The pool is now completely shut off, 177 days after the initial closure announcement. This is 87 days more than was promised in our Terms of Service, the FAQ, and forum posts in the past about our closure process. I had been extending the shutdown process to give more time for those who don't pay attention, but problems this evening have forced me to finally stop providing extensions and finish the shutdown.
After the pool removed its servers from colocation, the frontend was rewritten to provide a reduced functionality version that could run on a single temporary webserver to continue allowing withdrawal requests. This rewrite required significant removal of checks that used to be done between multiple servers and DDoS protection scripts used to identify brute force attacks. Since the site was no longer active, I assumed these shouldn't be required anymore since if somebody DDoS'd the site, it didn't really affect anything other than delaying withdrawals for a few hours/days until the attack stopped.
Unfortunately, this inadvertently removed the site's brute force protection on logins. This evening, approximately 400 accounts (out of over 1 million) were logged into, and attempts were made to change their addresses. Accounts that had no email set up for authentication were immediately changed, while those with emails set up received emails with a confirmation link. Locked accounts obviously had nothing available to them.
Knowing that stripping out many layers of site functionality may have inadvertently added attack vectors, I removed automatic payout processing, leaving it as a fully manual process after the server move. This allowed me to catch the fact that this happened and prevent the attacker from getting a payday (even if the total amount wasn't even half a Bitcoin).
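As an added example (not part of the original post or BTC Guild's own code), a small Python detector run over constructed login records: it separates classic per-account brute force from the many-accounts, few-sources pattern described above, and lists successful logins from flagged sources as candidates for the kind of manual review that caught this incident. The log format, IP addresses, usernames and thresholds are all assumptions.

```python
"""Login-abuse detection over constructed auth records (added example)."""
from collections import defaultdict
# Constructed sample log, one event per line: "timestamp ip username result".
SAMPLE_LOG = """\
1000 203.0.113.5 alice FAIL
1001 203.0.113.5 bob FAIL
1002 203.0.113.5 carol OK
1003 203.0.113.5 dave FAIL
1004 203.0.113.5 erin OK
1006 198.51.100.7 grace FAIL
1007 198.51.100.7 grace FAIL
1008 198.51.100.7 grace FAIL
1009 198.51.100.7 grace FAIL
1010 198.51.100.7 grace FAIL
1030 192.0.2.9 heidi OK
"""

def parse(log):
    """Turn raw lines into (timestamp, ip, user, success) tuples."""
    out = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        out.append((int(ts), ip, user, result == "OK"))
    return out

def detect(events, window=60, per_account_fail=5, per_ip_users=4):
    """Return (brute_forced_accounts, stuffing_ips).

    Brute force: >= per_account_fail failures on one account inside `window` s.
    Credential stuffing: one source tries >= per_ip_users *different* accounts,
    a few times each (the spread-out pattern the post describes); thresholds
    here are assumed values, not anything from the original site.
    """
    fails = defaultdict(list)       # user -> timestamps of recent failures
    users_by_ip = defaultdict(set)  # ip -> distinct usernames attempted
    brute, stuffing = set(), set()
    for ts, ip, user, ok in events:
        users_by_ip[ip].add(user)
        if len(users_by_ip[ip]) >= per_ip_users:
            stuffing.add(ip)
        if not ok:
            # Sliding window: keep only failures from the last `window` seconds.
            recent = [t for t in fails[user] if ts - t < window] + [ts]
            fails[user] = recent
            if len(recent) >= per_account_fail:
                brute.add(user)
    return brute, stuffing

def suspicious_successes(events, stuffing_ips):
    """Accounts logged into from a flagged source: hold their changes for review."""
    return {user for _, ip, user, ok in events if ok and ip in stuffing_ips}
```

Per-account lockout alone would have missed the stuffing source here, since no single account on it failed more than once; the per-source distinct-username count is what flags it.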
---
Please remember going forward: Don't re-use your usernames and passwords on multiple sites. There are databases out there with tens of millions of username+password combinations. There are likely over a million just from Bitcoin sites that have been compromised over the last 5 years.
EDIT: To be clear, there is no evidence that this brute force attack was anything other than login attempts using usernames/passwords from a non-BTC Guild source. If the attacker had information from BTC Guild's database, or the ability to modify it, they certainly wouldn't have hit ~400 accounts with a combined balance of less than 0.5 BTC. All account wallet changes were done through the website (indicating no ability to modify the database), and the accounts affected were completely random (indicating no ability to access database information).