#41534 - ACCOUNT HACKED


dalpower
Gender: Unknown
Country: Unknown
Threads: 1, Posts: 3
#0


I have email 2fa set up and must get a code with each log in I do. Somehow Cryptopia allowed someone to log in without using my 2fa authentication and they changed my password and stole all my coins. I have changed my password today but would like some help in understanding how someone was able to bypass the 2fa and what will cryptopia do about this?



Posted: 10/16/2017 10:21:09 PM
dalpower
Gender: Unknown
Country: Unknown
Threads: 1, Posts: 3
#1

Over 12 hours now and no response on this ticket... If someone can get into my account without my 2FA here, then everyone's account is at risk.



Posted: 10/17/2017 12:56:07 PM
MrFloppy
Gender: Unknown
Country: Unknown
Threads: 89, Posts: 562
#2

Highly unlikely that it's Cryptopia. The most likely reason is that someone besides yourself has access to your email account. Change your email address password. Check and secure any service that you have used the same email address with. An email 2FA for any service you use is only as secure as your email account; if someone already knows the password to your email address, then they will be able to attempt to gain control over any account that is linked to your email address. It is always recommended to use the stronger 2FA options like Google Authenticator or the hardware dongle, as these options would at the least have prevented your Cryptopia account from being accessed by someone that has gained control over your email address.

You should have protected your email address with a 2FA and a strong password, and not used the same or similar passwords on other sites. Once an attacker has access to your email account they can get access to all your other accounts, e.g. Facebook, Twitter, exchanges, forums etc.

What you should do now is immediately secure your email address by changing your password, enabling 2FA on it if your email provider offers it, then go and change your passwords on any other site you have used with the same email address. Do not use the same password on multiple sites; do not use the same email address to join ICOs or airdrop campaigns, coin forums, Slack channels etc.




Posted: 10/17/2017 1:33:46 PM
dalpower
Gender: Unknown
Country: Unknown
Threads: 1, Posts: 3
#3

My email is protected. They logged into my account without using this. 



Posted: 10/17/2017 2:03:04 PM
MrFloppy
Gender: Unknown
Country: Unknown
Threads: 89, Posts: 562
#4

My email is protected. They logged into my account without using this.

dalpower: 10/17/2017 2:03:04 PM

How is it protected? Just a password? Does your address show up here as a leaked address? https://haveibeenpwned.com/

If so, it's not as protected as an address that has not been leaked from your use of other sites. There are also email providers that have been hacked; the most famous example is Yahoo (see: https://arstechnica.com/information-technology/2017/10/yahoo-says-all-3-billion-accounts-were-compromised-in-2013-hack/ ), but individual Google addresses have also been hacked via app exploits and weak passwords. Do you use the same email address, or an app that accesses that email address, on your phone? Malware apps can steal your credentials. (Install any email checkers, price trackers, coin wallets, faucet games on your phone recently?)


Simply saying your address is protected does not make it so. If you had an email 2FA enabled for login, then the only way someone can log in and use your account is by having access to your email address.



Posted: 10/17/2017 2:59:33 PM Edited: 10/17/2017 3:02:19 PM