Someone asked me if they could sign a message using one of the keys (i.e. the bitcoin key) to prove ownership of the other addresses and have them changed. The problem with this is that it leaves the pool open to social engineering. If the bitcoin key was kept on Vircurex too, I don't know if it's the hacker then trying to withdraw funds from the pool. It's a bad situation. I'm open to suggestions.
I'd lose about 0.015 BTC in altcoins if there's no way to change my addresses (so I'm not terribly worried), but I'll share my thoughts:
- If the attacker has the private keys to the BTC address, he'll probably also have those for the others. I doubt there are many users that use Vircurex for BTC but not for the altcoins, so the signing method you referred to shouldn't be able to make things worse.
- My IP, wallet addresses and even user name might be known to the attacker, but I should be able to provide a piece of information that he can't possibly have: the local port number my miner is currently using.
- Some users might be using the same user name here and at your pool. Unless the forum account was registered after the breach, that should be difficult to exploit.
- This is probably too impractical given the size of the user base, but if a user still has access to his bitcoin address (but isn't in possession of the private key), the altcoins could be converted to BTC. This way, there's no risk of somebody introducing his own addresses.
I'll register a new account when the current block finishes. If I understood DGM well enough, I could lose more BTC abandoning the current round than I have in altcoins...