place.

im not saying they should do the same now, but atleast they can investigate the theft, compare ip's used to login to his account and compare it to the ones that benefited the most out of trades.
its likely that the attacker used vpn, but maybe he didnt, maybe its just some skid that grabbed his login in some lame way, iwe seen alot of them over the years.
but to tell someone its their own faul and goodbye, well mister, you just lost some customers, presuming this story turns out to be true.

cheers

Oh thanks I've "skipped" that part, so it is also a fault of the OP. The 2FA *must* be active in each exchange/site when you are "depositing/saving" your money (it is a basically rules/concept).