Post
Topic
Board Meta
Re: Hundreds of thousand of bitcointalk accounts hacked
by
rizzlarolla
on 21/03/2017, 15:18:02 UTC
snip

Thanks for clarifying Nico.
I don't have any real problem with your assessment. You have helped answer possibilities of who and why. I shall bear it in mind.
I do see some evidence that accounts under u=100,000 are more affected than accounts over u=100,000.

That does not mitigate admin from taking simple actions to counter this. (if they think mass hacked accounts is a bad thing)

Let me try to show here how clear this is to detect, and therefore how easy to counter it could be.
Let's just look at (some of) 1 day - Feb 19 2017. Let's look at the activity of the first 20 accounts from various round numbers as a sample, so

u=1000 - u=1020
https://bitcointalk.org/index.php?action=profile;u=1003  cookie                  0 post  March 07, 2017, 05:54:51 AM (was feb 19, 12.03pm)
God damn, that was Feb 19 last I looked, now Mar 7
(1002, 1004, 1005, 6, 7, 8, 9, 11, 12, 13, 14, 15, 18, and 1020 "do not exist", so not much to hack there)

u=2000 - u=2020
https://bitcointalk.org/index.php?action=profile;u=2003  McKyle025           0 post    March 07, 2017, 04:07:31 AM (was feb 19, 12.03pm)
https://bitcointalk.org/index.php?action=profile;u=2004  marktaylor142      0 post   March 07, 2017, 09:16:18 AM (was feb 19, 12.05pm)      
https://bitcointalk.org/index.php?action=profile;u=2005  kavindave26         0 post   March 07, 2017, 08:01:11 AM (was feb 19, 12.58pm)
https://bitcointalk.org/index.php?action=profile;u=2008  celina111             0 post    March 07, 2017, 06:55:41 AM (was feb 19, 12.18pm)
https://bitcointalk.org/index.php?action=profile;u=2011  reverselockup23    0 post    March 07, 2017, 10:31:53 AM (was feb 19, 12.45pm)
https://bitcointalk.org/index.php?action=profile;u=2012  nadav001              0 post    March 07, 2017, 07:48:42 AM (was feb 19, 12.07pm)
https://bitcointalk.org/index.php?action=profile;u=2017  aranaahmed1         0 post   March 07, 2017, 08:21:32 AM (was feb 19, 12.05pm)
Ok, these were all Feb 19 as well, now all Mar 7 also. This is exactly why admin need to save "snapshots" of activity of all accounts as I described.
(2001, 2002, 6, 13, and 2014 "do not exist")

u=3000 - u=3020
https://bitcointalk.org/index.php?action=profile;u=3000  Rai                      12 post  February 19, 2017, 12:19:35 PM (last post 2011)
https://bitcointalk.org/index.php?action=profile;u=3003  v-tim                    3 post   February 19, 2017, 12:33:30 PM (last post 2011)
https://bitcointalk.org/index.php?action=profile;u=3011  tyler123                0 post   February 19, 2017, 12:19:50 PM
https://bitcointalk.org/index.php?action=profile;u=3019  ngatyeu87             0 post   March 01, 2017, 02:43:47 AM     (was feb 19, 12.30pm)
So most of these are still feb 19. 1 changed, again showing how the evidence is slowly dispersed.
(3002, 5, 6, 7, 8, 9, 10, 14, 15, and 2016 "do not exist")

u=4000 - u=4020
https://bitcointalk.org/index.php?action=profile;u=4011  brynfrlin                 0 post   February 19, 2017, 12:28:49 PM
https://bitcointalk.org/index.php?action=profile;u=4014  aq8586                  0 post   February 19, 2017, 12:53:54 PM
https://bitcointalk.org/index.php?action=profile;u=4017  menoskedos           0 post   February 19, 2017, 12:47:28 PM
https://bitcointalk.org/index.php?action=profile;u=4018  qaz22                    0 post   March 01, 2017, 08:05:16 AM     (was feb 19, 12.46pm)
Most still show feb 19. 1 change to march 1 same as above list.
(4001, 4, 5, 7, 8, 10, 16, 19, 4020 "do not exist")

Let's skip 5000 accounts to this list I quoted on previous page,

u=9000 - u=9020
https://bitcointalk.org/index.php?action=profile;u=9003  Micro333              0 post    February 19, 2017, 01:18:36 PM
https://bitcointalk.org/index.php?action=profile;u=9005  Qrr                       2 post    February 19, 2017, 01:28:59 PM
https://bitcointalk.org/index.php?action=profile;u=9009  Trance555             0 post    February 19, 2017, 01:28:07 PM
https://bitcointalk.org/index.php?action=profile;u=9011  twadsworth            0 post   February 19, 2017, 01:16:27 PM
https://bitcointalk.org/index.php?action=profile;u=9012  FictionWobbles333  0 post   February 19, 2017, 01:27:05 PM
https://bitcointalk.org/index.php?action=profile;u=9013  MoodFool333          0 post   February 19, 2017, 01:28:08 PM
https://bitcointalk.org/index.php?action=profile;u=9014  marish                   0 post   February 19, 2017, 01:38:06 PM
https://bitcointalk.org/index.php?action=profile;u=9015  BlackRunner111      0 post   February 19, 2017, 01:15:55 PM
https://bitcointalk.org/index.php?action=profile;u=9016  jhallsworth             0 post    February 19, 2017, 01:28:12 PM
https://bitcointalk.org/index.php?action=profile;u=9020  carter                     0 post   February 19, 2017, 01:20:13 PM
I think these are still correct.

And on to u=11000 - u=11020
https://bitcointalk.org/index.php?action=profile;u=11003  breakbank4            0 post   March 01, 2017, 06:27:51 AM    (was feb 19, 2.08pm)
https://bitcointalk.org/index.php?action=profile;u=11007  yashrajskio            0 post   February 28, 2017, 10:27:43 PM (was feb 19, 2.08pm)
https://bitcointalk.org/index.php?action=profile;u=11008  ronanlepp              0 post   February 19, 2017, 02:07:35 PM
https://bitcointalk.org/index.php?action=profile;u=11010  jacktralia               0 post   February 19, 2017, 01:53:45 PM
https://bitcointalk.org/index.php?action=profile;u=11014  ameldajones          0 post   February 19, 2017, 02:07:52 PM
https://bitcointalk.org/index.php?action=profile;u=11019  slotcar101             0 post   February 19, 2017, 01:59:50 PM
Couple changed. 1 Mar 1st again. Dispersing the evidence. But as I had it recorded, it can never be lost - as theymos can easily do.

See how the time frame goes from around 12pm - around 2pm over 11000 accounts, short work!
theymos could confirm my "was feb 19" time and date is accurate, if he saved the correct info, and if he could be bothered.
So regardless of whether it is 100,000 accounts or "just" tens of thousands, I hope it is clear how easy it is to spot.

This carries on on different dates, 27 January 2017 for example,

u=25000 - u=25020
https://bitcointalk.org/index.php?action=profile;u=25005  inertiatic          0 post   January 27, 2017, 05:50:53 AM
https://bitcointalk.org/index.php?action=profile;u=25007  Jepp                0 post   January 27, 2017, 06:10:37 AM
https://bitcointalk.org/index.php?action=profile;u=25008  bottommaster   0 post   January 27, 2017, 06:11:44 AM
https://bitcointalk.org/index.php?action=profile;u=25014  basseffekt        0 post   January 27, 2017, 05:51:37 AM
https://bitcointalk.org/index.php?action=profile;u=25017  badinstincts     0 post   January 27, 2017, 05:52:50 AM
https://bitcointalk.org/index.php?action=profile;u=25018  pero991          6 post   January 27, 2017, 05:59:17 AM (last post 2011)
https://bitcointalk.org/index.php?action=profile;u=25019  dragoon1001   0 post   January 27, 2017, 05:42:25 AM
https://bitcointalk.org/index.php?action=profile;u=25020  MrMaple          1 post   January 27, 2017, 05:58:58 AM (last post 2011)

And the list goes on and on. The time rota being totally obvious.

So after looking at 140 accounts, minus around 40 accounts "do not exist", so 100 possible accounts to hack, 42 are hacked here.
That equates to around 40% of all early accounts being hacked. (early accounts in this sample)
All clear as day.

No reason for mods to spout "there is nothing we can do". (I presume admin are saying the same to themselves)
theymos must save the data as previously instructed by me (take him a few minutes) or forever be complicit in this.
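
The pattern described in the post (dormant accounts whose "last active" times fall in a short window on one day and rise with the user ID) can be checked mechanically against a saved snapshot. The sketch below is an added example, not part of the original post and not forum code; the row layout, thresholds and sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_YEARS = 5  # assumption: a last post this many years back counts as dormant

# Constructed snapshot rows: (uid, post_count, last_post_year or None, last_active)
SNAPSHOT = [
    (1101, 0, None, "2017-02-19 12:03"),
    (2102, 0, None, "2017-02-19 12:05"),
    (3103, 12, 2011, "2017-02-19 12:19"),
    (4104, 0, None, "2017-02-19 12:53"),
    (9105, 2, 2011, "2017-02-19 13:28"),
    (9115, 0, None, "2017-02-19 13:15"),
    (11108, 0, None, "2017-02-19 14:07"),
    (5500, 340, 2017, "2017-02-19 13:00"),  # regular poster, not dormant
    (7000, 0, None, "2016-11-02 09:15"),    # dormant, isolated login
]

def is_dormant(posts, last_post_year, active):
    """Never posted, or last post at least DORMANT_YEARS before this login."""
    old = last_post_year is not None and active.year - last_post_year >= DORMANT_YEARS
    return posts == 0 or old

def find_sweeps(snapshot, min_accounts=5, max_span=timedelta(hours=3), min_order=0.8):
    """Flag days where many dormant accounts log in within a short span,
    with login time rising with uid (the 'time rota' the post describes)."""
    by_day = defaultdict(list)
    for uid, posts, last_post_year, ts in snapshot:
        active = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if is_dormant(posts, last_post_year, active):
            by_day[active.date()].append((uid, active))
    sweeps = []
    for day, rows in sorted(by_day.items()):
        rows.sort()  # by uid
        times = [t for _, t in rows]
        span = max(times) - min(times)
        # Share of account pairs whose login order matches their uid order
        pairs = [(a, b) for i, a in enumerate(times) for b in times[i + 1:]]
        order = sum(a <= b for a, b in pairs) / len(pairs) if pairs else 0.0
        if len(rows) >= min_accounts and span <= max_span and order >= min_order:
            sweeps.append({"day": day.isoformat(),
                           "uids": [u for u, _ in rows],
                           "span_minutes": int(span.total_seconds() // 60),
                           "order": round(order, 2)})
    return sweeps

if __name__ == "__main__":
    for sweep in find_sweeps(SNAPSHOT):
        print(sweep)
```

Because a later login overwrites the "last active" field, this only works on rows recorded at the time, which is the reason the post asks for snapshots.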