A few users reported their GateHub wallets were hacked and XRP sent to r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k


1 hour ago, jlripple said:

Well I suspect this hack might be due to one of the API being exploited. No other way to explain how the thieves can just grab users' XRP without even logging in!!!

So the thief had a list of random email addresses and potentially passwords. They used this list and the API to determine which email address is linked to which wallet address. If they had a hit they could then see if they could login to the email service and search for an email containing the key. Maybe a lot of people email their key to themselves for 'safekeeping'.

Link to post
Share on other sites
Popular Posts

On June 1 we were made aware of a theft of 201,000 XRP (transaction F6E9E1385E11649A6C2F88723A821AF209B54030886539DCEF9DDD00E6446948) and immediately started investigation. It turned out that the acco

Hey all! We are aware of the matter and are looking into it. If anyone has any information please contact us at: security@gatehub.net   GateHub

Reminder: There is no direct evidence pointing to Gatehub being responsible even though it may appear as the most likely scenario right now. Just be careful about jumping to conclusions What you c

7 minutes ago, kachel said:

So the thief had a list of random email addresses and potentially passwords. They used this list and the API to determine which email address is linked to which wallet address. If they had a hit they could then see if they could login to the email service and search for an email containing the key. Maybe a lot of people email their key to themselves for 'safekeeping'.

I did not save the key electronically; I physically wrote it down on a note for safekeeping. I saw a lot of other victims did the same. I don't think the hackers did it that way.

Link to post
Share on other sites
6 minutes ago, kachel said:

So the thief had a list of random email addresses and potentially passwords. They used this list and the API to determine which email address is linked to which wallet address. If they had a hit they could then see if they could login to the email service and search for an email containing the key. Maybe a lot of people email their key to themselves for 'safekeeping'.

Reading the statement by gatehub yesterday about them turning off the access API on the 1st June 2019 but accounts still being robbed of their XRPs I believe the hackers somehow have access to the secret keys plus a way to decrypt them 

Link to post
Share on other sites
4 minutes ago, kachel said:

So the thief had a list of random email addresses and potentially passwords. They used this list and the API to determine which email address is linked to which wallet address. If they had a hit they could then see if they could login to the email service and search for an email containing the key. Maybe a lot of people email their key to themselves for 'safekeeping'.

Can we stop with the “maybe” and other assumptions as it just makes the victims look like absolute idiots.

As Gatehub (CEO) stated the API Token was compromised hence whatever the hackers have accumulated in terms of keys before June 1 after they have disabled the access will be on the target list of the thieves.

Link to post
Share on other sites
19 minutes ago, cjeremys2 said:

Can we stop with the “maybe” and other assumptions as it just makes the victims look like absolute idiots.

As Gatehub (CEO) stated the API Token was compromised hence whatever the hackers have accumulated in terms of keys before June 1 after they have disabled the access will be on the target list of the thieves.

Sorry about that, I was trying to be constructive but could have chosen my words more carefully. I had a theory which is probably not the case. Can you help me understand which API token? The thief has gained access to hashed / salted keys via this token?

Link to post
Share on other sites
35 minutes ago, jlripple said:

Reading the statement by gatehub yesterday about them turning off the access API on the 1st June 2019 but accounts still being robbed of their XRPs I believe the hackers somehow have access to the secret keys plus a way to decrypt them 

So the hackers could continue decrypting them one by one and keep on stealing funds, not knowing if they've got all the addresses. Which would mean everyone should remove their XRP from gatehub and that specific wallet address and make a new one...

Would be nice if GH would give some more info and assure it's all safe now. On the other hand, advising all their customers to go away is suicide...

Link to post
Share on other sites
8 minutes ago, kachel said:

Sorry about that, I was trying to be constructive but could have chosen my words more carefully. I had a theory which is probably not the case. Can you help me understand which API token? The thief has gained access to hashed / salted keys via this token?

Apologies as well as I just hate the fact that other people still put salt on an open wound even though we know that this is Gatehub's security flaws since the number of victims is now up to "81" and still counting yet others are still stating that it might be password or victims telling their peers about their secret key. I myself don't even know my secret key from 2 years ago when I created my account on Gatehub.

Also this API Access or API Call is part of Gatehub's infrastructure that allows customers to use an email address as a contact for sending funds. I'm not a hacker literate but it seems that they are able to interfere with this API Access in order to gain information to the victim's keys but this doesn't answer the fact that some of the victims "have not logged in for years" yet hackers were still able to access their keys and stole their XRP.

I think we should all be asking the questions to @gatehub rather than play this assumption game about the victims password etc. especially when we have now at least 81+ victims and the fact that Gatehub is not giving updates on hourly or even daily basis makes me suspicious that they want to downplay this issue and let all the victims face their losses.

Link to post
Share on other sites

 

20 hours ago, gatehub said:

We have however detected an increased amount of API calls (with valid access tokens) coming from a small number of IP addresses which might be how the perpetrator gained access to encrypted secret keys.

That, however, still doesn’t explain how the perpetrator was able to gain other required information needed to decrypt the secret keys.

All access tokens were disabled on June 1st after which the suspicious API calls were stopped.

 

1 hour ago, Silkjaer said:

Latest thefts happened yesterday [June 4th, ed.]. They have cashed more out today.

 

1 hour ago, jlripple said:

Reading the statement by gatehub yesterday about them turning off the access API on the 1st June 2019 but accounts still being robbed of their XRPs I believe the hackers somehow have access to the secret keys plus a way to decrypt them 

 

1+1= Gatehub should e-mail all users asap to have them move funds to hosted wallets, safe addresses or re-key them.

@gatehub @Silkjaer @alloyxrp @enej

 

Unless they know exactly which addresses were exposed and who to contact, but that doesn't seem so from the outside. As the nr of victims already seems to outnumber their previous statement:

20 hours ago, gatehub said:

At the moment we estimate that 58 XRP Ledger wallets were compromised.

1 hour ago, Silkjaer said:

A small update from our research, we are now counting 80+ (most likely) victims.

 

 

Edited by zero-2-9
typo
Link to post
Share on other sites
2 minutes ago, mrenne said:

Are there victims that have not been contacted by GateHub? 

The people who received the email from GateHub are the ones who already got hacked.  Honestly, GateHub should just email everyone at this point.  No reason to make more suffer. 

Link to post
Share on other sites

According to GateHub's statement in this thread and other available information I can disseminate the following:

  • GateHub had flaws in their API authentication/authorisation mechanisms, which ultimately enabled the thief to access encrypted wallets.
  • GateHub knows who the potential victims are and only a non-sequential subset of users has been contacted. This means that GateHub was able to determine which encrypted wallets leaked - perhaps via API access logs. There are users with old accounts that have not received an email about this breach from GateHub.
  • Potential attackers could learn about GateHub's wallet encryption algorithms from the client-side source code of their wallet software.
  • GateHub had a possibly unrelated issue with their API and/or rate-limiting in April this year, which allowed the attackers to obtain some information about GateHub accounts.

As someone else pointed out - we have to find out if the victims used weak passwords or passwords that were used elsewhere and could be cracked by a dictionary attack.

Edited by Milk
Link to post
Share on other sites
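An added example, not part of any post in this thread and not GateHub's code: the GateHub statement quoted above describes valid-token API calls concentrated on a small number of IP addresses, and the post above suggests the affected wallets could be identified from API access logs. The sketch below shows that log analysis on constructed records; the log layout, the endpoint names and the `max_accounts` threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample records: (timestamp, source_ip, account_id, endpoint).
# The log layout and endpoint names are hypothetical, not GateHub's real API.
SECRET_EP = "/wallet/encrypted-secret"
SAMPLE_LOG = [
    ("2019-05-30T10:00:01Z", "203.0.113.7", "acct-0017", SECRET_EP),
    ("2019-05-30T10:00:02Z", "203.0.113.7", "acct-0452", SECRET_EP),
    ("2019-05-30T10:00:03Z", "198.51.100.20", "acct-0900", SECRET_EP),
    ("2019-05-30T10:00:04Z", "203.0.113.7", "acct-1203", SECRET_EP),
    ("2019-05-30T10:00:05Z", "203.0.113.7", "acct-3310", SECRET_EP),
    ("2019-05-30T10:05:00Z", "198.51.100.21", "acct-0452", SECRET_EP),
    ("2019-05-30T10:06:00Z", "198.51.100.21", "acct-0452", "/wallet/balance"),
    ("2019-05-31T09:00:00Z", "203.0.113.7", "acct-0017", SECRET_EP),
    ("2019-05-31T09:30:00Z", "198.51.100.20", "acct-0900", SECRET_EP),
]

def accounts_per_ip(records, endpoint=SECRET_EP):
    """Map each source IP to the distinct accounts whose tokens it used on `endpoint`."""
    seen = defaultdict(set)
    for _ts, ip, account, ep in records:
        if ep == endpoint:
            seen[ip].add(account)
    return dict(seen)

def flag_ips(records, max_accounts=2):
    """Flag IPs whose valid-token calls span more accounts than one client plausibly owns."""
    return {ip for ip, accts in accounts_per_ip(records).items()
            if len(accts) > max_accounts}

def exposed_accounts(records, max_accounts=2):
    """Return {account: earliest fetch time from a flagged IP}: the notification list."""
    flagged = flag_ips(records, max_accounts)
    first_seen = {}
    for ts, ip, account, ep in records:
        if ip in flagged and ep == SECRET_EP:
            # ISO-8601 UTC strings of equal format compare chronologically.
            if account not in first_seen or ts < first_seen[account]:
                first_seen[account] = ts
    return first_seen

if __name__ == "__main__":
    print("flagged IPs:", sorted(flag_ips(SAMPLE_LOG)))
    for account, ts in sorted(exposed_accounts(SAMPLE_LOG).items()):
        print(account, "first fetched from a flagged IP at", ts)
```

An account that also fetched its own secret from a normal client address (`acct-0452` in the sample) still lands on the list, because what matters for notification is that a flagged address retrieved the encrypted key at least once.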
40 minutes ago, Personology said:

The people who received the email from GateHub are the ones who already got hacked.  Honestly, GateHub should just email everyone at this point.  No reason to make more suffer. 

I would just let Gatehub deal with it as this will be classed as "negligence" on their part to not inform the customers about security issues.

To be honest this was already the case for the Victims that got hacked on the 30-31st of May as apparently Gatehub was already aware before the following date that this attack was happening. Yet they have only sent an email on the 3rd of June about it for the customers that got hacked on the 30-31st of May.

Link to post
Share on other sites
