Post: String of Bitcoin Mining/Exchange Site Hackings
04-28-2013, 07:41 AM #1
Clouds
Error 404: Title Not Found


Bitcoins. They are an unknown form of currency to much of the population. But to those who know what they are and those who invest in them, they are a wonder. Bitcoins are a decentralized form of currency. There are no rules about them, other than there are 21 million available. They are similar in ways to gold, or even the stock market. Read more about them here.

Most recently, the Bitcoin exchange site Bitcoin-Central was hacked. With this hacking, they lost a few hundred Bitcoins. To those that don't know what the value of the Bitcoin is, you may think that it's not that bad. A single Bitcoin is worth, at this moment, $131.30. Now multiply that by a few hundred. Just as bad, Bitcoin.cz (aka slush's pool), one of the first Bitcoin mining pools, and the one I am in, has also been hacked. As well, the hacker made off with some Bitcoins from there, too. Both providers have confirmed to be reimbursing affected users.

Initially, the owner of the mining site, slush, thought the hack to be a simple SE by a hacker. He initially thought that the e-mail to his account had been reset, and he was locked out of the site. Luckily for the users, he was watching the servers at the time and noticed it quickly, so not many Bitcoins were made off with.
As for Bitcoin-Central, I'm not sure how quickly they noticed the attack or if they have any thoughts on it. They are a very large site that traffics in exchange of Bitcoins to currency, so the BTC made off with is about equal to the traffic.

Now keep in mind that these weren't the only sites hacked, but they are the only ones I know of. Allow me to fill you in on one final detail. All the hackings occurred on sites all hosted by OVH.

What do you think now, reader? Was it an inside job or just poor security? Nothing is confirmed yet, but I'm leaning more towards it being an inside job.

Slush's post regarding his site hacking:
Originally posted by another user
Today at 3pm UTC I noticed that somebody successfully reset the password to OVH Manager, the place where servers can be managed, restarted to rescue mode etc. I promptly reset the password at OVH to something different and I also changed the password on my email account and checked that there are no other active connections to my mailbox. I have to say that my mailbox is secured by OTP passwords and I take physical security very seriously, so nobody else had access to my mailbox. I know that the password-reset feature is quite a popular attack vector, so I did everything possible to prevent it from happening.

By changing the password at OVH, all other sessions using the old credentials are automatically kicked from the Manager. I also cross-checked that nothing wrong happened to the servers at this time. Unfortunately I didn't find out how the attackers got access to the Manager, so I asked OVH support to provide some additional information and restrict Manager access to my IP range.

It's no surprise that OVH didn't respond to this ticket for hours, but at 11pm UTC I realized that there was another successful password reset at OVH. This is a complete mystery to me, because I'm absolutely sure that nobody else had access to my mailbox and the email with the reset link has been untouched (unread, not deleted). I'd say that an attacker wouldn't bother changing the status of the email to "unread", but would delete the email instead.

This time I realized that the attacker reset the machine with the wallet to rescue mode, which means that I lost control of this machine. I was still successful in logging into the database, and I took a snapshot of the database and transferred it to a safe location. A few seconds after the migration finished, the attackers restarted all remaining machines to rescue mode.

So far it looks like yet another inside job, like Linode two years ago. Or the attackers found some shortcut to gain access to the Manager without confirming the request from the email. I don't know which option is worse. I'll investigate this issue in detail later and I hope OVH won't close its eyes to this.

I can recover the pool to the normal operation tomorrow.


If any users here have sites hosted by OVH or use a VPS from them, continuing with them should be considered a security risk for the moment. At least until we can receive further confirmation that this was not an inside job and security has been increased. I am aware that handling Bitcoins is a very shaky thing, considering transactions are untraceable, but a provider hacking a site it hosts is a security risk for anyone using them.

Note that since there is no section for amateur reporting, I am posting this in the most relevant section. (Internet, due to hosting providers being involved)

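The pattern slush describes above (a control-panel password reset completed without the owner ever touching the reset email, followed minutes later by servers being rebooted into rescue mode) is something a hosting provider's audit log can be checked for automatically. The script below is an added example written for this thread, not code from the original post, from OVH or from the pool; the log format, event names, IP addresses and the allowlisted owner network are all constructed for the demonstration.

```python
"""
Added example (not from the original post, OVH or slush's pool): replay a
hosting-control-panel audit log and flag password resets that complete
without a reset-link click from the account owner's network, plus any
rescue-mode reboots that follow such a reset within a short window.
Every log line, event name and IP range below is constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed audit log, one event per line: "timestamp|event|src_ip|detail"
SAMPLE_LOG = """\
2013-04-20T14:55:02Z|reset_requested|203.0.113.9|account=pool-admin
2013-04-20T15:00:11Z|reset_completed|203.0.113.9|account=pool-admin
2013-04-20T15:01:00Z|password_changed|198.51.100.7|account=pool-admin
2013-04-20T22:58:40Z|reset_requested|203.0.113.9|account=pool-admin
2013-04-20T23:00:05Z|reset_completed|203.0.113.9|account=pool-admin
2013-04-20T23:02:30Z|reboot_rescue|203.0.113.9|host=wallet-01
2013-04-20T23:04:10Z|reboot_rescue|203.0.113.9|host=web-01
2013-04-21T09:00:00Z|reset_requested|198.51.100.7|account=pool-admin
2013-04-21T09:01:30Z|reset_link_clicked|198.51.100.7|account=pool-admin
2013-04-21T09:02:00Z|reset_completed|198.51.100.7|account=pool-admin
"""

# Constructed allowlist standing in for "restrict Manager access to my IP range".
OWNER_NETWORKS = [ip_network("198.51.100.0/24")]


@dataclass
class Event:
    ts: datetime
    name: str
    src: str
    detail: str


def parse_log(text: str) -> list:
    """Parse the pipe-delimited constructed log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, src, detail = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), name, src, detail))
    return events


def from_owner(ip: str) -> bool:
    """True if the source address falls inside the owner's allowlisted ranges."""
    return any(ip_address(ip) in net for net in OWNER_NETWORKS)


def find_suspicious_resets(events, link_window=timedelta(minutes=15),
                           rescue_window=timedelta(minutes=30)) -> list:
    """
    Return (finding, timestamp, detail, src_ip) tuples.
    A reset_completed is legitimate only if the same account clicked the
    reset link from the owner's network within link_window and the reset
    itself came from the owner's network; anything else is flagged, and so
    are rescue-mode reboots within rescue_window after a flagged reset.
    """
    findings = []
    for i, ev in enumerate(events):
        if ev.name != "reset_completed":
            continue
        clicked_by_owner = any(
            prev.name == "reset_link_clicked" and prev.detail == ev.detail
            and from_owner(prev.src) and ev.ts - prev.ts <= link_window
            for prev in events[:i]
        )
        if clicked_by_owner and from_owner(ev.src):
            continue
        findings.append(("reset_without_owner_click", ev.ts.isoformat(), ev.detail, ev.src))
        for later in events[i + 1:]:
            if later.ts - ev.ts > rescue_window:
                break
            if later.name == "reboot_rescue":
                findings.append(("rescue_after_suspicious_reset",
                                 later.ts.isoformat(), later.detail, later.src))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(parse_log(SAMPLE_LOG)):
        print(*finding, sep="  ")
```

On the constructed log this flags both resets that completed with no owner link click (the two incidents slush describes) and the two rescue-mode reboots that follow the second one, while the last reset, where the owner clicked the link from the allowlisted range, passes. The check deliberately keys on the reset link being used from the owner's network rather than on the reset email merely being sent, which is the gap the quoted post points at: the email arrived untouched yet the reset still went through.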
04-30-2013, 11:08 AM #2
ResistTheSun
In Flames Much?
More are going to happen; there's loads of money to be made off bitcoins.
What's amazing is how the average bitcoin exchange lasts only one year.
